Multifactor Authentication (MFA)

Purpose: An additional layer of account security for logging into LegalServer. It allows access to LegalServer only after you enter a username and password and and authentication code you receive by email or via an authentication app.

Cost: None.

Authentication Period

  • Authentication lasts 24 hours from when you last successfully logged in.

  • Authentication is specific to a device:

    • Different computers are, unsurprisingly, considered different devices.

    • Different browsers are also considered different devices. If, for example, you login and authenticate with Firefox, then login with Chrome, you will be prompted to authenticate again (unless you had authenticated with Chrome within that last 24 hours).

    • A private/incognito window in the same browser is considered a different device.

Initial User Experience

Hover your cursor over your name in the upper right corner of any page and select “My Preferences”.

On your My Preferences page, Actions menu > Enable MFA.

Depending on what your site administrators have configured, you can receive your MFA code via email or an app.

Configure MFA via email mechanism

If Email is offered, and you select it, follow the prompts.

The code in the email expires after 15 minutes.

Configuring MFA via an app-based mechanism

If offered, and you select MFA via an app, follow the prompts.

You need an authentication app on your phone or device. Install one like you do other apps (or as required by your organization). Options are Google Authenticator (Google Authenticator for iOS / Google Authenticator for Android), Authy, or password vault applications like 1Password, Lastpass, or Bitwarden.

On the next screen, either: 1) scan the LegalServer MFA QR code to set-up an account, or 2) enter the MFA Manual Entry key via the setup key prompt on your device.

The authenticator app will populate a 6 digit code for entry into LegalServer’s Authenticator Code section. The codes expire every 30 seconds.

Disabling MFA


You may be allowed to disable MFA on your My Preferences page via Actions menu > Disable MFA. If MFA is required for your user role by your site administrators, you will not be able to disable it.

Site Administrators

Site administrators can disable MFA, or change a user's MFA Method, by editing those fields on the user record. Those fields are typically not shown, or not editable, on the user profile, but are on an auxiliary form restricted to only Administrators.

I Lost/Replaced My Phone/Device (Re-Enabling MFA)

A site administrator will need to disable MFA for your account. When you next login, you can enable MFA again, or if it is required for your user role, you will be forced to enable MFA again.

Enabling MFA for a Site (Site Administrators)

Visit the Admin > Site Settings page and look in the Authentication section.

Requiring MFA (Site Administrators)

  • Administrators can require MFA per user role on the Admin > Site Settings page.

  • Note well the note shown below the list of user roles: "Users whose role has the API Access permission will not be required to implement MFA."

  • Also note well that you should not select the Pro Bono Restricted Access role. It will prevent them from logging in. This role is not yet supported.

Reporting on MFA

There are two fields on the System Users table that tie in with MFA. A boolean about whether MFA is enabled and which MFA mechanism in use. A sample report about all users and whether they have MFA enabled can be found in Example Reports.

Was the MFA Email Sent

Emails sent to users using that method appear in the /mail/queue sent list. Add that to the end of your site's URL, for example, Filter the List Sent Mail list for Subject "verification code".

MFA Cookie

MFA works by storing a cookie named mfa_daily_secret_key in your device's browser. Clearing cookies or other browser data (manually or automatically when you close your browser) will require you to authenticate again.

There are different ways to view cookies in different browsers, but you can see when the current MFA cookie expires. Here is an example using Firefox's Developer Tools:

Notes and Known Issues

    • Administrators can see which users have MFA enabled but there is not yet a way to enable MFA without the user’s participation.

    • Users assigned to the Pro Bono Restricted Access role cannot currently use MFA.

    • If your organization uses "LinkProtect", "SafeLinks", or some other program that plays with links in your email messages, you will need to manually get the link from within the email message, if you even can. We have tried to work around that software "using up" the one-time use when it follows the link.