Introduction
In this document, you will learn how to require members of a specific program to set up their Multi-Factor Authentication (MFA) login method in order to use the site.
Things to Consider
- You should read the member facing MFA article, as this will give you an idea of the user journey your employees will go through to setup MFA
- You should consider whether you have a significant employee population without access to smartphones/desktop, as they will not be able to use MFA in this case
- You should consider the impact to the user journey, as once MFA is enabled, the user will need access to an authenticator app (either on a smartphone or desktop), each time they want to access the RG website
Setup
Select the "Security" option in Reward Manager’s sidebar:
Note: If you can't see the "Security" option, check you have rights to edit a scheme’s Security settings. You may have to raise a support ticket for this.
Then, head over to the “Login Challenges” section:
The option to look for next is “Enforce Multi-Factor Authentication?”. You should see the status of the option currently, whether it’s enabled or not as the checkbox labelled "If selected, members will be required to set up their Multi-Factor Authentication". You can enable or disable enforced MFA for this program using this checkbox.
Enabling this option will require the program's members to have MFA enabled on their accounts. To have fine-grained control of which members need to use MFA, you can place them in a Segment.
Segments are configured within the Segment Manager. For more information, see Creating segments with Segment Manager .
You can also enter a message that you want your employees to see when they reach the MFA sign up page. This can give your employees better clarity on the reasoning behind enforcing them to use MFA.
Changes to the Login User Journey
Once MFA is enforced, members who have not set up their MFA will be asked to do so as soon as they are logged in - the others who have previously set it up will be unaffected.
Keep in mind that turning this option on will take effect immediately on all members. This might interrupt some of the members’ actions on the website - their next selection or action on the site will bring them to the MFA setup page if they haven't set up MFA yet.
Disabling the option will not affect any MFA methods already set up by members, it will only remove the requirement for setting it up to use the website.
MFA Availability matrix
With the below table, we are presenting the currently available MFA options of the available types (SMS and Authenticator app like Authy) against the interface - Reward Manager, SmartHub, Smart Spending or the Connect+ apps.
| MFA type/Interface | Reward Manager | SmartHub | SmartSpending/Connect+ |
| SMS | Yes | No | No |
| Authenticator app | Yes | Yes | No |
"MFA token is incorrect" Error
You might see the error message, "MFA token is incorrect" when inputting the code or scanning the QR code, despite it being correct. Try one of the following to resolve this:
Use the digit code instead of QR
If you're getting this error whilst using a QR code, enter the number code provided instead.
Sync device clock (Google Authenticator)
If using Google Authenticator, try syncing the device’s clock to the service. You can do this by navigating to:
Google Authenticator home screen > top right, 3 dots > Settings > Time Correction for codes