- September 7, 2021: Updated requirements to enforce 2FA.
- June 3, 2021: Published.
Multi-factor authentication (MFA), or two-factor authentication (2FA), is an authentication method that adds an extra layer of security beyond the password.
- Admin can require users to configure 2FA.
- Admin can reset 2FA to allow users to reconfigure 2FA.
- Users can configure 2FA for their own account.
See user permissions.
- Configuring 2FA for Your Account
- Enforcing 2FA
- Integrating Your Authenticator via SAML
- Resetting 2FA
Configuring 2FA for Your Account
To configure 2FA, go to the Two-Factor Authentication section of your Account User Preferences page. Use any of the following methods to add the Bitsight secret to a Time-based One Time Password (TOTP) app and enable 2FA:
- Configure your mobile app by scanning the QR code, which is an encoding of the TOTP URL.
- For some apps (e.g., 1Password), copy the URL and paste it into the corresponding field.
- For apps (e.g., OTP Manager) that require multiple fields, fill in the fields:
  - Issuer – distinguishes between different services.
  - User – distinguishes between different users on the same service.
  - The TOTP secret.
After adding the Bitsight secret to the app, enter the 6-digit code the app generates to enable the feature.
Ten recovery codes are automatically generated. We recommend downloading these as a text file (.txt) and storing it somewhere safe yet easily accessible. Afterwards, only the number of remaining, unused recovery codes is displayed; there is no option to display the codes themselves again. If all ten codes are used, another batch of codes can be generated.
To disable 2FA, enter a verification code or one of the recovery codes.
Enforcing 2FA
To enforce 2FA, you must configure 2FA for your own account first. See Configuring 2FA for Your Account.
- To require all users to implement 2FA, select the “Require Two-Factor Authentication for all users” option in the Require Two-Factor Authentication section of your Account User Preferences page. All users will be required to configure 2FA upon their next login.
  They are sent an email to configure 2FA, or they can go directly to their Account settings. Refer them to the instructions in the “Configuring 2FA for Your Account” section.
Integrating Your Authenticator via SAML
With SAML, you can integrate existing corporate authentication mechanisms or use a custom service provided by a third party, which might offer richer authentication mechanisms. Policies such as requiring 2FA when a user logs in outside business hours or from a country outside the US can be configured on the SAML identity provider.
Resetting 2FA
If a user has lost access to their authentication mechanism, resetting 2FA allows them to reconfigure 2FA and set up a new mechanism. They can request a reset from the login page.