Multi-Factor Authentication
Summary
Multi-Factor Authentication (MFA) is a security process that authenticates a user with more than one kind of evidence. Rather than simply having users sign in with a password, MFA requires that users complete two different sign-in methods. By requiring more than a username and password, you support stronger security for users accessing your applications.
Further Defined
Authenticating a user helps ensure that only authorized users are able to get into an application. A username and password is the typical way to grant users access, but in certain scenarios you may want to require additional security steps.
A username and password is something unique that only an authorized user should have. It is secret knowledge, and is considered a Knowledge Factor. There are other types of factors to consider, and for a sign-in process to be defined as MFA you need to use at least two factors drawn from different categories. There are three factor categories:
• Knowledge Factors – Something you know
• Possession Factors – Something you have
• Inherence Factors – Something you are
As mentioned earlier, a username and password counts as a knowledge factor: it is something only the user should know. To qualify as MFA, you must also require a secondary factor from the Possession or Inherence category. These are the secondary factors available with our MFA feature:
• Emailed Security Token
• Smartphone App (provided by PingID)
• Voice call with temporary token
The three examples above are all possession factors, as the temporary tokens and the smartphone app count as ‘something you have’. Any one of them combined with a username and password qualifies as Multi-Factor Authentication, because a Knowledge Factor (password) and a Possession Factor (temporary token) are both being used to authenticate.
HOW IT WORKS
Options
After your organization has turned on the feature, any users upon signing in will be sent to a screen to register for MFA. During the registration, users can select one of the following for the second factor:
1. Smart Phone App
2. Voice Call
3. Email
Smart Phone App
Our smartphone app is provided by PingID, and it can be downloaded from the iOS and Android app stores. Search for “PingID” and look for the app called PingID. Look for this icon:
Voice Call
You can register a phone number to obtain your second factor. This will authenticate during signin by calling your phone number with an automated voice call telling you a code to enter. Enter the code into the screen and submit to complete your signin session.
Email
Use an email address to obtain your second factor. A temporary code will be sent to that email address during signin. Enter the code into the screen to complete your signin session.
MFA- Trusted Device
After you authenticate successfully using MFA, your device (e.g. laptop, desktop computer, mobile phone) will be recognized as a trusted device for a 12-hour period. Trusted devices are those that have been used to sign in successfully using the MFA feature. Because the MFA trust expires after 12 hours, you will be required to run the MFA signin process again every 12 hours on a trusted device. Additionally, any time you sign in from a new device for the first time, you will be required to run through the MFA signin process.
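The two rules above (a sign-in only counts as MFA when the factors span two categories, and a device is trusted for 12 hours after a successful MFA sign-in) can be modelled in a few lines. The following is an added example written for this page, not Vertafore or PingID code; the factor names, the `device_id` string (the page does not say how a device is identified), and the timestamps are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

TRUST_WINDOW = timedelta(hours=12)  # trusted-device period stated on the page


class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Factor labels are this example's own. The password and the three possession
# factors match the page; "security_question" and "fingerprint" are constructed
# only to show a second knowledge factor and an inherence factor for contrast.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,   # constructed
    "emailed_token": Category.POSSESSION,
    "pingid_app": Category.POSSESSION,
    "voice_call_token": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,         # constructed
}


def qualifies_as_mfa(completed_factors):
    """True only if the completed factors span at least two distinct categories.

    Two factors from the same category (password + security question, or
    app + voice call) are not MFA, however many of them there are.
    """
    unknown = set(completed_factors) - FACTOR_CATEGORY.keys()
    if unknown:
        raise ValueError(f"unknown factor(s): {sorted(unknown)}")
    return len({FACTOR_CATEGORY[f] for f in completed_factors}) >= 2


class TrustedDeviceRegistry:
    """Remembers when each device's MFA trust expires (TRUST_WINDOW after success)."""

    def __init__(self):
        self._trusted_until = {}  # device_id -> expiry datetime (UTC)

    def mfa_required(self, device_id, now):
        """A never-seen device or an expired trust window both require the full MFA flow."""
        expiry = self._trusted_until.get(device_id)
        return expiry is None or now >= expiry

    def record_mfa_success(self, device_id, completed_factors, now):
        """Grant trust only for a sign-in that genuinely used two factor categories."""
        if not qualifies_as_mfa(completed_factors):
            raise PermissionError("factors do not span two categories; not an MFA sign-in")
        self._trusted_until[device_id] = now + TRUST_WINDOW
        return self._trusted_until[device_id]


def example_timeline():
    """Constructed walk-through; returns whether MFA was required at each step."""
    registry = TrustedDeviceRegistry()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    steps = []
    steps.append(registry.mfa_required("laptop-1", t0))          # first sign-in: required
    registry.record_mfa_success("laptop-1", ["password", "pingid_app"], t0)
    steps.append(registry.mfa_required("laptop-1", t0 + timedelta(hours=11, minutes=59)))  # still trusted
    steps.append(registry.mfa_required("laptop-1", t0 + TRUST_WINDOW))  # window expired: required
    steps.append(registry.mfa_required("phone-1", t0))           # new device: required
    return steps


if __name__ == "__main__":
    print(example_timeline())  # [True, False, True, True]
```

The registry checks `now >= expiry` so the trust lapses exactly at the 12-hour mark rather than one tick later, and it refuses to mark a device trusted unless the factors actually span two categories, which keeps a password-plus-security-question sign-in from ever earning device trust.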
LET'S GET STARTED
Step 1- Turn on MFA for your organization
Multi-Factor Authentication is available for opt-in at the agency level and is not turned on by default. To enable it for your organization, log in to the VSSO admin portal as an admin user, select the checkbox next to the feature, and save the setting. The checkbox is located on the “My Organization” tab.
Step 2- Register a secondary factor with Ping
The next time you log into your MFA-enabled product, you will see the screen (shown below) that asks you to set up your Multi-Factor Authentication. Please click on START.
The recommended option is the PingID App that can be installed on your smartphone. Once installed, you can scan the QR code on the screen or enter the pairing code manually. This is the recommended process, but you can also use the VOICE or EMAIL option at the bottom of the page to set up a phone number or email address to receive the Pairing Code.
Step 3- User Flow
1. A user goes to their VSSO enabled Vertafore product to sign in as normal.
2. User enters their username and password.
3. During signin attempt, the screen runs the MFA feature, and asks the user to select from the factors they had registered:
4. A) If the smartphone app is selected, the PingID application will send the user a push notification to unlock their phone and open the app. The screen will show a “switch” that they need to swipe up to confirm access:
B) If the user selects the Voice Call or Email method, they will receive a call or email with a temporary code to enter. Enter the code in the following screen:
5. When a user completes the secondary factor, they see a success screen:
6. Congratulations! A user has now authenticated through MFA. They will be redirected to your product.
REGISTRATION PROCESS
When your agency has opted-in for MFA, users will be required to register with Ping ID or get a temporary code via email or phone call. This registration will have to be done for each Vertafore solution they use. Here is the process for Ping ID.
Ping ID Pairing
1. First time users are sent to the registration page:
2. To use the Ping ID app, users will enter their email address to get a download link. This should be the same email address used to log onto the Vertafore application.
3. They will be taken to the Finish Pairing Ping ID page.
4. On this page, users can open the Ping ID mobile app previously downloaded (through the iOS or Android store) and use the Manual Authentication option to scan the QR code on the page. This will finish pairing the Ping ID app.
5. Instead of using the app QR code reader, users can also go to the email inbox on their mobile phone to review the registration email. They can tap on the green button to finish pairing.
Registering an Email or Phone Number
Rather than downloading the Ping ID app, users can choose to register by receiving a temporary code through voice call or email.
1. When registering, click on the “I want to use a different authentication method” link.
2. Select either voice call or email.
3. Verify the code provided by voice call or email.
4. Any time users need to authenticate using these methods, they enter the code that is delivered by voice call or email.
CHANGING YOUR SETTINGS
1. Any time you attempt to authenticate using MFA, you will see a settings button at the bottom of each authentication screen.
2. Click this button to enter the settings area of your Ping account. Remember that each Vertafore solution you use will have a separate registered account, so make sure you click the settings page for each Vertafore solution.
3. In the settings area, you can add another factor to your options. This way, you can ensure you have more than one secondary factor available to use.
4. To delete an existing registered method, click on the menu icon on the right of the method.
5. You will have to authenticate with an existing registered method to approve editing or deleting.
6. You have successfully edited your method settings!