What is MFA?
When you sign into your online accounts - a process we call "authentication" - you're proving to the service that you are who you say you are. Traditionally that's been done with a username and a password. Unfortunately, that's not a great way to do it: usernames are often easy to guess (they are frequently just an email address), and many people pick simple passwords or reuse the same one at many different sites.
That's why online services such as banks, social media, shopping sites and, quite often, your own business have added a way to make your accounts more secure. You may hear it called "Two-Step Verification", "Two-Factor Authentication" or "Multifactor Authentication", but they all operate on the same methodology. When you sign into the account on a new device or app you need more than just the username and password. You need a second thing - what we call a second "factor" - to prove who you are.
For example, a password is one kind of factor: it's a thing you know. The common kinds of factors are:
- Something you know - Like a password, or a PIN
- Something you have - Like a smartphone
- Something you are - Like a fingerprint, or facial recognition
How does it work?
If you were to log into your Reward Gateway account with only an email and password, anyone with that information could access some sensitive information!
With Multifactor Authentication this becomes a lot more tricky: once that password is entered we'll prompt you for another code (that secret second factor) to make sure it's you logging in.
At Reward Gateway we follow the standard Time-based One-Time Password (TOTP) protocol (RFC 6238). There are various apps that support this standard, such as Authy, Google Authenticator and Microsoft Authenticator. We recommend the use of Authy to do this. You open the app on your smartphone or desktop, it shows you a unique, dynamically created string of numbers that you type into Reward Manager, and you're in!
Now imagine that someone has your password and gets to this stage. They'd still need access to your phone or computer in order to log in.
Multi-Factor Authentication in Reward Manager
All users with Reward Manager access are required to set up their additional authentication method when logging in, before they can access Reward Manager (their current session is interrupted until they set it up, unless they are an admin). Upon login, users also have the option to "trust" the device they are using, so they do not have to enter their authentication code every time they log in from it. Users who log in from a "safe" IP address (set by the client in the security settings) will also not be asked to enter their authentication code each time they log in.
If any user, regardless of their role, has lost access to their device and cannot authenticate themselves, they may request their account to be unlocked by an admin of the scheme.
If all of the admins of the scheme have lost access to their accounts in Reward Manager, they will have to contact the Client Support team to assist them with regaining access.
Roles associated with Reward Manager’s Multi-Factor Authentication:
2FA User - Ability to update own Two-Factor Authentication settings.
2FA Administrator - Ability to reset Two-Factor Authentication setups for new devices only. Does not allow unlocking accounts that were locked after failed attempts. Access to the 2FA Dashboard and visibility of all 2FA users.
2FA Configuration Administrator - Ability to enable or disable 2-factor authentication.
2FA Support Administrator - The user will be the primary 2FA contact for the client. Must have Permissions Manager role.
2FA User Access Administrator - The user will be able to unlock accounts locked after failed 2FA attempts only.
2FA Internal Administrator - Ability to reset Two-Factor Authentication setups on external and internal programmes.
MFA on a desktop
If you don't have the option to use MFA on your mobile phone, you can do it on a desktop.
First, you'll need to download the Authy desktop app, which you can find at authy.com.
Click the download button in the top right of the page and scroll down to Desktop. Once there you'll have the option to pick which computer you want to download for.
If you are on a Windows machine and are unsure whether it is 32-bit or 64-bit, search your computer for the Control Panel. In the Control Panel click System and Security, then click System. The system type will be detailed on that page.
Once the download is complete, open the application and install it.
Opening Authy for the first time you’ll need to select a country code and enter your mobile number.
You’ll then need to enter an email address which can be used if you ever lose access to your Authy account.
You can then choose whether you'd like to verify this number via SMS, phone call or WhatsApp message. Enter the code received to complete the setup of the desktop app.
You can now click on the ‘+’ icon to add a new account on Authy which will be your dedicated Reward Manager authenticator.
At the same time, in the top right of your RG platform website, go to Account > Account Settings > Security Centre > Multi-factor authentication > ‘Setup’.
As Authy currently does not support QR code scanning, click on ‘Enter the secret key manually’ under the QR code. Copy and paste the key into the Authy app and click ‘Add Account'.
Next, name your Account, select a custom logo, as well as the desired token length, and Save.
Authy will then send the verification code to the mobile number provided.
Enter this code into the ‘Code’ field on the 2FA setup page and Save.
Once you receive the confirmation message below, your 2FA is set up. Each time you log into your Reward Manager account, Authy will automatically generate a code for you to enter and verify your identity.
Multi-Factor Authentication Enforcement
To turn on each scheme's individual Multi-Factor Authentication, go to the "Security" section in Reward Manager, then into Login Challenges.
On this page, you can choose to enable Multi-Factor Authentication for a certain segment of users, and add a custom message visible while they are setting up their authentication. Once enforcement is enabled, the affected users will be required to set up their authentication before using the website (ongoing sessions are interrupted).
Users who are accessing the scheme from a “safe” IP address will not be asked to authenticate themselves when logging in.
The users’ authentication setups can be reset by an admin of the scheme from the “Manage Members” option in the form.
Roles associated with the schemes’ Multi-Factor Authentication:
2FA Administrator - Ability to reset Two-Factor Authentication setups for new devices only. Does not allow unlocking accounts that were locked after failed attempts. Access to the 2FA Dashboard and visibility of all 2FA users.
Member Administrator / Member Access Control Administrator / Terminal User (any one of the three provides the necessary permissions).
Security Administrator - Ability to manage security settings of a programme.