Security Performance Management
Continuous Monitoring
Cyber Insurance
National Cybersecurity

Articles in this section

See more

Configuring 2-Factor Authentication

Avatar
Ingrid
Follow
  • September 7, 2021: Updated requirements to enforce 2FA.
  • June 3, 2021: Published.

Multi-factor authentication (MFA) or 2-factor authentication (2FA) is an authentication method that provides an extra layer of security.

  • Admin can require users to configure 2FA.
  • Admin can reset 2FA to allow users to reconfigure 2FA.
  • Users can configure 2FA for their own account.

See user permissions.

Configuring 2FA for Your Account

To configure 2FA, go to the Two-Factor Authentication section of your Account User Preferences page. Use any of the following methods to add the Bitsight secret to a Time-based One Time Password (TOTP) app and enable 2FA:

  • Configure your mobile app via a QR code, which is the encoding of the TOTP URL.
  • For some apps (e.g., 1Password), copy the URL and paste it into the corresponding field.
  • For apps (e.g., OTP Manager) that require multiple fields, fill in the fields.
    • Issuer – Distinguish different services.
    • User – Distinguish different users on the same service.
    • The TOTP secret.

After adding the Bitsight secret to the app, enter the 6-digit code to enable the feature.

Ten recovery codes are automatically generated. We recommend downloading these as a text file (.txt), ensuring it’s safe yet easily accessible. Only the number of remaining, unused recovery codes will be displayed, with no option to display them again. If all ten codes are used, another batch of codes can be generated.

To disable 2FA, enter a verification code or one of the recovery codes.

Enforcing 2FA

To enforce 2FA, you must configure 2FA for your own account first. See Configuring 2FA for Your Account.

  • To require a particular user to implement 2FA, select [(⋮) Icon] Options[Lock Icon] Require 2FA in the Users tab of the Access Control page.
  • To require all users to implement 2FA, select the “Require Two-Factor Authentication for all users” option in the Require Two-Factor Authentication section of your Account User Preferences page. All users will be required to configure 2FA upon their next login.

They are sent an email to configure 2FA or they can go directly to their Account settings. Refer them to the instructions in the “Configuring 2FA for Your Account” section.

Integrating Your Authenticator via SAML

With SAML, you can integrate existing corporate authentication mechanisms or use a custom service provided by a third party, which might have rich authentication mechanisms. Policies such as requiring 2FA if the user is logging in outside business hours or from a country outside the US can be configured on the SAML identity provider.

Resetting 2FA

If a user has lost access to their authentication mechanism, resetting 2FA allows them to reconfigure 2FA and set up a new mechanism. They can request a reset from the login page.

If a user requests to reset 2FA, select [(⋮) Icon] Options[Lock Icon] Reset 2FA in the Users tab of the Access Control page. They are sent an email to reconfigure 2FA or they can go directly to their Account settings. Refer them to the instructions in the “Configuring 2FA for Your Account” section.

Related articles