Multi-Factor Authentication

Summary

Multi-Factor Authentication (MFA) is a security process that authenticates users with more than one kind of evidence. Rather than having users log in with only a password, MFA requires them to log in using two methods. By requiring more than just a username and password, you can support stronger security practices for users accessing your applications.

Further Defined

Authentication helps ensure that only authorized users are able to get into an application. A username and password is the typical way for users to gain access, but in certain scenarios you may want to require more security steps than that.

A username and password is something that only an authorized user should know. It is secret knowledge, and is considered a Knowledge Factor. There are other types of factors to consider, and for a login process to be defined as MFA you need to use at least two factors from different categories. The three factor categories are:

  • Knowledge Factors - Something you know
  • Possession Factors - Something you have
  • Inherence Factors - Something you are

As mentioned earlier, a username and password counts as a knowledge factor. This is something only a user should know. To be defined as MFA you would also have to require a secondary factor in the Possession or Inherence categories. Here are examples of the secondary factors that are available with our MFA feature:

  • Emailed Security Token
  • Smartphone App (provided by PingID)
  • Voice call with temporary token

The three examples above are all possession factors, as the temporary tokens and the smartphone app count toward ‘something you have’. Any one of the above combined with a username and password qualifies as Multi-Factor Authentication, because a Knowledge Factor (password) and a Possession Factor (temporary token) are both being used to authenticate.

How It Works

Options

After your organization has turned on the feature, users will be sent to a screen to register for MFA when they log in. During registration, users can select one of the following as the second factor:

  1. Smartphone App
  2. Voice Call
  3. Email

SMARTPHONE APP

Our smartphone app is provided by PingID, and it can be downloaded from the Apple App Store (iOS) and Google Play (Android). Search for “PingID” and look for the app called PingID.

VOICE CALL

You can register a phone number to obtain your second factor. During login, an automated voice call to that number tells you a code to enter. Enter the code into the screen and submit to complete your login session.

EMAIL

Use an email address to obtain your second factor. This will send your temporary code to an email address during login. Enter the code into the screen to complete your login session.

MFA - Trusted Device

After you authenticate successfully using MFA, your device (e.g. laptop, desktop computer, mobile phone) will be recognized as a trusted device for a 30-day period. Trusted devices are those that have been used to log in successfully using the MFA feature. You will be required to run the MFA login process every 30 days for trusted devices, as the MFA trust expires at that time. Additionally, any time you log in from a new device for the first time you will be required to run through the MFA login process.
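
A sketch of how a server could enforce the 30-day trusted-device rule described above, using an HMAC-signed token stored on the device. This is an added example, not Vertafore's or PingID's code; the token layout, SERVER_KEY, the sample IDs and the function names are assumptions made for illustration.

```python
import hashlib
import hmac

TRUST_PERIOD_SECONDS = 30 * 24 * 60 * 60  # the 30-day trust window from the text
SERVER_KEY = b"constructed-demo-key"      # assumption: secret held only by the server


def _mac(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_trust_token(user_id, device_id, now):
    """Issue 'user|device|expiry|mac' after a successful MFA login."""
    if "|" in user_id or "|" in device_id:
        raise ValueError("ids must not contain the field separator")
    payload = f"{user_id}|{device_id}|{int(now) + TRUST_PERIOD_SECONDS}"
    return f"{payload}|{_mac(payload)}"


def mfa_required(token, user_id, device_id, now):
    """Return True when this login must run the full MFA process."""
    if not token:
        return True                       # new device: no trust token yet
    parts = token.split("|")
    if len(parts) != 4:
        return True                       # malformed token
    tok_user, tok_device, tok_expiry, tok_mac = parts
    expected = _mac("|".join(parts[:3]))
    # Constant-time comparison; verify the MAC before trusting any field.
    if not hmac.compare_digest(expected.encode(), tok_mac.encode()):
        return True                       # forged or altered token
    if (tok_user, tok_device) != (user_id, device_id):
        return True                       # token belongs to another user or device
    return int(now) >= int(tok_expiry)    # trust expires after 30 days


if __name__ == "__main__":
    t0 = 1_700_000_000                    # constructed login time (Unix seconds)
    tok = issue_trust_token("alice", "laptop-1", t0)
    print(mfa_required(None, "alice", "laptop-1", t0))             # new device
    print(mfa_required(tok, "alice", "laptop-1", t0 + 29 * 86400)) # still trusted
    print(mfa_required(tok, "alice", "laptop-1", t0 + 30 * 86400)) # trust expired
```

Signing the expiry together with the user and device IDs means a user cannot extend the trust window or copy the token to another device without the check failing.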

Let's Get Started

Step 1 - Turn on MFA for your organization

Multi-Factor Authentication is enabled at the agency level. The MFA feature is not turned on by default. To enable it for your organization, check the “Enable Multi-Factored Authentication” checkbox next to the feature and save the setting.

You can find the settings by going to Administration Center -> Agency Setup -> Agency Password Setup

Step 2 – Register a secondary factor with Ping

The next time you log into your MFA-enabled product, you will see a screen that asks you to set up your Multi-Factor Authentication. Please click on START.

The recommended option is the PingID App that can be installed on your smartphone. Once installed, you can scan the QR code on the screen or enter the pairing code manually. This is the recommended process, but you can also use the VOICE or EMAIL option at the bottom of the page to set up a phone number or email address to receive the Pairing Code.

Step 3 – User Flow

1. A user goes to https://ams360.com to log in as normal.

2. User enters their Agency Number, User ID and Password.

3. During the login attempt, the screen runs the MFA feature and asks the user to select from the factors they have registered.

4. A) If a smartphone is selected, the PingID application will send you a push notification prompting you to unlock your phone and open the app. The screen will show a “switch” that you need to swipe up to confirm access, or you can use Touch ID to authenticate.

   B) If you select the Voice Call or Email method, you will receive a call or email giving you a temporary code. Enter the code on the screen that follows.

5. When you complete the secondary factor you will see a success screen.

6. Congratulations, you have authenticated through MFA! You will now be redirected to AMS360.

REGISTRATION PROCESS

As mentioned earlier, when your agency has enabled MFA, users will be required to register with PingID. This registration will have to be done for each Vertafore solution you use. Here is the registration process.

Step by Step

1. First-time users are sent to the registration page.

2. If you want to use the PingID app, enter your email address to get a download link for your application. We recommend that you use the same email address that you use to log in to your Vertafore application.

3. You will be taken to the “Finish Pairing PingID” page.

4. On this page you can open the PingID mobile app that you previously downloaded (iOS or Android) and use the Manual Authentication option to scan the QR code on the page.

This will finish pairing your PingID app with your registration.

5. Additionally, instead of using the app code reader you can go to your email inbox on your mobile phone to review the registration email. Tap on the green button to finish pairing your device.

REGISTERING YOUR EMAIL OR PHONE NUMBER

If, instead of using the PingID app, you would prefer to get a temporary code via email or phone call, you can register one of those as your second factor.

Step by Step

1. When registering, click on the “I want to use a different authentication method” link.

2. This will allow you to select voice call or email.

3. Make your selection, and then verify using the code that is provided to you by voice call or email.

4. Now, any time you need to authenticate using these methods, simply enter the code that is given to you on your voice call or at your email address.

CHANGING YOUR SETTINGS

1. Any time you attempt to authenticate using MFA, you will see a settings button at the bottom of each authentication screen.

2. Click this button to enter the settings area of your Ping account. Remember each Vertafore solution that you use will have a separate registered account, so make sure you click the settings page that shows for each Vertafore Solution that you attempt to log in to.

3. On the settings area you can add another factor to your options. This way you can ensure you have more than just one secondary factor available to use.

4. To delete an existing registered method, click on the menu icon on the right for the given method.

5. You will have to authenticate with the existing registered method to approve editing and deleting.