Setting Up Multi-Factor Authentication
Overview
Admin users can no longer enforce MFA Enrollment requirements for individual users; however, they can enforce MFA Enrollment at the organizational level for all members.
Multi-Factor Authentication (MFA) provides an additional layer of security by generating a one-time code that users must enter during sign in. If you are prompted to set up MFA while activating your account, you can do so using any QR-code-based authenticator app (i.e. Google or Microsoft Authenticator).
Enabling MFA For Your Account
MFA settings are located in the Profile page for your account. This page can be accessed by selecting the Profile icon () at the very bottom of the Navigation bar, then selecting the Profile link from the dropdown menu.
Please note that Profile icons vary in appearance from account to account. While its color is assigned at random, the icon will always contain the first letter of the first name associated with your account.
From the Profile page, select the Enable MFA on your account toggle located in the Settings panel.
A popup will appear asking you to confirm that you would like to continue. Select OK to confirm. A green Member successfully updated message will appear and you will be redirected to the MFA Setup page.
Once you have been redirected, you will see a QR Code. Scan this code with your preferred authenticator app. Next, enter the one time code generated by the authenticator into the provided field, then click the Continue button.
Recovery codes are only shown once and must be saved in a secure place!
You will be provided with a recovery code that can be used to log into your account in the event that you lose access to your authenticator app. Select the Copy code button to copy the code to your clipboard then save it in a secure place.
Once you've saved your code, check the I have safely recorded this code checkbox, then click the Continue button to complete this process.
Resetting an MFA Token
The Sevco platform allows you to reset your MFA Token. Admin users may also reset MFA Tokens for other members in their organization.
MFA tokens may be reset:
- To practice good security hygiene. Like updating your password, resetting an MFA Token can help shield you from cyber attacks
- If a user has lost access to their authenticator app.
- If you have reason to believe that a user's password or recovery code has been wrongfully obtained
Profile Page
To reset an MFA Token from your Profile page, select the Reset MFA token button in the Settings Panel. A popup will appear. Select Ok to continue.
You will be redirected to the MFA Setup page where you can continue reconfiguring your MFA authentication.
Members Page
Please note that this page is only accessible to Admin users. If your account is Read Only, you will need to contact an Admin to view it.
The Members page can be accessed by clicking the Admin icon () on the Navigation bar then select the Members link from the dropdown menu
MFA tokens can be reset by clicking the kebab icon () in the far-right column and selecting Reset MFA token from the popup menu.
Lost MFA Login Alternatives
In the event that you have lost access to your MFA authentication app, there are two methods that can be used for accessing your account.
From the Login page, enter and submit your username and password as you normally would. Next, select the Try another method link at the bottom of the Verify Your Identity prompt.
Recovery Code
If you have access to your Recovery Code, select the Recovery Code option from the Other Methods menu.
Once you have been redirected, paste your Recovery Code into the provided field, then click the Continue button.
You will be provided with a new Recovery Code. Select the Copy code button to copy the code to your clipboard then save it in a secure place.
Once you've saved your code, check the I have safely recorded this code checkbox, then click the Continue button to complete this process.
Email
In the event that you have lost your Recovery Code, you can have a temporary verification code emailed to you that will allow you to access your account. As a security measure, we recommend only using this method as a last resort.
Select the Email option from the Other Methods menu to begin this process. You will be prompted to enter the code that has been emailed to you. Keep this page open, as you will be returning to it momentarily.
Copy the verification code that has been sent to your email, then return to the verification page in Sevco.
Paste the verification code into the provided field, then select the Continue button to complete this process.
Depending on the MFA Enrollment requirements set by your Organization Admin, you may be prompted to reset your MFA Token automatically. If your Organization does not have this requirement, we strongly recommend resetting your MFA Token from your Profile page to secure your account.
Enforcing MFA for an Organization
While Admin users can no longer enforce MFA Enrollment requirements for individual users, they can enforce MFA Enrollment at the organizational level for all members. Sevco recommends enforcing MFA enrollment at the organizational level to reduce the risk of phishing attempts that could result in stolen credentials.
From the Members page, select the Enforce MFA for all members toggle in the Settings panel.
Logging in with Single Sign-on (SSO Integration)
Admins planning on configuring a Single Sign-on integration for their organization should disable MFA enforcement at the organizational level. Additionally, organization members should also disable MFA enforcement for their accounts.
Admin users can connect their Single sign-on (SSO) integration (i.e. cloud Identity Providers such as Okta or AzureAD) to the Sevco platform using Sevco's SAML Configuration APIs.
Creating an Application
To enable an SSO Integration, your Identity Provider will create an Application. This will require the following configuration information:
Single Sign-on URL:
Replace the 0's with your Organization ID
https://sevco.us.auth0.com/login/callback?connection=00000000-0000-0000-0000-000000000000
Audience Restriction (or Entity ID):
urn:auth0:sevco:00000000-0000-0000-0000-000000000000
Additionally, you will need to add a Claim. The claim's Name should equal email
and its Value should reflect the naming scheme used by your Identity Provider to qualify a user's email address (i.e. user.email
).
Enabling the SSO Integration
After the Application has been created, your Identity Provider will provide an X.509 Certificate as well as a Single Sign-on URL. These will be used when calling the API to enable the SSO Integration.
For additional questions about Sevco's SAML Single Sign-on, please email us at [email protected].
Updated about 1 month ago