What is Multi-factor authentication?
Multi-factor authentication (MFA) is a mechanism that provides more secure access to applications and services. Typical authentication on most services/apps/websites involves a user login and password, and MFA can provide additional security steps before allowing user access to the site.
One of the most common ways of MFA is to ask the user for a password and then ask for a security code that has a short lifespan (e.g. 30 seconds). This is something known as a time-based one-time password.
Here at Grabyo, we are using this method with the help of an additional service, the Google Authenticator App. The link to download the Google Authenticator App is below:
The Google Authenticator App generates a 6 digit code every 30 seconds that is used to access Grabyo Studio after the user has supplied a username and password.
Who controls MFA for Grabyo Organisations and its users?
Admin users have two different options when it comes to enabling MFA. Option one is to enable MFA for all the users in their organisation, and the second option is to set up MFA on a per-user basis, allowing Admins to control the individual security level for each user.
Here are some more details for each configuration:
Organisation level: Admins can toggle and enforce MFA for the whole organisation. Each user will be prompted to set up MFA before access to the Grabyo platform is granted. Suspended users will not be required to set up MFA, however, if their access is re-enabled they will automatically receive an email prompting the setup process. Once MFA is enabled on an organisation level, all users will be required to set up MFA. To disable MFA, the Admin must switch off the organisation wide setting, and also remove it from each user individually.
User level: MFA can be configured for each user individually if it is not enforced on the whole organisation as described above. When an Admin turns on MFA for a particular user, we send that user an email asking them to set up the MFA. Next time this user tries to log in, they will be presented with the UI to set up their MFA. MFA can be reset for any user that currently, that has it enabled on their account by an Admin.
How to enable MFA for a user:
From the users page, the Admin can enable MFA for each specific member of their organisation (see image above).
Once this option is selected, the status will become 'pending' until MFA setup is complete y the user.
The user will receive an activation email.
Upon the following login, the user needs to scan an automatically
generated QR code with their phone via the Google Authenticator App.
Once the QR code is scanned, a new entry will be visible on
the Google Authenticator App on the their mobile device.
Once the above steps are complete, the user status is changed from pending to active
and MFA activation is complete. Each time the user logs into Grabyo, they will
be prompted to enter the MFA code generated by the Google Authenticator app.
How to reset MFA for a user:
If a user is no longer able to access MFA for any reason - for example, if a phone is lost - the Admin can simply hit the Reset MFA button on the user page and a new code will be generated and sent via email prompting the user to complete the initial MFA setup again.
How to disable MFA for a user:
The Admin can select Disable MFA on the user page, which will revoke access for that login. The MFA status for each is also visible on the user page.