You can use any authenticator products like Passly, Google Authenticator, Duo, etc. You can use your organization's IDP to implement this extra security as well.
MFA Exclusion for Client Portal User
As an exclusion to the above rule, users of Client Portal are excluded from mandatory MFA. For more information, see Disabling MFA for a Client Portal User towards the end of this article.
- An active employee or contact in the system
- An authenticator application on your mobile device
Existing SSO users:
- SSO Provider interface > BMS App > My Settings > Enable MFA > Logout of BMS
- SSO Provider interface > BMS App > Loads BMS profile using SAML
Authentication will show MFA enabled, and the user authentication type under HR for this user will be SAML SSO.
As an end-user :
- Open "My Settings page" and Enable MFA.
- Once MFA is enabled for an account, you will have to set up your mobile device to help you generate code during your next login.
- Scan the QR code shown on your screen
- Generate code, use it in the" Verify MFA Code" box, click Enable.
If your app doesn't support a code scanner you can also use the following steps to configure the code manually.
Once MFA is enabled, you will also see an option to generate an MFA recovery token, click on the link and save the code somewhere secure. You will need this in case you need to reset your MFA and self-serve.
If you do not have access to your mobile device to generate a code, you can either use the Recovery key token or reset your MFA.
- Retrieve the recovery token that you saved securely from the 'My Settings' page during the MFA setup.
- Enter it into the MFA Code field when you log in. This code expires after the first use. You’ll need to get a new recovery code and store it in a secure place for future use.
- If one does not have access to their recovery token, they can reach out to someone with an Administrator role in the system, and have them reset MFA for their user.
- Administrators can reset MFA for their users by navigating to Admin > HR > Employees if the user is an employee or Contacts > CRM > Contact > Client portal access for a client portal user. Select Reset MFA. The user will be asked to set up MFA again on their next login.
- A sole administrator can get their MFA reset, in case they are locked out by creating a support ticket with our BMS Support Team.
Disabling MFA for a Client Portal User
- Go to CRM > Contacts > Batch Action.
- Select the contact for which MFA for the client portal needs to be disabled.
- Click Next > Update.
- Click Yes next to Disable MFA field.
- Click Confirm.