

Why Use MFA?

Account security protects access to your account and the data that it holds. There are 2 main security factors that allow you to protect your account:

  • Something you know (Knowledge)
  • Something you have (Possession)

By default, VSM requires you to provide something you know: your password. The more layers we add to authentication, the more secure your account access becomes. Virsae allows you to add a second layer, something you have, to your account. In this case that is your smartphone, which hosts an app that provides authentication codes at log in.

No authentication method can be 100% secure, but by adding layers to your accounts you greatly reduce the risk of being the victim of a successful attack.


 

Administrators: How to enforce MFA for your users

  • Tick the “Enable Multi-Factor Authentication” box on your Manage Customer/BP page. This will require all users to set up MFA on their next sign-in. Important Note: With this enabled, users will be forced to set up MFA before they can successfully log in. Even if MFA is not enforced, all users still have the option of configuring MFA for their account under their profile settings.
  • For any users that need to be exempted from MFA, for example a Dashboard account, select “Exclude from Multi-factor authentication” on their profile page. Note: users with this setting enabled are excluded from MFA enforcement. They can still opt in if they choose to do so.


Administrators: What to do if a user has lost their phone, or cannot log on with MFA



As an administrator, you can also reset a user's Multi-Factor Authentication configuration on the Manage Users page, alongside reset password.


Users also have the ability to manage their own Multi-Factor Authentication options under their profile. This includes:

  • Resetting recovery codes
  • Reinstalling the app, and re-configuring
  • Disabling MFA (if not enforced by the administrator)


Setting up MFA for the first time

If an administrator enforces MFA, you will be prompted with the MFA landing page the next time you log in to VSM.

If MFA has not been enforced, but you would like to opt in, you can get to this same page when you edit your profile → Account settings → Configure MFA.

From there:

  1. Click “Add Authenticator App”.
  2. Use your preferred TOTP authentication app (we recommend Microsoft Authenticator) to scan the QR code shown on the page.
  3. Use the newly set up account in your app to get a code and enter it into the box below the QR code. These codes are only valid for 30s. Your app should show you how long the current code remains valid. Any code entered after its 30s timer has expired will be invalid, and you will need to use the next one.
  4. Click finish, and then log in again with MFA. You will be prompted for a code, which your authenticator app provides in the same way as in step 3.

How to disable MFA

You can only disable MFA on your account if your organization has not enforced it, or you have been excluded from the MFA policy. Administrators can also temporarily disable MFA on your account through the user management pages to allow you to get back into your account if you are having issues with your current MFA configuration.

To disable MFA:

  • Go to your profile → Manage MFA
  • Disable MFA

MFA can be re-enabled for that account at any time. 

How to re-enable MFA

  • Navigate to your profile → Manage Multi Factor Authentication
  • Click reset authenticator app and scan the QR code with your authenticator app, the same as you did on initial set up.

We do not allow reusing the QR code from before MFA was disabled on your account. Users who follow these steps are sometimes doing so because they have lost an old phone, meaning the old QR code (key) is now in unknown hands. This is why you must reset your authenticator rather than just enabling it.
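The 30-second validity from the setup steps and the reset rule above, shown with RFC 6238 TOTP. This is an added example, not Virsae's code; it assumes HMAC-SHA1 and 6-digit codes (the usual authenticator-app defaults), and `reset_authenticator`, the sample key and the timestamps are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30     # seconds a code stays valid, as stated on this page
DIGITS = 6    # assumption: the common 6-digit code length


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 code for the 30-second step that contains time `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, at: float) -> bool:
    """Accept only the code of the current step; older steps are rejected."""
    return hmac.compare_digest(totp(secret, at), code)


def reset_authenticator() -> bytes:
    """Hypothetical reset: issue a fresh random key, as a new QR code would carry."""
    return secrets.token_bytes(20)


def demo() -> dict:
    old_key = b"12345678901234567890"   # constructed sample key (RFC 6238 test key)
    now = 59                            # constructed timestamp, last second of step 1
    code = totp(old_key, now)
    new_key = reset_authenticator()
    return {
        "code": code,
        "same_step": verify(old_key, code, now),        # still inside the 30 s window
        "next_step": verify(old_key, code, now + 1),    # t=60 starts step 2: expired
        # After a reset the server checks against the new key, so a code
        # produced from the old (possibly lost) key no longer matches.
        "after_reset": verify(new_key, totp(old_key, 60), 60),
    }


if __name__ == "__main__":
    print(demo())
```

A code read at second 59 is rejected one second later because the step counter has advanced, which is why the page tells you to wait for the next code.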


Frequently Asked Questions


What Authentication App should I use?

Virsae’s MFA uses Time-based One-time Passwords (TOTP). You can use any app that supports this mechanism, but we recommend Microsoft Authenticator or Google Authenticator.


How do I log on, if I don't have access to my phone?

Log on using your recovery codes. You will have been provided recovery codes when setting up MFA the first time. If you no longer have access to recovery codes, create new recovery codes under your profile → Manage Multi Factor Authentication → Reset Recovery Codes.

If you do not have access to your recovery codes, and are not logged on, contact your VSM administrator. 

How do I log on, if I get a new phone?

Reset Multi Factor Authentication under your profile if you are logged on, or contact your VSM administrator if you are unable to log on.

What are Recovery Codes?

Recovery codes are one-use codes that you can use to get into your account should you lose access to your phone/app. They can only be used once, so if you have used most of them already, you should head to your profile and generate more (note that any left-over codes from your last batch will be invalidated). 
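How a server can enforce the two properties described above (each code works once, and a new batch invalidates the left-overs), as an added example that is not Virsae's code. The `RecoveryCodes` class, the batch size of 10 and the 16-character code format are assumptions made for illustration.

```python
import hashlib
import secrets


class RecoveryCodes:
    """Hypothetical per-user store that keeps only hashes of unused codes."""

    def __init__(self):
        self._unused = set()

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def regenerate(self, count: int = 10) -> list:
        """Issue a new batch; replacing the set invalidates every left-over code."""
        codes = [secrets.token_hex(8) for _ in range(count)]
        self._unused = {self._digest(c) for c in codes}
        return codes          # shown to the user once, never stored in clear

    def redeem(self, code: str) -> bool:
        """Accept a code at most once, then forget it."""
        digest = self._digest(code.strip().lower())
        if digest not in self._unused:
            return False
        self._unused.remove(digest)
        return True


def demo() -> tuple:
    store = RecoveryCodes()
    first = store.regenerate()
    used_once = store.redeem(first[0])        # first use succeeds
    used_twice = store.redeem(first[0])       # same code again is refused
    second = store.regenerate()               # user generates more codes
    old_after_regen = store.redeem(first[1])  # unused code from the old batch
    new_works = store.redeem(second[0])
    return used_once, used_twice, old_after_regen, new_works


if __name__ == "__main__":
    print(demo())
```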

Where should I store my Recovery Codes?

The idea of MFA is to require you to provide something you have (a lockable phone) in order to gain access. Recovery codes allow you to log in without a phone, but to maintain this element of security they should be stored in a place as safe as, or safer than, your phone. Writing the codes down and keeping them somewhere secure is a good option, as it means the codes can’t be accessed digitally. Storing the codes in a text document on your work computer is not as safe, because a breach of your work network will mean your Virsae account is effectively also breached.

What if I lose my phone and Recovery Codes?

You will need to contact one of your administrators, who can reset your authenticator app from the Manage Users page. If you have lost your recovery codes, you should regenerate them to invalidate the lost codes, in case someone else has access to them.
