Multi-Factor Authentication
Summary
Multi-Factor Authentication (MFA) is a security process that authenticates users using more than one method of verification. Rather than having users log in with only a password, MFA requires that users log in using two methods. By using more methods than just a username and password, you can support stronger security practices for users accessing your applications.
Authenticating a user is done to help ensure only authorized users are able to get into an application. A user name and password is the typical way to have users gain access, but in certain scenarios you may want to require more security steps than that.
A user name and password is something unique that only an authorized user would have. This is secret knowledge to them, and is considered a Knowledge Factor. There are other types of factors to consider, and for a login process to be defined as MFA you need to use at least two factors across three factor categories. The categories are:
- Knowledge Factors: Something you know
- Possession Factors: Something you have
- Inherence Factors: Something you are
As mentioned earlier, a user name and password counts as a knowledge factor. This is something only a user should know. To qualify as MFA, a login would also have to require a secondary factor in the Possession or Inherence categories. Here are examples of the secondary factors that are available with our MFA feature:
- Emailed Security Token
- Smartphone App (provided by Ping ID)
- Voice call with temporary token
The three examples above are all possession factors, as the temporary tokens and the smartphone app count toward ‘something you have’. Any one of the above combined with a username and password will qualify for our Multi-Factor Authentication, because a Knowledge Factor (password) and a Possession Factor (temporary token) are both being used to authenticate.
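The category rule above can be checked mechanically when reviewing login records. The following is an added example, not code from the product or from PingID; the method labels (`password`, `email_token`, `pingid_app`, `voice_call_token`) and the sample records are constructed for illustration. It shows that two factors from the same category do not qualify, and that an unrecognised method is treated as not qualifying.

```python
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Hypothetical labels for the factors this page lists, mapped to their category.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "email_token": Category.POSSESSION,
    "pingid_app": Category.POSSESSION,
    "voice_call_token": Category.POSSESSION,
}


def categories_used(methods):
    """Return the set of factor categories covered by the given methods.

    Raises ValueError for a method that is not in the mapping, so an
    unclassified method can never silently count toward MFA.
    """
    unknown = [m for m in methods if m not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unclassified methods: {unknown}")
    return {FACTOR_CATEGORY[m] for m in methods}


def qualifies_as_mfa(methods):
    """True only if the methods span at least two different categories."""
    try:
        return len(categories_used(methods)) >= 2
    except ValueError:
        return False  # fail closed on anything we cannot classify


def audit(logins):
    """Return the users whose recorded login did not meet the MFA definition."""
    return [user for user, methods in logins if not qualifies_as_mfa(methods)]


# Constructed sample records: (user, methods presented at login).
SAMPLE_LOGINS = [
    ("alice", ["password", "pingid_app"]),            # knowledge + possession
    ("bob", ["password"]),                            # single factor
    ("carol", ["email_token", "voice_call_token"]),   # two factors, one category
    ("dave", ["password", "security_question"]),      # unclassified method
]
```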
How It Works
After your organization has turned on the feature, users will be sent to a screen to register for MFA the next time they log in. During registration, users can select one of the following for the second factor:
- Smart Phone App
- Voice Call
SMART PHONE APP
Our smart phone app is provided by PingID, and it can be downloaded from the iOS and Android stores. Search for “PingID” and look for the app called PingID.
VOICE CALL
You can register a phone number to obtain your second factor. During login, an automated voice call to your phone number will tell you a code to enter. Enter the code into the screen and submit to complete your login.
EMAIL
Use an email address to obtain your second factor. This will send your temporary code to an email address during login. Enter the code into the screen to complete your login.
After you authenticate successfully using MFA, your device (e.g. laptop, desktop computer, mobile phone) will be recognized for a 12-hour period as a trusted device. Trusted devices are those that have been used to log in successfully using the MFA feature. You will be required to run the MFA login process every 30 days for trusted devices, as the MFA trust will expire at that time. Additionally, any time you log in from a new device for the first time, you will be required to run through the MFA login process.
Let's Get Started
Multi-Factor Authentication is available for opt-in at the agency level. The MFA feature is not turned on by default. To enable it for your organization, check the “opt-in” box next to the feature and save the setting.
An Agency Administrator or Location Administrator (if no Agency Administrator) can opt in to MFA for PL Rating. On the Admin Menu, choose Manage Agency Information. Check the box beside Use Multi-Factor Authentication.
The next time you log into your MFA-enabled product, you will see the screen (shown below) that asks you to set up your Multi-Factor Authentication. Please click on START.
The recommended option is the PingID App that can be installed on your smartphone. Once installed, you can scan the QR code on the screen or enter the pairing code manually. This is the recommended process, but you can also use the VOICE or EMAIL option at the bottom of the page to set up a phone number or email address to receive the Pairing Code.
1. A user goes to https://rating.vertafore.com to log in as normal.
2. The user enters their Account ID, Username and Password.
3. During the login attempt, the screen runs the MFA feature and asks the user to select from the factors they had registered:
   A.) If a smart phone is selected, the PingID application will send you a push notification for you to unlock your phone and open the app. The screen will show a “switch” that you need to swipe up to confirm access:
   B.) If you select the Voice call or Email method, then you will receive a call or email giving you a temporary code to enter. Enter the code in the following screen:
4. When you complete the secondary factor you see a success screen:
5. Congratulations, you have authenticated through MFA. You will now be redirected to your product.
REGISTRATION PROCESS
As mentioned earlier, when your agency has opted-in for MFA, users will be required to register with Ping ID. This registration will have to be done for each Vertafore solution you use. Here is the registration process:
1. First time users are sent to the registration page:
2. If you want to use the Ping ID app, enter your email address to get a download link for your application. Use the same email address that you use to log in to your Vertafore application.
3. You will be taken to the “Finish Pairing Ping ID” page:
4. On this page you can open the Ping ID mobile app that you previously downloaded (iOS or Android store) and use the Manual Authentication option to QR scan the code on the page.
This will finish pairing your Ping ID app with your registration.
5. Additionally, instead of using the app code reader you can go to your email inbox on your mobile phone to review the registration email. Tap on the green button to finish pairing your device.
REGISTERING YOUR EMAIL OR PHONE NUMBER
If instead of using the Ping ID app you would prefer to get a temporary code via email address or phone call, you can also register one of those as your second factor.
1. When registering, click on the “I want to use a different authentication method” link.
2. This will allow you to select voice call or email:
3. Make your selection, and then verify using the code that is provided to you by voice call or email.
4. Now any time you need to authenticate using these methods simply enter the code that is given to you on your voice call or at your email address.
1. At any time you attempt to authenticate using MFA, you will see a settings button at the bottom of each authentication screen.
2. Click this button to enter the settings area of your Ping account. Remember each Vertafore solution that you use will have a separate registered account, so make sure you click the settings page that shows for each Vertafore Solution that you attempt to log in to.
3. On the settings area you can add another factor to your options. This way you can ensure you have more than just one secondary factor available to use.
4. To delete an existing registered method, click on the menu icon on the right for the given method.
5. You will have to authenticate the existing registered method to approve editing and deleting.