Introduction
This article explains what Multi-factor Authentication (MFA) is and how it works on the platform. It also covers the Reward Manager roles needed to manage and administer MFA, and how to turn on MFA for a scheme. This content is for Client Admins who want to understand the background and how to enable and manage MFA.
About Multi-factor Authentication
When you sign into your online accounts - a process called authentication - you're proving to the service that you are who you say you are. Traditionally, that was done with a username and a password. Unfortunately, that's not a secure way to do it, as usernames are often easy to identify (often being email addresses). Additionally, people tend to pick simple passwords or use the same one for many different websites which further reduces how secure this method is.
That's why online services such as banks, social media, shopping, and quite often your business, have added a way for your accounts to be more secure. You may hear it called Two-step Verification, Two-factor Authentication, or Multi-factor Authentication, but they operate on the same methodology. When you sign into your account on a new device (or app), you need more than just the username and password. You need a second thing - what we call a second factor - to prove who you are.
For example, a password is one kind of factor; it's a thing you know. Other common factors are:
- Something you know (e.g. a PIN)
- Something you have (e.g. a smartphone authenticator app)
- Something you are (e.g. fingerprint or facial recognition)
How MFA Works
If you were to log into your account with only an email and password, anyone with that information could access some sensitive information!
With Multi-factor Authentication this becomes a lot trickier: once that password is entered, you are prompted for another code (the secret second factor) to make sure it’s you logging in.
At Reward Gateway | Edenred, we follow the standard Time-based One-Time Password (TOTP) protocol. There are various apps that support this standard, such as Authy, Google Authenticator, and Microsoft Authenticator. You open one of these apps on your smartphone or computer, and it shows you a unique, dynamically created string of numbers that you enter as you log in.
Now imagine that someone has your password and they get to this stage. They’d need access to your phone or computer to log in.
Multi-factor Authentication in Reward Manager
All users with Reward Manager access are required to set up their additional authentication method when logging in. Their current session will be interrupted until they set it up (unless they are an admin). Upon login, users also have the option to trust the device they are using, so they do not have to enter their authentication code every time they log in.
Users who log in from a safe IP address (set by the client in the security settings) will not be asked to enter their authentication code every time when logging in.
If any user, regardless of their role, has lost access to their device and cannot authenticate themselves, they may request their account to be unlocked by an admin of the scheme.
If all admins of the scheme have lost access to their accounts, they will have to contact the Client Support team to regain access. This can be done by clicking the Get in touch link onscreen.
Reward Manager Roles Associated With Multi-factor Authentication
- 2FA Administrator - Ability to reset Two-Factor Authentication setups for new devices only. Does not allow unlocking accounts that were locked after failed attempts. Access to the 2FA Dashboard and visibility of all 2FA users.
- 2FA Support Administrator - The user will be the primary 2FA contact for the client. Must have the Permissions Manager role.
- 2FA User Access Administrator - The user will be able to unlock accounts locked after 2FA failed attempts only.
Turn On Multi-factor Authentication Enforcement
To turn on each scheme’s individual multi-factor authentication:
1. Log into Reward Manager
2. Go to Security > then Login Challenges
This opens the Login Challenges page:
3. On this page, you can choose to enable Multi-Factor Authentication for a certain segment of users, and add a custom message visible when they are setting up their authentication.
Once enforcement is enabled, the affected users will be required to set up their authentication before using the website (ongoing sessions are interrupted).
Users who are accessing the scheme from a safe IP address will not be asked to authenticate themselves when logging in.
4. The users’ authentication setups can be reset by an admin of the scheme from the Manage Members option on the Login Challenges page.
Roles Associated With Scheme Multi-factor Authentication
- 2FA Administrator - Ability to reset Two-Factor Authentication setups for new devices only. Does not allow unlocking accounts that were locked after failed attempts. Access to the 2FA Dashboard and visibility of all 2FA users.
- Member Administrator (for Reward Gateway | Edenred admins) / Member Access Control Administrator (for Client Admins) - Provides the permissions needed to unlock a member account or reset a member's MFA.
- Security Administrator - Ability to manage security settings of a program.
MFA Availability
Both MFA options, SMS and authenticator apps (such as Authy), are available via Reward Manager, SmartHub, the SmartSpending app and the Connect+ app.
Further Information
For more MFA guides, see the Multi-factor Authentication section on the Help Center.