
Multi-Factor Authentication

To enable Multi-Factor Authentication (MFA) and start using one-time passwords, follow these steps:

Quick Step List
  1. Log in, then click on your name. In the dropdown, click Security (the security page was formerly the passwords page).
  2. Click Change Multifactor Authentication Settings to open the Multi-Factor Authentication settings page.
  3. Choose to disable MFA or enable one-time passwords.
  4. Click Send One-Time Password To Email, then go to your email and copy your one-time password.
  5. Enter your one-time password as well as your current password, then click Submit.

  [Image: The security setting in the menu.]

  The one-time password is only valid for 15 minutes. If the password has expired, a new one will be generated.

    Step-by-Step Instructions

    Enabling MFA

    1. Log in, then click on your name. In the dropdown, click Security.
    2. Find the Multi-Factor Authentication section. If MFA is enabled on the site, this section appears below the password section. It shows the current MFA status and the user's current settings, and includes a button to manage the settings.
    3. Manage MFA Settings
      Click the Change Multifactor Authentication Settings button at the bottom of the page to open the Multi-Factor Authentication settings.


    Managing MFA Settings

    1. Access MFA Settings Page
      On the Multi-Factor Authentication settings page, you can either:

      • Disable MFA, or
      • Enable one-time passwords.

      Currently, these are the only options available.

      [Image: The multi-factor authentication settings page.]

    2. Save Your Changes
      To save your changes, click Send One-Time Password To Email, then enter:

      • Your current password, and
      • A one-time password (OTP).

    3. Send a One-Time Password (OTP)

      • To receive an OTP, click the button to send it to your registered email address.

        [Image: The message displayed after clicking the send email button.]

      • The OTP will be sent to you by email and is only valid for 15 minutes after it is generated.
      • After 15 minutes, the OTP expires, and you will need to generate a new one.

    4. Enter the OTP

      [Image: An example of a one-time password email.]

      • Enter the OTP in the box below the current password field.
      • Press Submit to confirm your changes and update your MFA settings.


    [Image: Entering a one-time password.]

    OTP Expiry: Any unused OTPs will be invalidated if a new OTP is generated, even if they haven't expired yet.

    OTP Email Format: The OTP email will follow the template set for your account.

    Session Storage: Once you enter an OTP, it is stored in your session data. If you clear your browser's local storage, you'll need to enter a new OTP.

    Different Devices: OTPs do not persist across different browsers or devices. If you log in from another device, you'll be prompted to enter a new OTP.
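
The expiry and invalidation rules above, written out as an added example (not the product's own code). The names OtpStore, issue and verify are hypothetical, and the 6-digit code, the in-memory store, hashed storage and consuming a code on first success are assumptions the page does not state.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 15 * 60  # the page: valid for 15 minutes after generation


class OtpStore:
    """In-memory store holding at most one live OTP per user (assumed design)."""

    def __init__(self):
        self._live = {}  # user -> (sha256 digest of code, issued_at in seconds)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user, now):
        # Assumption: 6-digit numeric code from a CSPRNG; the page gives no format.
        code = f"{secrets.randbelow(10**6):06d}"
        # Overwriting the entry invalidates any earlier unused OTP,
        # even one that has not yet expired.
        self._live[user] = (self._digest(code), now)
        return code

    def verify(self, user, code, now):
        entry = self._live.get(user)
        if entry is None:
            return False
        digest, issued_at = entry
        if now - issued_at > OTP_TTL_SECONDS:
            del self._live[user]  # expired: a new OTP has to be generated
            return False
        # Constant-time comparison of the stored and submitted digests.
        if not hmac.compare_digest(digest, self._digest(code)):
            return False
        del self._live[user]  # assumption: a code is consumed on first success
        return True
```

The page does not mention a limit on failed attempts; a short numeric code would normally be paired with one.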


    Logging In with MFA

    1. Login as Usual
      Enter your username and password as normal.

    2. OTP Prompt
      After each regular login, you'll be prompted to enter a one-time password before you can access the site.

    3. Accessing Other Pages
      You will be redirected to the OTP screen when accessing any page other than:

      • /login – Login page
      • /logout – Logout page
      • /one_time_password – OTP entry screen
      • /account/send_email – Send OTP email
      • /account/multiauth – Multi-auth settings page

      If you do not have one-time passwords set up on your account but the site has one-time passwords set as required, you will instead be redirected to the multi-authentication setup page. You will not be able to move away from this page until you complete the setup.

    4. Complete OTP Entry
      [Image: The one-time password screen.]

      The page works just like the setup, with a button to send a new one-time password to your email address. Enter your OTP, submit it, and you'll be able to access the rest of the site.