Enforce Multi-Factor Authentication On Your Organisation
Overview
System Administrators can enable multi-factor authentication (MFA) for the entire organization. Once enabled, MFA will be enforced organization-wide, requiring all users to provide an additional authentication factor when logging in.
The Multi-factor Authentication (organisation-wide) functionality is provided by the Enhanced Security feature. If you do not see the settings explained in this article, contact your system administrator to make sure the Enhanced Security feature is included in the current subscription.
How it works
When the system administrator enables MFA company-wide, all users will be required to complete a second step when logging in.
After users enter their correct login credentials, an email with a code will be sent to their email address.
Users will need to enter the code sent to their email, before it expires, to complete the login process.
If needed, users can request a new code, which will be sent to their email. This will automatically expire all previous codes.
If enabled by the system administrator, users can choose to trust the device they have successfully logged in from, allowing them to skip MFA for a set number of days.
Considerations for Enforcing MFA on your Organisation
Currently, MFA can only be enforced for Administrative users, and not for teachers or students.
When MFA is enabled (organisation-wide), it is automatically enforced for all users. Users cannot opt-out individually.
For the company-wide MFA, email is the only method available.
Since the code sent to users' email is required for login, all users must have a valid email address and access to their email at the time of login.
It is recommended to add the email address that we use to send the MFA emails from as a safe/trusted sender. Contact your system administrator for details.
Enforce Multi-Factor Authentication On Your Organisation
Once Multi-Factor Authentication is enabled on your organization, all users will be required to use MFA from their next login.
From the Main menu, go to Utilities > Setup Configuration > Setup > Options > Security.
From the Enhanced Security Options section, enable the option: “Enable Multi-Factor Authentication (MFA) with Email for Admin Users”.
Click on Save to apply the changes.
Enable Users to Skip Multi-Factor Authentication on Trusted Devices
System Administrators can allow users to trust devices that they regularly use to skip MFA for a period of time.
Note the following:
For eBECAS/EDMISS Classic, a trusted device is the computer used when trusting the device. The trusted device option is per device and user. If users log in using a different device, MFA will be required. Additionally, if two users use the same device, both will need to enter the MFA code and trust the device separately.
For eBECAS/EDMISS Next Generation, a trusted device is the web browser used when trusting the device. If users log in using a different device or browser, MFA will be required.
Trusting a device in one system will not trust it on the other.
To allow users to trust devices, follow these steps:
From the Main menu, go to Utilities > Setup Configuration > Setup > Options > Security.
From the Enhanced Security Options section, enter the number of days, between a minimum of 1 day and a maximum of 28 days, that a device will be trusted for in the option: “After User provides MFA, device can be trusted for [ ] days by User (0 to always ask for MFA)”.
After this number of days has passed since the last MFA verification, users will be required to complete MFA again.
Click on Save to apply the changes.
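The login and trusted-device rules described in this article, modelled in Python as an added example that is not eBECAS/EDMISS code. The class and method names, the 10-minute code lifetime, the 6-digit code format and single-use codes are assumptions; the article does not state them.

```python
import secrets
from datetime import datetime, timedelta

CODE_LIFETIME = timedelta(minutes=10)  # assumption: the article does not state the expiry time


class EmailMfa:
    def __init__(self, trust_days):
        # 0 means always ask for MFA; otherwise the setting accepts 1 to 28 days
        if not 0 <= trust_days <= 28:
            raise ValueError("trust_days must be 0 or between 1 and 28")
        self.trust_days = trust_days
        self.active_code = {}  # user -> (code, expires_at): one valid code per user
        self.trusted = {}      # (user, device) -> time of last MFA verification

    def issue_code(self, user, now):
        """Create the code to e-mail; overwriting the entry expires all previous codes."""
        code = f"{secrets.randbelow(10**6):06d}"  # assumption: 6-digit numeric code
        self.active_code[user] = (code, now + CODE_LIFETIME)
        return code

    def mfa_required(self, user, device, now):
        """Trust is per user and per device, counted from the last MFA verification."""
        verified_at = self.trusted.get((user, device))
        if self.trust_days == 0 or verified_at is None:
            return True
        return now - verified_at >= timedelta(days=self.trust_days)

    def verify(self, user, device, submitted, now, trust_device=False):
        """Check a submitted code; on success consume it and optionally trust the device."""
        code, expires_at = self.active_code.get(user, (None, now))
        if code is None or now >= expires_at:
            return False  # no code issued, or the code has expired
        if not secrets.compare_digest(submitted.encode(), code.encode()):
            return False
        del self.active_code[user]  # assumption: a code can be used only once
        if trust_device and self.trust_days > 0:
            self.trusted[(user, device)] = now
        return True
```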
Disable Multi-Factor Authentication On Your Organisation
From the Main menu, go to Utilities > Setup Configuration > Setup > Options > Security.
From the Enhanced Security Options section, disable the option: “Enable Multi-Factor Authentication (MFA) with Email for Admin Users”.
Click on Save to apply the changes.