Multi-Factor Authentication (MFA) in SupportAbility
Providers have the option to further strengthen security when Staff log into SupportAbility by using Multi-Factor Authentication (MFA). Setting up MFA in SupportAbility comprises: configuring MFA for your organisation in System Preferences, each Staff Member activating MFA individually using an Authenticator App, and then passing the MFA step periodically when logging into SupportAbility.
This article explains what MFA is, how SupportAbility implements it, the considerations to work through before it is configured, and how MFA is set up and used in SupportAbility.
We have used the LastPass Authenticator App for the example screenshots; how this appears will differ based on your organisation's chosen Authenticator App.
Audience: Authorised Representatives, Executive Management, Operations Management, IT Specialist
This article covers the following sections:
- What is Multi-Factor Authentication (MFA)?
- SupportAbility's Implementation of MFA
- Considerations before enabling Multi-Factor Authentication (MFA) for your organisation
- MFA Overview
What is Multi-Factor Authentication (MFA)?
Multi-factor authentication (MFA) is a security technology that requires users to verify their identity using multiple methods of authentication from different categories of credentials in order to log in to a software system.
Categories of credentials include:
- What the user knows - such as a password (the username identifies the account but is not itself a secret),
- What the user has access to - such as a security token provided by an Authenticator App on their smartphone, or access to a specific email account; and
- Who the user is - using biometric verification methods such as fingerprint or facial recognition on a smartphone.
The goal of MFA is a layered defence that makes it more difficult for an unauthorised person to access a software system. If one factor is compromised, such as a user's password, the attacker still has to obtain a credential from a different category before gaining access.
SupportAbility's Implementation of MFA
Traditionally, SupportAbility has relied on the 'what the user knows' category alone, in the form of both shared and individual usernames and passwords, to verify a user's identity at login.
Because most devices other than recent smartphones do not support biometric authentication, SupportAbility has implemented MFA by adding credentials from the 'what the user has access to' category:
- The primary MFA method uses codes generated by a smartphone Authenticator App.
- The secondary, fallback method sends an authentication code to the Staff Member's Email Address.
More on each of these methods is outlined below.
MFA Primary Method - Authenticator App
Authenticator Apps allow SupportAbility to verify a user's identity by confirming 'what the user has access to'. In this case, we are verifying that the user has access to a physical device; their smartphone.
To support MFA logins using Authenticator Apps, SupportAbility verifies time-based one-time passwords (TOTPs) as specified in RFC 6238, so any Authenticator App that implements that standard can be used.
There are many free smartphone Authenticator Apps available that support this standard. These include, but are not limited to:
- Microsoft Authenticator
- Duo Mobile
- Google Authenticator
These smartphone Authenticator Apps generate a 6-digit code, unique to each enrolled SupportAbility user, which changes every 30 seconds, e.g. in LastPass Authenticator.
If your organisation is not already utilising an Authenticator App, it is recommended that your organisation researches the different Authenticator Apps that are available to determine which will meet your business needs.
Once MFA has been configured by your organisation in SupportAbility, Staff can activate MFA using an Authenticator App. From then on, each time the MFA step is required at login (how often depends on the configured MFA Validity Period), they will be asked for the code generated by their smartphone Authenticator App after entering their username and password.
We strongly recommend that providers choose to use a smartphone Authenticator App that supports cloud backup and ensure that all Staff have the cloud backup feature enabled in the Authenticator App on their smartphone. This will mean that the MFA codes can be easily transferred to a new smartphone in the situation where a staff member replaces their smartphone device for any reason.
To use cloud backup, a user account must be set up with the Authenticator App's provider and linked to the Authenticator App on each Staff Member's smartphone. Most Authenticator Apps prompt the user to log in or create an account when cloud backup is activated. The linked account allows all MFA accounts set up in the Authenticator App to be backed up to the cloud, so they can be restored to a new device if the Staff Member gets a new smartphone. Because that backup holds the same secrets that were enrolled from the QR codes, the Authenticator App's cloud account should itself be protected with a strong, unique password and, where offered, its own MFA; whoever controls that account can generate codes for every service backed up in it.
Note: If cloud backups are not enabled in the Authenticator App, and the staff member needs to replace their phone, they will need to access SupportAbility using Email MFA Authentication (see below), and access My Staff Account to manually deactivate and reactivate MFA within SupportAbility. They will likely need to follow a similar process for any other MFA accounts they had registered within the Authenticator App.
MFA Fallback Method - Email
Staff who have activated MFA on their SupportAbility Staff Account but do not have access to their Authenticator App when logging in (e.g. they left their phone at home) can request that an MFA code be sent to their Staff Account Email Address as a fallback. The code from the email is then entered into SupportAbility to complete the MFA login.
Codes sent via email are 8 digits long so that they are easily distinguished from the 6-digit codes generated by Authenticator Apps, and each emailed code remains valid for 10 minutes from the time it was requested.
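As an added illustration of the properties described above for the email fallback, the Python below is example code written for this article, not SupportAbility's own implementation. It issues an 8-digit code, stores only a keyed hash of it, accepts it once within a 10-minute window, and discards it after a handful of wrong guesses. The attempt limit, the keyed hash, and the class and function names are this example's assumptions; the page itself specifies only the 8-digit length and the 10-minute validity.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

EMAIL_CODE_DIGITS = 8      # 8 digits, so a code cannot be confused with a 6-digit app code
EMAIL_CODE_TTL = 10 * 60   # valid for 10 minutes from the moment it was requested
MAX_ATTEMPTS = 5           # assumed limit: an 8-digit code must not be guessable online


@dataclass
class PendingCode:
    code_hash: bytes   # keyed hash of the code; the code itself exists only in the email
    issued_at: int     # Unix time the code was requested
    attempts: int = 0  # guesses made against this code so far


class EmailFallbackCodes:
    """Issue and redeem one-time email codes; at most one live code per account.

    This is an example store, not SupportAbility's code. The server key and the
    attempt limit are this example's assumptions.
    """

    def __init__(self, server_key: bytes) -> None:
        self._server_key = server_key                 # secret held by the application server
        self._pending: Dict[str, PendingCode] = {}

    def _hash(self, username: str, code: str) -> bytes:
        # HMAC keyed with a server secret: a leaked table of hashes cannot be reversed
        # by simply hashing all 10^8 possible codes, because the key is needed too.
        return hmac.new(self._server_key, f"{username}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, username: str, now: Optional[int] = None) -> str:
        """Create a fresh code for the account, replacing any earlier unused one."""
        now = int(time.time()) if now is None else now
        code = f"{secrets.randbelow(10 ** EMAIL_CODE_DIGITS):0{EMAIL_CODE_DIGITS}d}"
        self._pending[username] = PendingCode(self._hash(username, code), now)
        return code   # the caller emails this to the Staff Account Email Address

    def redeem(self, username: str, submitted: str, now: Optional[int] = None) -> bool:
        """Accept the code once, and only while it is within its validity period."""
        now = int(time.time()) if now is None else now
        pending = self._pending.get(username)
        if pending is None:
            return False
        if now - pending.issued_at > EMAIL_CODE_TTL:
            del self._pending[username]               # expired: the user must request a new one
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[username]               # too many guesses: invalidate the code
            return False
        if not hmac.compare_digest(self._hash(username, submitted), pending.code_hash):
            return False                              # wrong code; attempt has been counted
        del self._pending[username]                   # single use: a redeemed code is gone
        return True

    def has_pending(self, username: str) -> bool:
        return username in self._pending


if __name__ == "__main__":
    store = EmailFallbackCodes(b"constructed-demo-key")
    code = store.issue("jane.doe")
    print("emailed code:", code)
    print("first redemption:", store.redeem("jane.doe", code))
    print("second redemption (replay):", store.redeem("jane.doe", code))
```

Note that a 6-digit Authenticator App code typed into the email field can never match, that a redeemed code is removed immediately, and that the comparison uses hmac.compare_digest rather than == to avoid a timing side channel.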
ISO27001 Information Security Management Compliance
SupportAbility is currently working towards certification in the global standard for Information Security Management (ISO27001).
All of the MFA functionality outlined below has been specifically designed to meet the security requirements of the ISO27001 standard.
This should also assist service providers looking to comply with controls associated with ISO27001 and other security standards.
Considerations before enabling Multi-Factor Authentication (MFA) for your organisation
Enforcing MFA for Staff logins is an important security feature, and we recommend that providers transition to it. However, the transition is a change management exercise that requires careful planning, coordination, documentation and training, and organisations will need to provide additional support for their Staff.
This is because MFA adds a step to the login process and increases the risk of Staff being unable to access SupportAbility if they have issues with the authentication technology.
If your organisation wishes to use the email fallback method, we recommend that Staff have access to their work email on their smartphone; this reduces the risk of Staff being locked out of SupportAbility if they have technical issues with the smartphone Authenticator App.
MFA transition planning
Enabling MFA requires planning before it is configured in SupportAbility, so we recommend developing a rollout plan for your organisation beforehand. It is important to consider the following:
- When the transition to MFA in SupportAbility will take place and how
  - For example, enabling the 'Optional' MFA Status to begin with, stepping Staff through setting up the Authenticator App with cloud backup and then activating MFA in SupportAbility, before switching the MFA Status to 'Enforced' if MFA login will be required for everyone logging into SupportAbility
- How Staff will be informed about the MFA requirement as part of the SupportAbility login process, e.g. that your organisation is enabling MFA for added security because confidential client information is accessed in SupportAbility
- Who Staff should contact if they encounter issues using the Authenticator App or logging into SupportAbility with the MFA step, e.g. IT support
- Which Authenticator App your organisation will support and require Staff to use
  - Research the different Authenticator Apps available to determine which will meet your business needs
- Ensuring all Staff have the required Authenticator App installed on the relevant device, e.g. a personal and/or company smartphone, including creating a user account in order to enable cloud backup
  - N.B. This is required before activating MFA in My Staff Account in SupportAbility
- The most suitable MFA Validity Period for your organisation, i.e. the period of time for which an MFA login remains valid before the MFA step is required again (7 days by default)
- To ensure Staff can receive MFA codes via the email fallback option:
  - configure your email filtering so that email from the 'supportability.com.au' domain is allow-listed (whitelisted) and not quarantined as spam; this should be an exception in the spam filter only, not a bypass of SPF, DKIM or DMARC checks, otherwise anyone could deliver spoofed messages claiming to be from that domain
  - configure Staff Account Email Addresses in the 'User Details' tab of each Staff Account
  - N.B. use a unique email address for each Staff Account; a shared mailbox would let anyone who can read it obtain the fallback code for every account that uses it
- The process when Staff change devices, e.g. upgrade to a new smartphone
  - For example, your organisation may require Staff to notify IT support, who will request that the relevant person deactivate MFA in the individual's Staff Account, so that once they restore the Authenticator App on their new phone from the cloud backup they can link the new device with SupportAbility through the MFA activation process again
- Ensuring that all devices used to access SupportAbility synchronise their clock with internet time servers, so that accurate MFA codes are generated for each 30-second period; TOTP codes are derived from the current time, so a phone whose clock is significantly wrong will produce codes that SupportAbility rejects
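The 6-digit, 30-second codes described under 'MFA Primary Method - Authenticator App' and the clock-synchronisation point in the last bullet above both follow from how RFC 6238 TOTP works. The following Python is an added example written for this article, not SupportAbility's own code: it implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standards, verifies a submitted code with a tolerance of one 30-second step either side, and refuses a code that has already been accepted. The secret is the published RFC test-vector key; the one-step window, the replay check and all names are this example's own choices, as the page does not document the tolerance SupportAbility applies.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # rotation period shown in the Authenticator App
DIGITS = 6          # length of the Authenticator App code

# Test-vector secret from RFC 4226 / RFC 6238 (the ASCII bytes "12345678901234567890"),
# base32-encoded as it would appear inside an activation QR code. Used here as a
# constructed example; a real activation secret is generated per Staff Member.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of 30-second steps since the epoch."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, int(at_time) // step)


def verify_totp(secret_b32: str, submitted: str, at_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> Optional[int]:
    """Return the step offset (-window..+window) at which `submitted` matches, or None.

    A one-step window (assumed here) tolerates a few seconds of clock drift on the
    phone; a phone whose clock is out by a minute or more falls outside it.
    """
    for offset in range(-window, window + 1):
        expected = totp(secret_b32, at_time + offset * step, step)
        if hmac.compare_digest(expected, submitted):   # constant-time comparison
            return offset
    return None


class TotpVerifier:
    """Server-side check that also refuses to accept the same code twice.

    RFC 6238 section 5.2 requires that a code already used to log in is not accepted
    again; without this, a code seen over someone's shoulder stays usable for the
    whole verification window.
    """

    def __init__(self, secret_b32: str) -> None:
        self.secret_b32 = secret_b32
        self.last_counter = -1   # highest time-step counter accepted so far

    def check(self, submitted: str, at_time: Optional[int] = None) -> bool:
        now = int(time.time()) if at_time is None else at_time
        offset = verify_totp(self.secret_b32, submitted, now)
        if offset is None:
            return False
        counter = now // STEP_SECONDS + offset
        if counter <= self.last_counter:
            return False                            # replayed (or older) code
        self.last_counter = counter
        return True


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the test key:", totp(RFC_SECRET_B32, now))
    # A phone exactly one step (30 s) slow is still accepted at offset -1 ...
    print("30 s slow ->", verify_totp(RFC_SECRET_B32, totp(RFC_SECRET_B32, now - 30), now))
    # ... but a phone two steps (60 s) slow is outside the window and is rejected.
    print("60 s slow ->", verify_totp(RFC_SECRET_B32, totp(RFC_SECRET_B32, now - 60), now))
```

Running it prints the current code for the test key and shows that a phone 30 seconds slow still passes while one 60 seconds slow does not, which is why the clock-synchronisation bullet above matters. The same HOTP routine reproduces the RFC 4226 test vectors, so it can be checked against the published values.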
We recommend consulting an IT professional, be they in-house or external, to assist you in this security transition project.
MFA Overview
Setting up MFA in SupportAbility comprises: configuring MFA for your organisation in System Preferences, each Staff Member activating MFA individually using an Authenticator App, and then passing the MFA step periodically when logging into SupportAbility.
Configuring MFA in System Preferences
MFA is blocked by default. When your organisation is ready to use it, MFA can be configured in System Preferences as either 'Optional' or 'Enforced':
- Optional - Allows Staff Members to activate MFA via ‘My Staff Account’ using an Authenticator App at any time. This option is recommended for organisations that are transitioning to enforcing MFA for all Staff, or when MFA log-in is only required for some Staff Members in the organisation.
- Enforced - Represents the final stage of an organisation's transition to mandating MFA for all Staff logins to SupportAbility. Staff Members that have not already activated MFA using an Authenticator App will be required to do so upon their next log in.
Once a plan to transition to MFA has been determined and communicated to Staff, including which Authenticator App will be used and instructions for setting it up, we recommend configuring MFA as 'Optional' to begin with.
If your organisation plans to mandate MFA for all Staff logging into SupportAbility, the configuration can be updated to 'Enforced' once the majority of Staff have activated MFA.
N.B. The number of Staff that have not yet activated MFA can be viewed by selecting the link in the MFA section of System Preferences, which navigates you to a filtered Staff Account Search list.
When Staff activate MFA, a QR code is displayed along with a field to enter the confirmation code generated by their Authenticator App. Your organisation can configure specific instructions here to help guide Staff in this process:
Once saved, these instructions are displayed alongside the QR code during the activation process.
When MFA is in use, SupportAbility remembers successful MFA authentications for up to five sessions (e.g. different web browsers, such as Chrome or Firefox) per Staff Member. Providers choose how long SupportAbility retains an authentication before it expires by selecting the MFA Validity Period from the available options; 7 days is the default. A longer period means fewer prompts for Staff, but also that a lost or shared computer can skip the MFA step until the period ends, so shorter periods suit shared devices.
Each Staff Member must activate MFA individually
Once MFA has been configured, Staff Members require an Authenticator App to activate it. When MFA is configured as 'Optional', Staff have the option to activate it from 'My Staff Account', available from the Dashboard. When it is configured as 'Enforced', Staff Members who have not yet activated MFA will be required to do so when they next log into SupportAbility.
By default, MFA is deactivated for all users:
Clicking the 'Activate' MFA button opens the 'Activate MFA' window, which includes the Staff Activation Instructions configured in System Preferences. The Staff Member then scans the QR code on screen with their Authenticator App to link their SupportAbility account and start generating the 6-digit codes required to log in. Once SupportAbility has been added to the Authenticator App, they enter the current 6-digit code into the 'Confirm MFA Code' field to finalise the activation. Note that the QR code contains the secret from which the Authenticator App generates codes, so it should not be screenshotted, emailed or shared; anyone who scans it can generate valid codes for that account.
Passing the MFA log-in step to access SupportAbility
Once MFA has been activated, the Staff Member will be required, after entering their username and password, to enter the 6-digit code generated by their Authenticator App whenever the MFA Validity Period has lapsed:
If the correct code is entered, they will be logged in to SupportAbility.
If they are unable to enter the correct code (e.g. they do not have access to their smartphone or the Authenticator App), they will be able to request a code be sent to their Staff Account Email Address:
Which they can then copy and enter into SupportAbility to log in:
Once MFA has been activated for a Staff Account, it can be deactivated by the user on the 'My Staff Account' page, or by a Staff Member with the 'Edit User Accounts' privilege from the User Details tab of the Staff Member's Account.
This should only be required if the individual is experiencing an issue with their Authenticator App, or if they have changed smartphones and have been unable to restore their Authenticator App from the cloud backup. Because deactivating MFA removes the second factor from the account, anyone using the 'Edit User Accounts' privilege to do so for another Staff Member should first confirm the requester's identity through a channel other than email, which is itself the fallback factor. Please see the Assisting another Staff Member to log in and resetting their password article for more information.
If the MFA Status for the SupportAbility installation is set to 'Enforced', the Staff Member will be required to activate MFA again when they next log in, in order to gain access to SupportAbility.