2FA is only available on paid accounts.
Two-factor authentication ('2FA') provides additional security benefits, as it requires both something you know (such as a password or PIN) as well as something you have (such as a phone, token or other digital device for authentication).
In this guide, we'll take you through setting up 2FA in our platform, with both SMS and Google Authenticator options supported.
Things To Consider
- During the setup process for 2FA, we'll generate a series of single-use Backup Codes which can be used to log into the account if you don't have your device with you.
- We also have separate single-use Recovery Codes which expire after an hour. These are designed to be given to new staff who may not yet have 2FA configured, but need to log in for the first time in order to do so (that is, if you've enabled the setting to force 2FA on for the entire account).
- As mentioned above, it is possible to enable 2FA for the entire account, even if not all of your users have set it up yet. If this is done, users without 2FA configured will only be able to login with a Recovery Code. For details, refer to the guide below titled 'Force 2FA for All Users'.
- Using our API? Be sure to set up an IP address filtering rule first - otherwise you will block the API's ability to access data in the system.
How-to Guide
This article contains a number of guides for various related topics. Click below to jump ahead to a particular guide.
- Setting up 2FA With Google Authenticator
- Setting up 2FA With SMS Validation
- Generating a One-time, Time-limited Recovery Code
- Logging in With 2FA Enabled
- Using With a One-time Backup Code
- Using With a One-time, Time-limited Recovery Code
- Force 2FA for All Users
Setting up 2FA With Google Authenticator
- Open the Account area (⚙️ icon, at top right).
- Select Security from the sidebar.
- On the Security tab, locate the Google Authenticator section and click .
- Download & install the Google Authenticator app onto your phone using the links provided on screen.
- Use the Google Authenticator app to scan the QR code on the screen.
- Once added, a code will be displayed on your phone. Type this code into the field provided in our platform, then click .
2FA via Google Authenticator is now enabled; you'll need to enter a verification code from your device each time you log into our platform.
At this time, a selection of secret single-use backup codes will be generated & are available to view by clicking the Show codes link provided. Keep your backup codes in a secure location & don't share them with anyone - as they can be used to log in when you're unable to use your phone. Treat them like a password.
Options are also provided to generate a new set of codes (which invalidates the previous ten codes), as well as to print or download the codes.
Setting up 2FA With SMS Validation
2FA via SMS is only supported in Australia.
- Open the Account area (⚙️ icon, at top right).
- Select Security from the sidebar.
- On the Security tab, locate the SMS Validation section and click .
- Enter your mobile number and click Send Code. A validation code will be sent to your device via SMS.
- Enter this code into the field provided and click Validate.
2FA via SMS is now enabled; you'll need to enter a verification code from your device each time you log into our platform.
At this time, a selection of secret single-use backup codes will be generated & are available to view by clicking the Show codes link provided. Keep your backup codes in a secure location & don't share them with anyone - as they can be used to log in when you're unable to use your phone. Treat them like a password.
Options are also provided to generate a new set of codes (which invalidates the previous ten codes), as well as to print or download the codes.
Generating a One-time, Time-limited Recovery Code
These can only be created by the user with the Owner-level permission assigned.
Recovery Codes are single-use and expire after an hour. They're generally designed for when an account owner wants to grant access for a new user (who hasn't set up 2FA yet), or for a user that doesn't have access to their device & their backup codes.
- Open the Account area (⚙️ icon, at top right).
- Select Users from the sidebar.
- Locate the user that you wish to generate a recovery code for, and click the ellipsis ( ) over on the right.
- Select Generate recovery code - the code will be displayed. You can now securely give this to your user, who can enter it on the login screen. After an hour, the code will automatically expire.
Logging in With 2FA Enabled
When logging into the platform, users with 2FA enabled will be asked to enter their 2FA verification information (along with the usual email and password). Enter the SMS or Google Authenticator code, then log in.
If you have both forms of 2FA enabled, you can switch between them depending on the method you'd prefer to use.
Using With a One-time Backup Code
If you don't have your device on you, you can log in with one of your ten single-use Backup Codes.
- Open the login screen & enter your login & password.
- Click to proceed to the 2FA screen.
- Click Use Backup code.
- Enter one of your ten single-use Backup codes and click to log in.
Using With a One-time, Time-limited Recovery Code
Remember, Recovery Codes are designed for when an account owner wants to grant access for a user that's new (and hasn't set up 2FA yet), or for a user that doesn't have access to their device & their backup codes. Only the user with the Owner-level permission can create Recovery Codes.
- Open the login screen & enter your login & password.
- Click to proceed to the 2FA screen.
- Click Use Backup code.
- Next, click Use Recovery code.
- Enter the one-time, time-limited Recovery Code given to you by the account owner user.
- Click to log in. You will now be logged in to the system. We highly recommend that the user completes the 2FA setup process ASAP - otherwise they will need another Recovery Code from the Owner user to log in next time.
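The two fallback credentials described in this guide have different lifecycles: the ten Backup Codes are single-use and a regenerated set invalidates the previous ten, while a Recovery Code is single-use, can only be issued by the Owner, and expires an hour after it is generated. The following is an added example modelling those rules on the server side; it is illustrative and not the platform's code. The code length, alphabet, PBKDF2 parameters and the rule that a new Recovery Code replaces an outstanding one are assumptions made for the example.

```python
"""Added example: server-side model of single-use Backup Codes and one-hour
Recovery Codes. Illustrative only; not the platform's code. Codes are stored
only as salted PBKDF2 hashes so a leaked table does not reveal them, and the
clock is passed in explicitly so expiry can be tested deterministically."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

BACKUP_CODE_COUNT = 10                 # "ten single-use Backup Codes"
RECOVERY_CODE_TTL_SECONDS = 3600       # "expire after an hour"
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # assumed; drops look-alike chars


def _new_code(length: int = 10) -> str:
    """Cryptographically random code from the constructed alphabet."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))


def _hash_code(code: str, salt: bytes) -> bytes:
    # PBKDF2 keeps offline guessing against a leaked hash table expensive.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


@dataclass
class StoredCode:
    salt: bytes
    digest: bytes
    used: bool = False
    expires_at: Optional[int] = None   # None for backup codes (no expiry)


def _store(code: str, expires_at: Optional[int] = None) -> StoredCode:
    salt = os.urandom(16)
    return StoredCode(salt=salt, digest=_hash_code(code, salt), expires_at=expires_at)


@dataclass
class UserSecondFactor:
    backup_codes: List[StoredCode] = field(default_factory=list)
    recovery_code: Optional[StoredCode] = None

    def regenerate_backup_codes(self) -> List[str]:
        """Issue a fresh set of ten; the previous set stops working at once.
        Plaintext is returned for one-time display and never stored."""
        plain = [_new_code() for _ in range(BACKUP_CODE_COUNT)]
        self.backup_codes = [_store(c) for c in plain]
        return plain

    def remaining_backup_codes(self) -> int:
        return sum(1 for c in self.backup_codes if not c.used)

    def use_backup_code(self, submitted: str) -> bool:
        """Constant-time compare against every unused code; a match is consumed."""
        for stored in self.backup_codes:
            if stored.used:
                continue
            if hmac.compare_digest(_hash_code(submitted, stored.salt), stored.digest):
                stored.used = True
                return True
        return False

    def issue_recovery_code(self, now: int, issued_by_owner: bool) -> str:
        """Only the Owner may generate one; a new code replaces any outstanding one."""
        if not issued_by_owner:
            raise PermissionError("recovery codes require Owner-level permission")
        plain = _new_code(16)
        self.recovery_code = _store(plain, expires_at=now + RECOVERY_CODE_TTL_SECONDS)
        return plain

    def use_recovery_code(self, submitted: str, now: int) -> bool:
        """Valid only if unused and strictly before its expiry time."""
        rc = self.recovery_code
        if rc is None or rc.used or now >= rc.expires_at:
            return False
        if hmac.compare_digest(_hash_code(submitted, rc.salt), rc.digest):
            rc.used = True
            return True
        return False
```

Two details matter for the guide's advice to treat backup codes like a password: the plaintext exists only at generation time (the Show codes link would display a copy held for the session, not a value read back from storage), and a successful Recovery Code login should be followed by completing 2FA setup, since the code cannot be reused and the next login would need a fresh one from the Owner.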
Force 2FA for All Users
It is possible to force a 2FA requirement for all logins (or to force 2FA from certain IP ranges), even if some of your users haven't set it up yet. If you enable this, users without 2FA set up will only be able to log in using a one-time, time-limited Recovery Code (see above) - which they can then use to log in and set up their 2FA.
Configure IP rules & 2FA requirements
Further Reading
For additional security benefits, you can also restrict your account by IP address, if you wish.
Guide for IT Administrators or Security Best Practices