Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) can now be set up on Smartabase.
Multi-factor authentication means that in addition to using their Smartabase username and password, users will also need to verify their identity using a PIN sent by SMS or email to the mobile number or email address set up on the user's account.
MFA can be enabled as a site-wide setting so that all users on your implementation need to complete the authentication steps before they can log in, OR it can be set just for users in a specific Role. The set-up procedure is described in the following sections.
MFA can be set up using the following methods:
Builder site: Application Details, whereby ALL users on the system will need to be authenticated via a PIN.
Administration site: Roles, whereby MFA can be enabled ONLY on specific Roles, which means that, for example, Medical Staff can have it set while an athlete may not.
NOTE: If MFA is set for a Role with an expiry period, AND that period is shorter than the expiry period set on the Application Details, the Role's period supersedes the expiry period set on the Application Details. The converse is NOT true: a longer expiry period on a Role will not supersede the expiry period on the Application Details.
To set it up for ALL users on your Smartabase site, go to the Builder Site and open the Application Details.
EXPIRY PERIOD: -1 means NO expiry period applies.
The expiry period is the duration (in months) after which the user needs to re-authenticate.
The expiry period can be set to -1, 0, or 1 or greater:
- -1 means that there is no expiry period and users do not have to re-authenticate. Once they have authenticated once, this will suffice.
- 0 means that they will need to authenticate EACH time they log in, as the authentication expires immediately.
- 1 or greater means that they will need to authenticate again once that number of months has elapsed since their most recent authentication.
N.B. If an expiry period is added at some point in the future, expiry of authentication will be counted from the point in time when the user most recently authenticated. Updating the expiry period does not change the point from which Smartabase counts; it simply changes the length of time allowed since the last authentication.
If a period is required (either on first set-up, or at some time in the future) the duration needs to be set in months.
Set the duration in months, e.g. 1, 2, 3, 13, 24 etc.
As soon as MFA is enabled on the site (or via a Role, as outlined in the following steps) this will be a "live" feature, and users with MFA WILL have to authenticate themselves on a device AND/OR browser during their next login.
If a user is logged in while MFA is enabled, the user will NOT be logged off. It just means that the next time they log in they will need to authenticate.
To set up MFA on a Role by Role Basis
A Role can be enabled to have MFA. This can be set up WITH or WITHOUT MFA being enabled on the Application Details. If it is NOT enabled on the Application Details and is ONLY enabled for a Role, this gives organisations the flexibility to require authentication only from the users who need it, such as Doctors, Coaches or other staff, while other users do NOT need to authenticate.
Alternatively, if MFA IS enabled on the Application Details, a Role can also be set up to have MFA. This would usually only be done if a shorter expiry period was needed for the Role (again, this might be applicable for a Doctor or Medical staff member).
To set up MFA for a Role go to the Roles module on the Administration Site.
Open the Role required.
MFA needs to be enabled in the Role settings.
Add in the desired expiry period.
In the example above a 6-month period has been set. This means that ANY users in the Role called "Mobile Coach" will need to authenticate on ALL browsers/devices 6 months after first authenticating.
N.B. If a new user is added to this Role, they will be required to authenticate 6 months after first authenticating: so if they already verified their details on a device 3 months ago, that verification will expire 3 months after they are added, OR if they have not verified at all, they need to authenticate on login and again 6 months after being added to the Role.
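The two rules above (the Role period only shortening the Application Details period, and the expiry clock running from the last verification rather than from when a user joins a Role) are easy to misread, so here is a small model of them. This is an added example written for this page, not Smartabase code; the function names, the ISO date strings and the scenario dates are all assumptions.

```python
from calendar import monthrange
from datetime import datetime

# Example written for this page to model the documented expiry rules; it is
# not Smartabase code. Dates are ISO strings such as "2024-01-31".
NO_EXPIRY = -1    # -1: verify once per browser/device, never again
EVERY_LOGIN = 0   # 0: PIN required at every login

def _rank(period):
    """Order expiry values by how soon they expire: 0 soonest, -1 never."""
    return float("inf") if period == NO_EXPIRY else period

def effective_expiry(app_expiry, role_expiry):
    """Combine the Application Details period with a Role period (None = MFA
    not enabled at that level). A Role period counts only when it is shorter
    than the site-wide one; a longer Role period (or -1) never extends it."""
    if app_expiry is None:
        return role_expiry
    if role_expiry is None:
        return app_expiry
    return min(app_expiry, role_expiry, key=_rank)

def add_months(when, months):
    """Calendar-month arithmetic, clamping the day (31 Jan + 1 -> 28/29 Feb)."""
    index = when.month - 1 + months
    year, month = when.year + index // 12, index % 12 + 1
    return when.replace(year=year, month=month,
                        day=min(when.day, monthrange(year, month)[1]))

def reauth_required(expiry, last_verified, now):
    """True if this browser/device must pass ID Verification again at login.
    expiry: effective period in months (None = MFA off for this user).
    last_verified: ISO date this browser/device last passed the PIN step, or
    None if never. The clock runs from that verification, not from when the
    period was set or the user was added to the Role."""
    if expiry is None:
        return False
    if last_verified is None or expiry == EVERY_LOGIN:
        return True
    if expiry == NO_EXPIRY:
        return False
    expires_on = add_months(datetime.fromisoformat(last_verified), expiry)
    return datetime.fromisoformat(now) >= expires_on

if __name__ == "__main__":
    # Constructed: 6-month Role, no site-wide MFA; coach verified Chrome 1 Jan, added to Role 1 Apr.
    period = effective_expiry(None, 6)
    print(reauth_required(period, "2024-01-01", "2024-04-01"))  # False
    print(reauth_required(period, "2024-01-01", "2024-07-01"))  # True
```

Note that a Role set to -1 never overrides a site-wide period, because -1 is the longest possible period, not the shortest.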
The authentication steps are outlined here:
Go to the USER LOGIN page.
NOTE: If any consents have been added or are required, the consent forms will appear BEFORE the MFA screen.
As soon as the user clicks "LOGIN" the ID Verification screen will appear AND the PIN required for authentication will be e-mailed AND/OR texted to the user who is logging in.
This is an example of the email that was sent (to the e-mail address listed for the coach user); it includes a 6-digit PIN that is ONLY valid for 5 minutes after it is sent.
This is an example of the text message sent to the number listed as the Mobile phone on the user's account page.
The PIN MUST be entered on the ID Verification page WITHIN 5 MINUTES OF THE VERIFICATION BEING SENT. Once entered, the CONTINUE button will be selectable.
The login occurs and the home screen appears.
WARNING: If the PIN is NOT entered within 5 minutes of being sent, it WILL expire and the user will need to request a new PIN by selecting "Resend PIN" (shown below).
A USER MUST verify themselves on ANY browser they use (e.g. a separate verification for Chrome, Firefox and Safari) and on each site/application (main site, iOS or Android) they log in to.
In the example images above, the coach user needed to authenticate separately in each browser they logged in with.
Verification is only needed once per browser on a site, not for each part of the application viewed in that browser (e.g. builder/admin/main app). The mobile apps (iOS and Android) need verification separate from m.html viewed in a mobile browser.
Verification is needed when using the online site, m.html, and the iOS and Android apps.
Once a device/browser is verified, it appears in the list of verified devices on the User's account in the Administration Site AND on the Smartabase application on the user's account page.
An Admin can remove Registered Devices
Any Smartabase Administrator can remove device authentications for a User. This means that if a user's device goes missing or is compromised, an Administrator can remove the registered device for that user, so that the next login from it requires a fresh PIN verification. The following outlines how to achieve this.
To remove a registered device, click "Remove".
Note: if a device was removed accidentally, this simply means the user needs to go through the verification step again.
A user can also remove devices directly from their own account page.
Below their account information, a Registered Devices table appears with a list of all authenticated devices.