Increase Account Security With Two-Factor Authentication (2FA / MFA)

What is Two-Factor Authentication (2FA)?

Two-factor authentication (2FA), also known at multi-factor authentication (MFA), is a security process that requires users to provide two different authentication factors to verify their identity. These factors typically include something the user knows (like a password or PIN) and something the user has (like a smartphone or security token).

By requiring two different types of information, 2FA adds an extra layer of security to help protect against unauthorized access to accounts and sensitive information. There are multiple 2FA methods available - displayed in order from most secure to least secure;

• Authenticator App: A code is displayed in your app of choice (recommended)
• Email Authentication: A code will be sent to the email address on your profile.
• SMS Authentication: A code will be sent to your mobile device. Using SMS for 2FA is not supported on trial accounts, or for those in New Zealand. Please choose a different 2FA method if you have a New Zealand mobile number.

There are also two other methods as a last resort:

• Backup Codes: Ten single-use codes are generated when you first set up a 2FA method
• Recovery Code: If no other methods are available (including backup codes), your account 'owner' user can contact our Support team and we can generate a single-use code for you. 

 

Good To Know

• Email authentication is the default 2FA method. If you don't enable any other method of 2FA, this is the one we will use. However, you can enable more secure 2FA methods (such as SMS  Authentication or an Authenticator App) on your profile if you like.
• Email authentication is considered the least secure method of 2FA.
• If you access multiple accounts on our platform, and at least one of those accounts requires a higher-level of 2FA support, then you will be forced to use one of the more secure methods of 2FA - such as SMS Authentication or an Authenticator App. Email 2FA won't be good enough.
• For security reasons, when you change a 2FA method, you will need to confirm your password.
• Backup codes are single-use. As such, when you use one of your single-use backup codes to login, that code will no longer work.

 

Frequently Asked Questions

Q: What's changing? 
A: Two things! Firstly 2FA is being turned on for everyone. Secondly, 2FA is moving from sitting at the account level, to the profile level. Just for clarification, a profile can have many accounts - so if you have more than one account linked to your profile, you will now only be prompted once for 2FA, instead of each separate account. Much better - as I'm sure you'll agree!

The diagram below helps illustrate the change - with the old account-based 2FA on the left and the new profile-based 2FA on the right.

 

Q: When is this changing? 
A: Profile based 2FA is being rolled out slowly, and in phases. We will be enabling and requiring Email Authentication (refer to the start of this article for more details) for every user soon, but the more secure 2FA options (such as SMS Authentication or an Authenticator App) will not be required at this time ...that is, unless the account that you're logging into has this requirement forced on by that account's administrator. In other words, the more secure 2FA options are not on by default unless someone in your account has set it up to be on.

 

Q: I don't currently have any 2FA turned on. What happens if I do nothing?
A: After we turn on 2FA for you, the next time you login you should be prompted to configure 2FA on your profile. Initially, it will be email-based 2FA - but the more secure 2FA options (such as SMS Authentication or an Authenticator App) are available for you to enable if you wish.

 

Q: I already have 2FA configured in the system. Will I need to set it up again?
A: Yes. Currently, your account would be configured to have 2FA setup on a per-account basis... however, as it's moving to per-profile, you will need to set it up again as part of the migration. Account based two-factor authentication will be transitioned and removed in favour of profile based 2FA.

If you already have 2FA (via an use an Authenticator App) enabled on your account, do not delete your existing Authenticator App entry for our platform until you have successfully logged in to your account(s) and migrated them.

 

Q: Why can't you just migrate the 2FA configuration from per-account to per-profile? 
A: As much as we'd love to, this isn't possible. Besides, if you have more than one account with 2FA, which would we migrate?

 

Q: I currently access multiple accounts in the system - some with 2FA and some without. What will change in this scenario?
A: As mentioned earlier, 2FA is moving from the account level up to the profile level. All that will change is that the 2FA screen will appear before you select the account you'd like to log into - instead of after.

If you already have 2FA (via an use an Authenticator App) enabled on your account, do not delete your existing Authenticator App entry for our platform until you have successfully logged in to your account(s) and migrated them.

Old (account-based) MFA:

New (profile-based) MFA:

 

Q: I currently have the system configured to ignore 2FA when our users log in from certain whitelisted IP addresses. Will this change?
A: The option to ignore 2FA in the Security IP Restrictions page only affects Account Based 2FA, which is being turned off in favour of Profile 2FA. Requiring 2FA works seamlessly with the new and old 2FA systems, which means it’ll prompt the user to configure 2FA if they don’t already have it enabled.

 

Q: We have an API that accesses the system. Will these 2FA changes affect that?
A: No, API access is separate and will remain unchanged.

 

Q: If we use email 2FA, where will emails appear to come 'from'?
A: 2FA emails will come from @vision6.com.au - so ensure emails from this domain are not blocked or, better still, are whitelisted. If this cannot be done, we recommend switching to a non-email based 2FA method ASAP.

 

Q: We all share a login. How will 2FA affect that?
A: Please do not share logins. On any system. Besides, adding extra users doesn't cost you anything - so you will need to create a user login for each staff member. This is far more secure than sharing a login.

 

Q: We currently have 3rd-party integrations that interface with the system. Will these 2FA changes affect that?
A: Yes, you will be prompted for 2FA if you sign in to a 3rd-party integration and you have not selected “Remember this device”.

 

Q: We manage the platform on behalf of others (or are a reseller / agency client). What do I need to keep in mind?
A: As per the email communications you would have received, you will need to inform your sub-accounts / clients of the upcoming changes.

 

Q: What if I login to my account with an email address that no longer works?
A: Since our system will be emailing 2FA codes to this email address, you will need to ensure that it is a real, working email address. If you need to change your email address, start by adding (inviting) your correct email address as a new user to the account. Be sure to verify the email address & log in to the account with it before you remove the old user!

 

How-to Guide

This article contains a number of guides for various related topics. Click below to jump ahead to a particular guide...

• Use an Authenticator App for 2FA
• Use SMS for 2FA
• Backup Codes
• Recovery Codes

 

Use an Authenticator App for 2FA

1. Use your phone's app store to download an Authenticator App on your phone. We recommend Google Authenticator, Microsoft Authenticator, Aegis, Lastpass, Authy, or Duo Security.
2. Log into our platform.
3. Click the coloured circle at the top-right corner and click My Profile.
4. Click Security.
5. Click the toggle next to Authenticator App to switch it on. A QR code will be shown to you.
6. Use the authenticator app you downloaded to scan the QR code.
7. Once added, enter the code from your app into our system to verify that everything worked correctly.
8. If you haven't already been prompted to do so, the next screen will allow you to print or download some single-use backup codes. Save these somewhere safe - as anyone with these codes will be able to access your account in conjunction with your password.
9. Click Continue to complete the process.

2FA via an Autheticator App has been activated. You will need to enter an authentication code from your device every time you log into our platform. Upon logging in, you have the option to have your device remembered for 30 days, eliminating the need to enter the code during that period.

If you ever need to change 2FA methods, follow steps 2 - 4 above.

 

Use SMS for 2FA 

Please note that currently New Zealand numbers will not work and you will not receive an SMS - please choose a different option if you are using an NZ phone number.

1. Log into our platform.
2. Click the coloured circle at the top-right corner and click My Profile.
3. Click Security.
4. Click the toggle next to SMS Authentication.
5. Enter the mobile number you'd like to use to log into your account.
6. We will SMS you a code. Enter the SMS code into our system to verify that everything worked correctly.
7. If you haven't already been prompted to do so, the next screen will allow you to print or download some single-use backup codes. Save these somewhere safe - as anyone with these codes will be able to access your account in conjunction with your password.
8. Click Continue to complete the process.

2FA via SMS has been activated. You will need to enter the authentication code sent to your device every time you log into our platform. Upon logging in, you have the option to have your device remembered for 30 days, eliminating the need to enter the code during that period.

If you ever need to change 2FA methods, follow steps 2 - 4 above.

 

Backup Codes

Backup codes are a set of one-use codes that can be used if you cannot use your regular 2FA method(s) to sign in. To use one, login as usual and when prompted to enter your 2FA code, click Try another way. You can enter one of your backup codes here. They are single use, so once it has been used it will no longer work.

As you should now have access to your account, it's a wise idea to adjust your 2FA settings to either enrol a new device (like your new phone), or switch to a different 2FA method that will work for you. Remember, we use email as the default 2FA method - so if you disable SMS or Authenticator 2FA, our system will default to emailing you these codes instead.

If you have lost or used all of your backup codes, you can generate a new set. Noting that if you generate a set of new codes, any existing backup codes (if any) will stop working. 

1. Log into our platform.
2. Click the coloured circle at the top-right corner and click My Profile.
3. Click Security.
4. Click Generate New Backup Codes and follow the on-screen prompts to create a new set.
5. If you haven't already been prompted to do so, the next screen will allow you to print or download some single-use backup codes. Save these somewhere safe - as anyone with these codes will be able to access your account in conjunction with your password.
6. Click Continue to complete the process.

 

Recovery Code

If you’ve lost access to your 2FA token, your device, have used up your 10 backup codes or have no access to them, you may request a recovery code from our support team via email.

1. Contact our Support Team so they can help recover your account. Note that for security reasons, our team may need to verify you own the profile. Furthermore, our Support Team will only be able to send this code to the email address on file for your profile.
2. Log into your account per usual.
3. On the 2FA page, click Try Another Way.
4. Scroll to the bottom of the page and click Recovery Code.
5. Enter the recover code from our Support Team into this field, then click Verify Code. You will now have access to your account.

You should take this opportunity to reconfigure your 2FA methods.

 

Force 2FA for All Users

It is possible to force a 2FA requirement for all logins (or to force 2FA from certain IP ranges), even if some of your users haven't set it up yet. If you enable this, users without 2FA setup will only be able to login using a one-time, time-limited Recovery Code (see above) - which they can then use to login and setup their 2FA.

Configure IP rules & 2FA requirements