
Why Use MFA?


Account security is important because it protects access to your account and the data it holds. There are 3 main security factors that allow you to protect your account:

  • Something you know
  • Something you have
  • Something you are

By default VSM requires you to provide something you know: your password. Each additional authentication layer makes access to your account more secure. Virsae allows you to add a second layer, something you have, to your account. In this case, what you have is your smartphone, which hosts an app that provides authentication codes when you log in.

No authentication method can be 100% secure, but by adding layers to your accounts you greatly reduce the risk of being the victim of a successful attack.

...

  • Tick the “Enable Multi-Factor Authentication” box on your Manage Customer/BP page. This will require all users to set up MFA on their next sign-in. Important Note: with this enabled, users will not be able to do anything after login until they have set up MFA; they must complete the set-up before they can successfully log in. Even if MFA is not enforced, all users still have the option of configuring MFA for their account under their profile settings.
  • For any users that need to be exempted from MFA, for example a generic account used by multiple engineers or a Dashboard account, select “Exclude from Multi-Factor Authentication” on their profile page. Note: users with this setting enabled are excluded from MFA enforcement, but they can still opt in if they choose to do so.


Administrators: What to do if a user has lost their phone, or cannot log on with MFA



As an administrator, you can also reset a user's multi-factor configuration on the Manage Users page, alongside Reset Password.



A user can manage their own multi-factor authentication options under their profile. This includes:

  • Resetting recovery codes
  • Reinstalling and reconfiguring the authenticator app
  • Disabling MFA (if not enforced by the administrator)



Setting up MFA for the first time

If an administrator enforces MFA, you will be prompted with the MFA landing page the next time you log in to VSM, if MFA is not already set up on your account.

If MFA has not been enforced but you would like to opt in, you can reach this same page from your profile → Account settings > Configure MFA.

...

  • Click “Add Authenticator App”
  • Use your preferred TOTP authentication app (we recommend Google or Microsoft Authenticator) to scan the QR code shown on the page.
  • Use the newly set up account in your app to get a code and enter it into the box below the QR code. Each code is only valid for 30s; your app should show you how long the current code remains valid. Any code entered after its 30s timer has expired will be rejected, and you will need to use the next one.
  • Click Finish, and then log in again with MFA. You will be prompted for a code, which your authenticator app provides in the same way as in step 3.
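The codes your authenticator app produces are standard RFC 6238 TOTP values: the QR code carries a shared key, and the app computes a 6-digit code from that key and the current 30-second time step. The following is an added illustration, not Virsae's own code; the issuer name "VSM" and the 20-byte key size are assumptions. It also shows why a code whose 30s timer has expired is rejected.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP = 30    # seconds each code is valid (the 30s window described above)
DIGITS = 6   # code length shown by Google and Microsoft Authenticator


def new_authenticator_key(nbytes: int = 20) -> bytes:
    """Random shared key; the QR code embeds this key, base32-encoded."""
    return secrets.token_bytes(nbytes)


def otpauth_uri(key: bytes, account: str, issuer: str = "VSM") -> str:
    """The text a TOTP QR code carries; the app parses it when you scan.
    The issuer label is an assumption for illustration."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}"
            f"&period={STEP}&digits={DIGITS}")


def totp(key: bytes, at: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code for the 30s step containing `at`."""
    counter = struct.pack(">Q", at // STEP)          # time step as 8-byte counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (HOTP)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify(key: bytes, code: str, at: int) -> bool:
    """Accept only the code for the current step: once the 30s timer has
    run out the step counter has moved on, so the old code no longer matches."""
    return hmac.compare_digest(totp(key, at), code)
```

Resetting the authenticator means calling new_authenticator_key again; codes generated from the old key (for example on a lost phone) then fail verify, which is the reason the re-enable steps later on require a reset.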

...

You can only disable MFA on your account if your organization has not enforced it, or you have been excluded from the MFA policy. Administrators can also temporarily disable MFA on your account through the user management pages to allow you to get back into your account if you are having issues with your current MFA configuration.

...

  • Go to your profile -> Manage MFA
  • Disable MFA

Note that this does not wipe any MFA configuration. Your recovery codes will still be valid, but you will not be prompted for authentication codes until you re-enable MFA. MFA can be re-enabled for that account at any time.

How to re-enable MFA

  • Navigate to your profile -> Manage MFA
  • Click Reset authenticator app and scan the QR code with your authenticator app, the same as you did on initial set-up.

We do not allow reusing the same QR code (and therefore the same key) that was in use before MFA was disabled on your account. Users who follow these steps are often doing so because they have lost an old phone, meaning the old QR code (key) is now in unknown hands. This is why you must reset your authenticator rather than just re-enabling it.

...

Reset Multi-Factor Authentication under your profile if you are logged on, or contact your VSM administrator if you are unable to log on.

What is an Authenticator Key?

An authenticator key is the key that your authenticator app uses to generate the codes you need on login. It is embedded in the QR code that you scan when setting up your app.

What are Recovery Codes?

Recovery codes are one-use codes that you can use to get into your account should you lose access to your phone/app. Each can only be used once, so if you have used most of them already, you should go to your profile, Manage MFA, and generate some more (note that any left-over codes from your last batch will be invalidated). To use a recovery code, click “Log in with a recovery code” at the bottom of the second-stage login MFA form.
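The two properties described above, that each code works exactly once and that generating a new batch invalidates every left-over code, are worth seeing as server-side logic. This is an added example, not Virsae's implementation; the batch size of 10 and the code format are assumptions, and only hashes of the codes are kept so a database leak does not expose usable codes.

```python
import hashlib
import secrets

BATCH_SIZE = 10  # assumed; the page does not say how many codes VSM issues


class RecoveryCodes:
    """Single-use recovery codes for one account.

    Only SHA-256 digests are stored; a code is removed on first successful
    use, and generate() replaces the whole set rather than adding to it.
    """

    def __init__(self) -> None:
        self._digests: set = set()

    @staticmethod
    def _digest(code: str) -> str:
        # normalise so a code typed in upper case or with spaces still matches
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def generate(self) -> list:
        """Issue a fresh batch and invalidate every code from earlier batches."""
        codes = [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}"
                 for _ in range(BATCH_SIZE)]
        self._digests = {self._digest(c) for c in codes}   # replace, not extend
        return codes   # shown to the user once; never stored in clear

    def redeem(self, code: str) -> bool:
        """Return True and consume the code if it is valid and unused."""
        digest = self._digest(code)
        if digest in self._digests:
            self._digests.discard(digest)   # one use only
            return True
        return False

    def remaining(self) -> int:
        return len(self._digests)
```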

Where should I store my Recovery Codes?

The idea of MFA is to require you to provide something you have (a lockable phone) in order to gain access. Recovery codes allow you to log in without a phone, but to maintain this element of security they should be stored somewhere as safe as, or safer than, your phone. Writing the codes down and keeping them somewhere secure is a good option, as it means the codes can’t be accessed digitally. Storing the codes in a text document on your work computer is not as safe, because a breach of your work network would then mean your Virsae account is effectively breached as well.

How are my Recovery Codes and Authenticator Apps linked?

They are not. Recovery codes are provided on first set-up of MFA. After that, the app key (QR code) and recovery codes are managed independently, and one can be reset without affecting the other.

What if I lose my phone and Recovery Codes?

...