Configuring 2-Factor Authentication Ingrid Multi-factor authentication (MFA) or 2-factor authentication (2FA) is an authentication method that provides an extra layer of security. It requires two or more pieces of evidence to an authentication mechanism in order for it to grant access to a website or application.Instead of immediately gaining access after entering a username and password, another piece of information is required. This additional factor can be: Something you know: Personal identification number (PIN), answers to secret questions, a specific keystroke pattern, etc. Something you have: The card verification value (CVV) of a credit card, a smartphone, a small hardware token, etc. Something you are: Biometric patterns, such as fingerprints, iris scans, voice recognition, etc. Permissions Admin can require users to configure 2FA. Admin can reset 2FA to allow users to reconfigure 2FA. Users can configure 2FA for their own account. Step 1: Configure 2FA for Your AccountTo configure 2FA, go to the Two-Factor Authentication section in the User Preferences tab of the Account page. Use any of the following methods to add the Bitsight secret to a Time-based One Time Password (TOTP) app and enable 2FA: Configure your mobile app via a QR code, which is the encoding of the TOTP URL. For some apps (e.g., 1Password), copy the URL and paste it into the corresponding field. For apps (e.g., OTP Manager) that require multiple fields, fill in the fields. Issuer – Distinguish different services. User – Distinguish different users on the same service. The TOTP secret. After adding the Bitsight secret to the app, enter the 6-digit code to enable the feature.Ten recovery codes are automatically generated. We recommend downloading these as a text file (.txt), ensuring it’s safe yet easily accessible. Only the number of remaining, unused recovery codes will be displayed, with no option to display them again. If all ten codes are used, another batch of codes can be generated.To disable 2FA, enter a verification code or one of the recovery codes.Step 2: Enforce 2FA2FA can be enforced by Admin either for all users or on a per user basis. To require a particular user to implement 2FA, select Options ➔ Require 2FA in the Users tab of the Access Control page. To require all users to implement 2FA, select the “Require Two-Factor Authentication for all users” option in the Require Two-Factor Authentication section of your Account User Preferences page. All users will be required to configure 2FA upon their next login. Following the above steps, the user(s) will be sent an email to configure 2FA or they can go directly to their Account settings.Troubleshooting: Reset 2FA for a UserIf a user has lost access to their authentication mechanism, resetting 2FA allows them to reconfigure 2FA and set up a new mechanism. They can request a reset from the login page.If a user requests to reset 2FA, select Options ➔ Reset 2FA in the Users tab of the Access Control page. They are sent an email to reconfigure 2FA or they can go directly to their Account settings. Refer them to Step 1: Configure 2FA for Your Account.Integrating Your Authenticator via SAMLWith SAML, you can integrate existing corporate authentication mechanisms or use a custom service provided by a third party, which might have rich authentication mechanisms. Policies such as requiring 2FA if the user is logging in outside business hours or from a country outside the US can be configured on the SAML identity provider.Frequently Asked QuestionsWhat happens if I lose my device and forget to save the recovery codes?Contact your Admins directly or with the link on the login form to request a 2FA reset. You will receive an email to reconfigure 2FA.Can I enforce 2FA?2FA can be enforced by Admin either for all users or per user. Users cannot enforce 2FA if they are not an Admin. September 7, 2021: Updated requirements to enforce 2FA. June 3, 2021: Published. Related articles SAML Setup Subsidiaries API Endpoint TLS/SSL Finding Remediation & Remediation Verification Microsoft Entra ID (Azure AD) Integration Guide What is a Bitsight Security Rating? Feedback 0 comments Please sign in to leave a comment.