
Why Use MFA?

Account security matters because it protects access to your account and the data it holds. There are three main security factors you can use to protect your account:

  • Something you know
  • Something you have
  • Something you are

By default, Virsae requires you to provide something you know: your password. Every additional layer of authentication makes access to your account more secure. Virsae lets you add a second layer, something you have, to your account. In this case, what you have is your smartphone, which hosts an app that provides authentication codes at login.

No authentication method is 100% secure, but adding layers to your account greatly reduces the risk of becoming the victim of a successful attack.

Administrators: How to enforce MFA for your users

  • Tick the “Enable Multi-Factor Authentication” box on your Manage Customer/BP page. This requires all users to set up MFA on their next sign-in. Important note: with this enabled, users will not be able to do anything after login until they have set up MFA. If you would rather let users adopt MFA at their own discretion, they can do so from their Edit Profile page.
  • Identify the users you want excluded from this policy and select “Exclude from Multi-Factor Authentication” on their profile page. Note: users with this setting enabled are excluded from enforced MFA; they can still opt in if they choose to.


Administrators: How to manage access if a user has lost or replaced their phone


A user can manage their multi-factor authentication options under their profile. This includes:

  • Resetting recovery codes
  • Reinstalling the app and re-configuring it
  • Disabling MFA (if not enforced by the administrator)


As an administrator, you can also reset a user's multi-factor configuration on the Manage Users page, alongside the reset password option.


Setting up MFA for the first time

If your administrators have enforced MFA, you will be shown the MFA landing page on login until it has been set up. If MFA has not been enforced but you would like to opt in, you can reach the same page from your profile -> Manage MFA.

From there:

  • Click “Add Authenticator App”.
  • Use your preferred TOTP authenticator app (we recommend Google Authenticator or Microsoft Authenticator) to scan the QR code shown on the page.
  • Use the newly added account in your app to get a code and enter it in the box below the QR code. Each code is only valid for 30 seconds; your app shows how long the current code remains valid. A code entered after its 30-second timer has expired will be rejected, and you will need to use the next one.
  • Click Finish, then log in again with MFA. You will be prompted for a code, which your authenticator app provides in the same way as in step 3.

How to disable MFA

You can only disable MFA on your account if your organisation has not enforced it, or if you have been excluded from the MFA policy. Administrators can also temporarily disable MFA on your account through the user management pages to allow you to get back into your account if you are having issues with your current MFA configuration.

To disable MFA:

  • Go to your profile -> Manage MFA
  • Disable MFA

Note that this does not wipe any MFA configuration. Your recovery codes will still be valid, but you will not be prompted for authentication codes until you re-enable MFA.

How to re-enable MFA

  • Navigate to your profile -> Manage MFA
  • Click “Reset authenticator app” and scan the QR code with your authenticator app, the same as you did on initial set up.

We do not allow reuse of the QR code (and therefore the key) that was in place before MFA was disabled on your account. Users who follow these steps are sometimes doing so because they have lost their old phone, which means the old QR code (key) is now in unknown hands. This is why you must reset your authenticator rather than simply re-enable it.


Frequently Asked Questions


What Authentication App should I use?

Virsae’s MFA uses Time-based One-time Passwords (TOTP). You can use any app that supports this mechanism, but we recommend Microsoft Authenticator or Google Authenticator.


How do I log on if I don't have access to my phone?

Log on using your recovery codes. You will have been provided recovery codes when setting up MFA for the first time. If you no longer have access to your recovery codes, create new ones under your profile → Manage Multi Factor Authentication → Reset Recovery Codes.

If you do not have access to your recovery codes and are not logged on, contact your VSM administrator.

How do I log on if I get a new phone?

Reset Multi-Factor Authentication under your profile if you are logged on, or contact your VSM administrator if you are unable to log on.

What is an Authenticator Key?

An authenticator key is the key that your authenticator app will use to generate the codes you need on login. It is embedded in the QR code that you scan when setting up your app.

What are Recovery Codes?

Recovery codes are one-use codes that let you get into your account should you lose access to your phone or app. Each code can only be used once, so if you have used most of them already, go to your profile -> Manage MFA and generate more (note that any codes left over from your previous batch will be invalidated). To use a recovery code, click “Log in with a recovery code” at the bottom of the second-stage MFA login form.
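The two rules above (each code works once, and generating a new batch invalidates the old one) are easy to get wrong server-side. The following is an added example, not Virsae's implementation, of a store that enforces both and keeps only hashes of unused codes so that a copied database does not yield working codes. The code format and batch size are assumptions.

```python
import hashlib
import hmac
import secrets


class RecoveryCodes:
    """Server-side store of one user's recovery codes (added example, not
    Virsae's code). Only hashes of unused codes are kept; the plain codes are
    returned once, for the user to store somewhere safe."""

    def __init__(self, count: int = 10) -> None:
        self._unused_hashes: set[str] = set()
        self.last_issued = self.issue(count)

    @staticmethod
    def _digest(code: str) -> str:
        # Normalise so "ab12-cd34" and "AB12 CD34" count as the same code.
        normalised = code.replace("-", "").replace(" ", "").lower()
        return hashlib.sha256(normalised.encode()).hexdigest()

    def issue(self, count: int = 10) -> list[str]:
        """Generate a fresh batch. Replacing the whole set invalidates any
        codes left over from the previous batch, as the page describes."""
        plain = [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(count)]
        self._unused_hashes = {self._digest(c) for c in plain}
        return plain

    def redeem(self, code: str) -> bool:
        """Consume a code. Each code is accepted at most once."""
        d = self._digest(code)
        # Compare against every stored hash so timing does not reveal a near-match.
        hit = None
        for stored in self._unused_hashes:
            if hmac.compare_digest(stored, d):
                hit = stored
        if hit is None:
            return False
        self._unused_hashes.discard(hit)
        return True

    def remaining(self) -> int:
        return len(self._unused_hashes)
```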

Where should I store my Recovery Codes?

The idea of MFA is to require you to provide something you have (a lockable phone) in order to gain access. Recovery codes let you log in without a phone, so to preserve this element of security they should be stored somewhere as safe as, or safer than, your phone. Writing the codes down and keeping them somewhere secure is a good option, as it means the codes cannot be accessed digitally. Storing the codes in a text document on your work computer is less safe, because a breach of your work network would then effectively also be a breach of your Virsae account.

How are my Recovery Codes and Authenticator Apps linked?

They are not. Recovery codes are provided on first set up of MFA. After that, the app key (QR code) and the recovery codes are managed independently, and either can be reset without affecting the other.

What if I lose my phone and Recovery Codes?

You will need to contact one of your administrators, who can reset your authenticator app from the Manage Users page. If you have lost your recovery codes you should regenerate them, in particular to invalidate the lost codes in case someone else has access to them.