What is Multi-factor Authentication (MFA)?
When you sign into your online accounts - a process we call "authentication" - you're proving to the service that you are who you say you are. Traditionally that's been done with a username and a password. Unfortunately, that's not a great way to do it: usernames are often easy to guess (an email address, for example), and many people pick simple passwords or reuse the same one at many different sites.
That's why online services such as banks, social media, shopping sites, and quite often your business have added a way to make your accounts more secure. You may hear it called "Two-Step Verification", "Two-factor Authentication" or "Multifactor Authentication", but they all work the same way. When you sign into the account on a new device or app you need more than just the username and password. You need a second thing - what we call a second "factor" - to prove who you are.
For example, a password is one kind of factor: it's a thing you know. The common kinds of factors are:
- Something you know - Like a password or a PIN
- Something you have - Like a smartphone
- Something you are - Like a fingerprint or facial recognition
How does it work?
If you were to log into your Reward Gateway account with only an email and password anyone with that information could access some sensitive information!
With Multifactor Authentication this becomes much harder: once that password is entered we’ll prompt you for another code (that secret second factor) to make sure it’s you logging in.
At Reward Gateway we follow the standard Time-based One-Time Password (TOTP) protocol (RFC 6238). There are various apps that support this standard, such as Authy, Google Authenticator, and Microsoft Authenticator. You open the app on your smartphone or desktop, and it shows you a unique, dynamically created string of numbers that you type into Reward Manager and you're in!
Now imagine that someone has your password and they get to this stage. They’d need access to your phone or computer in order to log in.
Multi-Factor Authentication in Reward Manager
All users with Reward Manager access are required to set up their additional authentication method when logging in (their current session is interrupted until they set it up, unless they are an admin). Upon login users also have the option to “trust” the device they are using, so they do not have to enter their authentication code every time they log in from it. Users who log in from a “safe” IP address (set by the client in the security settings) will also not be asked to enter their authentication code every time they log in.
If any user, regardless of their role, has lost access to their device and cannot authenticate themselves, they may request their account to be unlocked by an admin of the scheme.
If all of the admins of the scheme have lost access to their accounts in Reward Manager, they will have to contact the Client Support team to assist them with regaining access.
Roles associated with Reward Manager’s Multi-Factor Authentication
- 2FA User - Ability to update own Two-Factor Authentication settings.
- 2FA Administrator - Ability to reset Two-Factor Authentication setups for new devices only. Does not allow unlocking accounts that were locked after failed attempts. Access to 2FA Dashboard and visibility of all 2FA users.
- 2FA Configuration Administrator - Ability to enable or disable 2-factor authentication.
- 2FA Support Administrator - The user will be the primary 2FA contact for the client. Must have Permissions Manager role.
- 2FA User Access Administrator - The user will be able to unlock accounts locked after failed 2FA attempts only.
- 2FA Internal Administrator - Ability to reset Two-Factor Authentication setups on external and internal programs.
Multi-Factor Authentication Enforcement
To turn on each scheme’s individual Multi-Factor authentication, you must go into the “Security” section in Reward Manager, then into Login Challenges.
On this page, you can choose to enable Multi-Factor Authentication for a certain segment of users, and add a custom message visible while they are setting up their authentication. Once enforcement is enabled, the affected users will be required to set up their authentication before using the website (ongoing sessions are interrupted).
Users who are accessing the scheme from a “safe” IP address will not be asked to authenticate themselves when logging in.
The users’ authentication setups can be reset by an admin of the scheme from the “Manage Members” option in the form.
Roles associated with the schemes’ Multi-Factor Authentication
- 2FA Administrator - Ability to reset Two-Factor Authentication setups for new devices only. Does not allow unlocking accounts that were locked after failed attempts. Access to 2FA Dashboard and visibility of all 2FA users.
- Member Administrator / Member Access Control Administrator / Terminal User (any one of the three provides the necessary permissions)
- Security Administrator - Ability to manage security settings of a program
MFA Availability matrix
The table below shows which MFA types (SMS and authenticator app, such as Authy) are currently available on each interface: Reward Manager, SmartHub, Smart Spending or the Connect+ apps.
| MFA type / Interface | Reward Manager | SmartHub | SmartSpending/Connect+ |
| --- | --- | --- | --- |
| SMS | Yes | No | No |
| Authenticator app | Yes | Yes | No |
"MFA token is incorrect" Error
You might see the error message, "MFA token is incorrect" when inputting the code or scanning the QR code, despite it being correct. Try one of the following to resolve this:
Use the digit code instead of QR
If you're getting this error whilst using a QR code, enter the number code provided instead.
Sync device clock (Google Authenticator)
If using Google Authenticator, try syncing the device’s clock to the service. You can do this by navigating to:
Google Authenticator home screen > top right, 3 dots > Settings > Time Correction for codes