How to configure and transition to using Multi-Factor Authentication (MFA) for your organisation

Providers have the option to further strengthen the security of Staff logging into SupportAbility by utilising Multi-Factor Authentication (MFA). Setting up MFA in SupportAbility comprises configuring MFA for your organisation in System Preferences, each Staff Member activating MFA individually using an Authenticator App, and then passing the MFA step periodically when logging into SupportAbility.

This article provides instructions on configuring and transitioning to using Multi-Factor Authentication (MFA) for your organisation.

We have used the LastPass Authenticator App to provide some example screenshots. However, how this appears will differ based on your organisation's chosen Authenticator App.

Prerequisites: We recommend reviewing the Multi-Factor Authentication (MFA) in SupportAbility article, linked in the Related Articles section at the bottom of this article, as this contains important considerations before configuring MFA. 

Privileges: System Preferences & Edit User Accounts

Audience: Authorised Representatives, Operations Management, System Administrator




Transitioning to Multi-Factor Authentication (MFA) Log In

By default, MFA is Blocked, meaning that no Staff Members are required to complete this step when logging into SupportAbility, nor can anyone activate this in My Staff Account. 

If your organisation wishes to utilise MFA in SupportAbility, two options are available when enabling MFA for your organisation in System Preferences - 'Optional' or 'Enforced'. 

  • Optional is available to assist providers in the transition to MFA being mandatory for all Staff when logging into SupportAbility, or when MFA log-in is only required for some Staff in the organisation. 
  • Enforced mandates MFA log-in as part of the SupportAbility log-in process. 

Once a plan to transition to MFA is determined and has been communicated to Staff, including which Authenticator App will be used and instructions about setting this up, it is recommended to transition to MFA by configuring this as ‘Optional’ to begin with. If your organisation plans to mandate MFA for all Staff logging into SupportAbility, when the majority of Staff have activated MFA, the configuration can be updated to ‘Enforced’.



Ensuring a Staff Account Email Address has been set for all Staff required to activate MFA

Before enabling MFA, it is important to ensure all Staff Members have a Staff Account Email address configured in the User Details tab of their Staff Account so that, in the event of being unable to access the Authenticator App, they can utilise the email fallback option.



Configuring MFA

There are several settings available in System Preferences to configure MFA for your organisation: MFA Status, Staff MFA Activation Instructions and MFA Valid For.

More information regarding each of these configuration options has been outlined below. 



MFA Status

To enable MFA for your organisation, change the MFA Status:

IMPORTANT - before changing the MFA Status to Optional or Enforced, Staff Members must have access to an Authenticator App in order to activate MFA and link it to SupportAbility. Once MFA has been activated, Staff will require access to the Authenticator App (or their Staff Account Email as a fallback) in order to log in to SupportAbility.



Blocked

There are three MFA Status options available, with Blocked set as the default: 

In Blocked status, no Staff are required to authenticate using MFA when logging into SupportAbility and Staff are not able to activate MFA in their Staff Account.

This is the default setting to ensure that providers can transition to using MFA if and when they are ready to do so. 



Optional

In Optional status, Staff will not be forced, or even prompted, to activate MFA on their account when they log into SupportAbility.

When a provider's MFA Status is set to Optional, Staff Members can activate MFA via ‘My Staff Account’ at any time using an Authenticator App.

This MFA Status is suitable for organisations that are transitioning to enforcing MFA for all Staff, or when MFA log-in is only required for some Staff Members in the organisation.

When the MFA Status of Optional is selected, a blue information message appears indicating how many Staff are yet to activate MFA: 

Selecting the link to view the list of these Staff navigates you to the Staff Accounts Search List as outlined below. 



Enforced

The Enforced status represents the final stage of an organisation's transition to mandating MFA for all Staff logins to SupportAbility. 

When a provider's MFA Status is set to Enforced, Staff Members who have not already activated MFA using an Authenticator App will be required to do so upon their next login.

When the MFA Status of Enforced is selected, a blue information message appears indicating how many Staff are yet to activate MFA: 

Selecting the link to view the list of these Staff navigates you to the Staff Accounts Search List as outlined below. 



Staff Accounts Search List

Clicking the blue link in the Change MFA Status window when Optional or Enforced is selected navigates you to the list of Staff who have not activated MFA. This is a filtered list from the Staff Account Search showing Active Staff Accounts with the MFA Status of 'Deactivated'.

This list contains an MFA Status column showing the MFA Status for each Staff Member, and can be exported from the Actions menu for reference.

Please see the Staff Accounts Search article for more information regarding this search. 
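
The following is an added example, not part of SupportAbility or of the original article: a short Python check that can be run over an exported Staff Accounts Search List before changing the MFA Status from Optional to Enforced. It reports which Active Staff still have the MFA Status of 'Deactivated' and which have no Staff Account Email to fall back on. The column names other than 'MFA Status', the 'Activated' value, the sample rows and the reading of "majority" as more than half are assumptions; adjust them to match your own export.

```python
import csv
import io

# Column names are assumptions (the article names only the "MFA Status"
# column and its 'Deactivated' value); match them to your own export.
NAME_COL, EMAIL_COL = "Staff Name", "Staff Account Email"
ACTIVE_COL, MFA_COL = "Account Status", "MFA Status"

# Constructed sample export, not real data.
SAMPLE_EXPORT = """Staff Name,Staff Account Email,Account Status,MFA Status
Alex Nguyen,alex@example.org,Active,Activated
Sam Patel,,Active,Deactivated
Jo Brown,jo@example.org,Active,Deactivated
Kim Lee,kim@example.org,Active,Activated
Pat Jones, ,Active,Activated
Lee Wong,lee@example.org,Inactive,Deactivated
"""


def mfa_rollout_readiness(csv_text, majority=0.5):
    """Summarise an exported staff list before moving Optional -> Enforced."""
    active = [r for r in csv.DictReader(io.StringIO(csv_text))
              if r[ACTIVE_COL].strip().lower() == "active"]
    # Staff who would be required to activate MFA at next login once Enforced.
    pending = [r[NAME_COL] for r in active
               if r[MFA_COL].strip().lower() == "deactivated"]
    # Staff with no email fallback if they cannot access the Authenticator App.
    no_fallback = [r[NAME_COL] for r in active if not r[EMAIL_COL].strip()]
    fraction = (len(active) - len(pending)) / len(active) if active else 0.0
    return {
        "active_staff": len(active),
        "pending_activation": pending,
        "missing_email_fallback": no_fallback,
        "activated_fraction": fraction,
        # Both conditions from the article: a fallback email for everyone,
        # and the majority of Staff already activated.
        "ready_to_enforce": not no_fallback and fraction > majority,
    }


if __name__ == "__main__":
    for key, value in mfa_rollout_readiness(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```
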



Staff MFA Activation Instructions

When Staff activate MFA in 'My Staff Account', a QR code is displayed along with a field to enter the confirmation code generated by their Authenticator App. Your organisation can configure specific instructions to help guide Staff in the MFA Activation process. Once saved, these instructions are displayed alongside the QR code during the activation process.

To configure Staff MFA Activation Instructions, select the Change button: 

This opens the Staff MFA Activation Instructions window which is formatted with two sections to give you a sense of what this will look like for Staff when they activate MFA: 

To add instructions for Staff when they activate MFA about which Authenticator App to use, as well as who to contact should they need support with this process, simply type this information in the text field. It will expand to accommodate the information required. Simple formatting is available for this feature which includes Bold, Italic, and ordered and unordered lists:

To format the text, either use the icons in the formatting menu above or the keyboard shortcuts outlined below:

  • Bold - highlight the relevant words, then use Command-B (Control-B on Windows) to bold the text
  • Italics - highlight the relevant words, then use Command-I (Control-I on Windows) to format the text in italics
  • Ordered List - place your cursor before the relevant text, then add a number followed by a period and select the Return/Enter key to make the line a numbered bullet
  • Unordered List - place your cursor before the relevant text, then add a * and select the Return/Enter key to make the line a bulleted point

N.B. If the text has been copied and pasted from another source, only the formatting available in this feature will be retained.

Whilst the text field will expand as required to accommodate a larger quantity of information, we recommend that messages are kept relatively brief. Linking to documents/websites with more detailed information is a useful way to manage this.



MFA Valid For

When MFA is in use, SupportAbility remembers authentications for up to 5 devices (or browsers) per Staff Member for a period of 7 days by default, meaning that the MFA log-in step is only required once every 7 days for each device (or browser) when logging in to SupportAbility. 

Providers can choose how long SupportAbility will retain device authentications before they expire, by customising the 'MFA Valid For' setting in System Preferences: 

To change the MFA validity period, select the drop-down menu next to 'MFA Valid For': 

The MFA Validity Period options available to select from are:

  • 24 hours
  • 7 days - set as the default
  • 14 days
  • 28 days
  • 30 days
