Multifactor Authentication for Site Administrators
Related: User Experience When MFA is Enabled
In this Article:
- Enabling MFA for a Site
- Requiring MFA per User Role
- Reporting on MFA
- Verifying the MFA Email Was Sent to the User
- MFA Cookie
- Notes and Known Issues
Enabling MFA for a Site
Visit the Admin > Site Settings page and look in the Authentication section for 'Multi-Factor Auth Enable'.
Requiring MFA per User Role
- Administrators can require MFA by user role on the Admin > Site Settings page.
- Note well the notice shown below the list of user roles: "Users whose role has the API Access permission will not be required to implement MFA."
Do not select the Pro Bono Restricted Access role. That role is not yet supported, and requiring MFA for it will prevent its users from logging in.
Reporting on MFA
There are two fields on the System Users table that are related to MFA. One field is a boolean that records whether MFA is enabled, and the other is a lookup that stores which MFA mechanisms are in use (Email and/or Mobile Device App). A sample report about all users and whether they have MFA enabled can be found in Example Reports.
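One way to review such a report after exporting it, as an added example (not LegalServer code): the script flags users in MFA-required roles who have not enabled MFA, users whose role has API Access and so are not required to use MFA, and a Pro Bono Restricted Access role mistakenly selected for MFA. The CSV column names, the sample rows and the role names other than Pro Bono Restricted Access are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample of an exported user report. The column names are
# assumptions, not LegalServer's actual export headers.
SAMPLE_EXPORT = """\
login,role,mfa_enabled,mfa_mechanisms
adavis,Administrator,true,Email;Mobile Device App
bchen,Staff Attorney,false,
csmith,Integration,false,
dlopez,Pro Bono Restricted Access,false,
fnguyen,Intake,true,Email
"""

PRO_BONO_ROLE = "Pro Bono Restricted Access"  # role the article says not to select


def audit_mfa(export_text, required_roles, api_access_roles):
    """Classify users by MFA exposure.

    required_roles:   roles selected for MFA on Admin > Site Settings.
    api_access_roles: roles holding the API Access permission; per the
                      notice on that page they are not required to use MFA.
    """
    findings = {"missing": [], "api_exempt": [], "email_only": [], "misconfigured": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        login, role = row["login"].strip(), row["role"].strip()
        enabled = row["mfa_enabled"].strip().lower() == "true"
        mechanisms = {m.strip() for m in row["mfa_mechanisms"].split(";") if m.strip()}
        if role == PRO_BONO_ROLE and role in required_roles:
            findings["misconfigured"].append(login)  # role would be locked out
        elif role in api_access_roles and not enabled:
            findings["api_exempt"].append(login)     # MFA is not enforced here
        elif role in required_roles and not enabled:
            findings["missing"].append(login)        # required but not set up
        elif enabled and mechanisms == {"Email"}:
            findings["email_only"].append(login)     # relies on mail delivery only
    return findings


if __name__ == "__main__":
    required = {"Administrator", "Staff Attorney", "Intake", PRO_BONO_ROLE}
    for category, logins in audit_mfa(SAMPLE_EXPORT, required, {"Integration"}).items():
        print(f"{category}: {', '.join(logins) or '-'}")
```

The API Access check runs before the required-role check, so a role that appears in both sets is reported as exempt rather than as missing.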
Verifying the MFA Email Was Sent to the User
For admins, emails sent to users who use the email authentication method appear in the sent list at /mail/queue. Add /mail/queue to the end of your site's URL, for example, foo.legalserver.org/mail/queue. Filter the List Sent Mail list for Subject "verification code".
MFA Cookie
MFA works by storing a cookie named mfa_daily_secret_key in your device's browser. Clearing cookies or other browser data (manually or automatically) will require you to authenticate again.
There are different ways to view cookies in different browsers, but you can see when the current MFA cookie expires. In Firefox, for example, the cookie and its expiration are shown in Developer Tools.
Notes and Known Issues
- Administrators can see which users have MFA enabled but there is not a way to enable MFA without the user’s participation.
- Users assigned to the Pro Bono Restricted Access role cannot currently use MFA.
- If your organization uses "LinkProtect", "SafeLinks", or some other program that plays with links in your email messages, you may need to manually get the link from within the email message, if you even can. We have tried to work around that software "using up" the one-time use when it follows the link.