Enforce Multi-Factor Authentication On Your Organisation
Overview
System Administrators can enable multi-factor authentication (MFA) for the entire organization. Once enabled, MFA will be enforced organization-wide, requiring all users to provide an additional authentication factor when logging in.
The Multi-factor Authentication (organisation-wide) functionality is provided by the Enhanced Security App. If you do not see the settings explained in this article, contact your system administrator to make sure the App is installed.
How it works
When the system administrator enables MFA company-wide, all users will be required to complete a second step when logging in.
After users enter their correct login credentials, an email with a code will be sent to their email address.
Users will need to enter the code sent to their email, before it expires, to complete the login process.
If needed, users can request a new code, which will be sent to their email. This will automatically expire all previous codes.
If enabled by the system administrator, users can choose to trust the device they have successfully logged in from, allowing them to skip MFA for a set number of days.
Considerations for Enforcing MFA on your Organisation
Currently, MFA can only be enforced for Administrative users, and not for teachers or students.
When MFA is enabled (organisation-wide), it is automatically enforced for all users. Users cannot opt-out individually.
For the company-wide MFA, email is the only method available. However, users can opt-in individually to use an authenticator app instead.
Since the code sent to users' email is required for login, all users must have a valid email address and access to their email at the time of login.
It is recommended to add the email address that we use to send the MFA emails as a safe/trusted sender. Contact your system administrator for details.
Enforce Multi-Factor Authentication On Your Organisation
Once Multi-Factor Authentication is enabled on your organization, all users will be required to use MFA from their next login.
From the Utilities menu, go to Settings > Security
From the Multi-factor Authentication section, enable the option: “Enforce Multi-factor Authentication by Email”
Click on Update to save the changes.
Enable Users to Skip Multi-Factor Authentication on Trusted Devices
System Administrators can allow users to trust devices that they regularly use to skip MFA for a period of time.
Note the following:
For eBECAS/EDMISS Next Generation, a trusted device is the web browser used when trusting the device. If users log in using a different device or browser, MFA will be required.
For eBECAS/EDMISS Classic, a trusted device is the computer used when trusting the device. The trusted device option is per device and user. If users log in using a different device, MFA will be required. Additionally, if two users use the same device, both will need to enter the MFA code and trust the device separately.
Trusting a device in one system will not trust it on the other.
To allow users to trust devices, follow these steps:
From the Utilities menu, go to Settings > Security
From the Multi-Factor Authentication section, enable the setting: Skip Multi-factor Authentication on Trusted Devices
You can select the number of days, between a minimum of 1 day and a maximum of 28 days, that a device will be trusted for. After this period has passed since the last MFA verification, users will be required to complete MFA again.
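The code lifecycle from "How it works" and the trusted-device window described above can be modelled in a few lines of Python. This is an added example, not eBECAS/EDMISS code. The 10-minute code lifetime, the 6-digit format, single-use codes, and the names EmailMfa and device_id are assumptions made for the illustration.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta

CODE_TTL = timedelta(minutes=10)  # assumption: the page does not state the code lifetime

class EmailMfa:
    """Model of one system (Next Generation or Classic); trust is not shared between instances."""

    def __init__(self, trust_days):
        if not 1 <= trust_days <= 28:  # range given on the page
            raise ValueError("trust_days must be between 1 and 28")
        self.trust = timedelta(days=trust_days)
        self.pending = {}  # user -> (SHA-256 of the current code, expiry time)
        self.trusted = {}  # (user, device_id) -> time of last MFA verification

    def issue_code(self, user, now):
        # Overwriting the single pending entry expires every earlier code.
        code = f"{secrets.randbelow(10**6):06d}"  # assumption: 6-digit code
        self.pending[user] = (hashlib.sha256(code.encode()).digest(), now + CODE_TTL)
        return code  # sent to the user's email address

    def verify(self, user, code, now, device_id=None, trust_device=False):
        digest, expiry = self.pending.get(user, (b"", now))
        ok = now < expiry and hmac.compare_digest(
            digest, hashlib.sha256(code.encode()).digest())
        if ok:
            del self.pending[user]  # assumption: codes are single-use
            if trust_device and device_id is not None:
                self.trusted[(user, device_id)] = now  # per user AND per device
        return ok

    def mfa_required(self, user, device_id, now):
        # Trust lapses once the configured period has passed since the last verification.
        last = self.trusted.get((user, device_id))
        return last is None or now - last >= self.trust

if __name__ == "__main__":
    t0 = datetime(2025, 1, 1, 9, 0)  # constructed timestamps
    mfa = EmailMfa(trust_days=7)
    old = mfa.issue_code("alice", t0)
    new = mfa.issue_code("alice", t0 + timedelta(minutes=1))  # user asked for a new code
    print("current code accepted:", mfa.verify("alice", new, t0 + timedelta(minutes=2), "browser-A", True))
    print("MFA needed on day 6:", mfa.mfa_required("alice", "browser-A", t0 + timedelta(days=6)))
    print("MFA needed on day 8:", mfa.mfa_required("alice", "browser-A", t0 + timedelta(days=8)))
    print("MFA needed for bob, same device:", mfa.mfa_required("bob", "browser-A", t0))
```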
Disable Multi-Factor Authentication On Your Organisation
From the Utilities menu, go to Settings > Security
From the Multi-factor Authentication section, disable the option: “Enforce Multi-factor Authentication by Email”
Click on Update to save the changes.
Disabling Multi-Factor Authentication on your organisation does not disable MFA for users who have opted-in for MFA using an authenticator app. See this article for more details.