Multi-Factor Authentication

MFA provides another layer of security beyond just passwords and is currently the best way to make sure that only the right person can access an account.

Multi-factor Authentication is widely regarded as one of the most effective and essential modern security methods. We have all become accustomed to creating passwords for everything we use in our day-to-day life: websites, services, banking, etc. Unfortunately, we are also aware of the many ways passwords have become insecure.

MFA is the industry standard; it’s used by banks, streaming services, and other SaaS products. Many companies, such as GoCanvas, require MFA to be available for all information systems that deal with our data.

The available factors include Email, SMS (i.e. text message), and/or an Authenticator service. Google Authenticator is commonly used and can be downloaded either from the Apple App Store or the Google Play Store.

Please Note

SMS is limited to the US, Australia, and South Africa at this time. Please email beta@gocanvas.com to request MFA in your country.

Any factors not on the above list are not currently planned to be supported.

Implementing MFA

Multi-factor Authentication is available to select accounts before the official launch. Please reach out to your Account Representative with inquiries.

How to Enable MFA

Admins have the option to enable MFA for all users as a bulk action in their company settings. When MFA is enabled this way, each user will be allowed to verify an MFA factor the next time they log in to their account. When admins require MFA for the entire account within the Account Settings, individual users may NOT opt out.

If that bulk action is not done, users may enable MFA individually from their Profile page. This can also be done for individual users by an account admin, but individual users can still opt out of verifying a factor for their account. This could be a good option for organizations looking to slowly ramp up to requiring MFA for their users or for users who individually want to adopt stronger account security practices.

  1. Navigate to the Profile page, following the instructions based on your Account View.
    • Legacy View: Navigate to the Profile page in the left navigation.
    • Project View: Select your username in the lower left corner of the left navigation to expand the menu and select Profile.
  2. Near the top of the page is the section dedicated to Multi-factor Authentication.
  3. Click Enable in the upper right corner. Once the page reloads, ENABLED by User will replace the previous DISABLED.

How to Verify the Factors

Users can verify SMS and email MFA factors from the GoCanvas mobile app. Users can also verify SMS, email, and authenticator factors from the GoCanvas web application in their Profile. 

When MFA is enabled on an account and a user logs in for the first time, they will be presented with options to verify an MFA factor. This factor will be used as an MFA challenge for subsequent logins. Additional MFA factors can be verified from within the user’s Profile.

Text (SMS)
  1. Navigate to the Profile page and select Verify in the box for Text (SMS).
  2. If there is no phone number on the account, the button will say Edit Phone Number. Click the Change Phone button and enter a mobile phone number that can receive text messages.
    • If there is a phone number on the account but it is technically not real, a 500 Error message will appear and the user will need to change the phone number for the account in order to use this factor.
  3. Once the phone number associated with the account is real, click Verify.
  4. A text message will automatically be sent to the phone number associated with the user.
  5. Enter the code from the text message into the Code text box on the webpage. Save.
  6. When the Profile reloads, the Verify button will now say Revoke should the user ever want to remove this authentication factor.


Email
  1. Navigate to the Profile page and select Verify in the box for Email.
  2. An email will automatically be sent to the email address that is the username of the Profile. 
  3. Enter the code from the email into the Code text box on the webpage. Save.
  4. When the Profile reloads, the Verify button will now say Revoke but it will also be greyed out. The only way to revoke the verification is to change the email associated with the account. If the company requires MFA, the new email has to be a legitimate email because the confirmation will automatically re-verify the factor.

Authenticator
  1. Install your preferred TOTP Service, like Google Authenticator. This can be downloaded either from the Apple App Store or the Google Play Store.
  2. Navigate to the Profile page and select Verify in the box for Authenticator.
  3. Scan the QR code on the screen from within the Authenticator application. For example, the Google Authenticator app has a “+” button in the lower right corner of the screen. Tap that to expand the menu and select Scan a QR code.
  4. The code that is then shown on the screen can be typed into the Code text box on the web page. Save.
  5. When the Profile reloads, the Verify button will now say Revoke should the user ever want to remove this authentication factor.

How Admins can Require MFA

Enabling Multi-Factor Authentication for an account is not the same as requiring MFA for users when they log in. Enabling MFA simply makes it available for users to opt in to as an optional extra layer of security. If MFA is required, users cannot opt out of using MFA. To require MFA, follow the steps below:

  1. Navigate to the Account Settings page, following the instructions based on your Account View. 
    • Legacy View: Navigate to the Account Settings page under the Account drop down in the left navigation. If Departments are enabled, expand the Department drop down and switch to the All Department. 
    • Project View: Select your username in the lower left corner of the left navigation to expand the menu and select Account. If Departments are enabled, expand the Department drop down and switch to the All Department. 
  2. Select Account Settings and scroll to Security Settings.
  3. Located under Client Timeout Window, toggle MFA Required to ON.

    Tool Tip Text: When MFA is required, users will be required to provide an additional form of authentication (SMS, Email, or Authenticator code) when logging in. Users must have at least one of these methods verified before logging in. MFA Authentication factors may be configured from the Profile page. When MFA is not required for the entire account, users may still opt to require it on their own logins. 
