Multi-Factor Authentication FAQs


MFA provides another layer of security beyond just passwords and is currently the best way to make sure that only the right person can access an account.

Logging In

How often will MFA be required on web and/or mobile?

MFA challenges will be required any time a user would typically provide a username and password. On mobile, this means that the Mobile Client Timeout Window Account setting will apply.

For example, if the user only has to log in once a week, they will only get an MFA code that one time in the week. Users who will be out in the field without access to service should log in before they lose service, as is the case today.

If my company requires MFA, will I be given an authentication challenge when logging into both the web portal and the mobile application?
Yes, that is a fairly standard expectation. Authenticated sessions are not shared between mobile apps and web browsers.

Administration

Can companies have MFA and SSO enabled at the same time?
Not at this time. Many SSO Identity Providers offer MFA capabilities of their own (e.g. Okta, Azure AD).

Can admins accidentally lock their users out by requiring MFA?
No, as long as the account uses real email addresses for its users. The first time a user logs in to an account that requires MFA without having set up any MFA methods, we will default to using their email address. We will notify them that on subsequent logins they can set up other MFA methods as they prefer.

Can admins restrict which MFA factors are available to their users?

No, all users have Authenticator, Email, and SMS* available to them.

*SMS is limited to the US, Australia, and South Africa at this time.

Can admins require MFA only on web but not on mobile or vice versa? 
No. If MFA is enabled for a user, it applies to both web and mobile logins.

Troubleshooting

What if I lose my phone or change my number?
Admins and authenticated users can revoke SMS and Authenticator factors as needed and then confirm new factors the next time they log in. If users do not have a verified factor available for login and MFA is required, they should reach out to their account admin for assistance.

What if I change my email address?
The Change Email confirmation process will automatically update the MFA factor.

What if I try to log in and have never confirmed an MFA method?
The first time you log in, we will offer an email-based challenge or an SMS challenge using the number associated with your profile. However, SMS is limited to the US, Australia, and South Africa at this time.

Miscellaneous

Is MFA available with white-labeling or custom domains?
Yes, MFA is available for white-labeled accounts and custom domains.

Is GoCanvas' MFA implementation secure?

GoCanvas follows security best practices for supporting MFA, such as:

  • Ensuring tokens/challenges are short-lived,
  • Protecting against repeated guesses in a short period of time,
  • Routinely testing and maintaining the authentication logic,
  • Using industry-standard MFA factors.
