1. GoCanvas Help Center
  2. Advanced Team Management
  3. Advanced Password Management

Multi-Factor Authentication FAQs

Updated
Lauren Sunday
Community Manager
Have more questions? Submit a request

MFA provides another layer of security beyond just passwords and is currently the best way to make sure that only the right person can access an account.

Logging In

How often will MFA be required on web and/or mobile?

MFA challenges will be required any time a user would typically provide a username and password. On mobile, this means that the Mobile Client Timeout Window Account setting will apply.

i.e. if the user only has to login once a week, they will only get an MFA code that one time in the week. Users who will be out in the field without access to service should login before they are out of service, as it is today.

If my company requires MFA, will I be given an authentication challenge when logging into both the web portal and the mobile application?
Yes, that is a fairly standard expectation. Authenticated sessions are not shared between mobile apps and web browsers.

Administration

Can companies have MFA and SSO enabled at the same time?
Not at this time. Many SSO Identity Providers offer MFA capabilities of their own (i.e. Okta, Azure AD).
Can admins accidentally lock their users out by requiring MFA? 
No, as long as the account uses real email addresses for their users. The first time a user logs in on an account requiring MFA to sign in, but has not set up any MFA methods, we will default to using their email address. We will notify them that on subsequent logins they can set up other MFA methods as they prefer.
Can admins restrict which MFA factors are available to their users?

No, all users have Authenticator, Email, and SMS* available to them.

*SMS is limited to the US, Australia, and South Africa at this time.

Can admins require MFA only on web but not on mobile or vice versa? 
No. If MFA is enabled for a user, it applies to both web and mobile logins.

Troubleshooting

What if I lose my phone or change my number?
Admins and authenticated users can revoke SMS and Authenticator factors as needed and then confirm new factors the next time they login. If users do not have a verified factor available for login and MFA is required they should reach out to their account admin for assistance.
What if I change my email address? 
The Change Email confirmation process will automatically update the MFA factor.
What if I try to log in and have never confirmed an MFA method? 
We will offer an email-based challenge for the first time a user logs in or an SMS challenge using the number associated with your profile. However, SMS is limited to the US, Australia, and South Africa at this time.

Miscellaneous

Is MFA available with white-labeling or custom domains? 
Yes, MFA is available for white-labelled accounts and customer domains.
Is GoCanvas' MFA implementation secure? 

GoCanvas follows security best practices for supporting MFA, such as:

  • Ensuring tokens/challenges are short-lived,
  • Protecting against repeated guesses in a short period of time,
  • Routinely testing and maintaining the authentication logic,
  • Using industry-standard MFA factors.

Did we answer your question?

We'd really appreciate your feedback! Please leave your suggestions for improvement in the comments or let us know what you're looking for so we can assist you better. We want to help, but we need to understand your needs!

Articles in this section

Was this article helpful?
0 out of 0 found this helpful
Share

Comments

0 comments

Please sign in to leave a comment.