Introduction
BMS supports Multi-Factor Authentication (MFA) for enhanced security. Administrators can enforce MFA for all users, or end users can enable it in their own profiles.
You can use any generic authenticator product, such as Passly, Google Authenticator, or Duo. You can use your organization's IdP to implement this extra security, or use the service built into BMS to enforce MFA.
Prerequisites
- An active employee or contact in the system.
- An authenticator application on your mobile device.
Features
- Enforce MFA for a few or all users.
- MFA will work in parallel with your current SSO and SAML IDP authentications.
- An MFA enabled/disabled column is shown on the Employee and Contact listing pages.
- MFA can be disabled for multiple users at once using batch actions under Contacts.
Setup
As an Admin:
- In BMS, navigate to Admin > My Company > Auth and Provision.
- Require MFA for non-SSO users: Yes
Existing SSO users:
- SSO Provider interface > BMS App > My Settings > Enable MFA > Log out of BMS
- SSO Provider interface > BMS App > Loads BMS profile using SAML
Authentication will show MFA enabled, and the user authentication type under HR for this user will be SAML SSO.
As an end user:
- Open the "My Settings" page and enable MFA.
- Once MFA is enabled for an account, you will have to set up your mobile device to generate a code at your next login.
- Scan the QR code shown on your screen.
- Generate a code, enter it in the "Verify MFA Code" box, and click Enable.
If your app doesn't support a code scanner, you can also use the following steps to configure the code manually.
Once MFA is enabled, you will also see an option to generate an MFA recovery code. Click the link and save the code somewhere secure.
Lockout recovery
If you do not have access to your mobile device to generate a code, you can either use the Recovery key or reset your MFA.
- Copy the recovery token that you saved from the 'My Settings' page during the MFA setup.
- Enter it into the MFA Code field when you log in. This code expires after the first use. You’ll need to get a new recovery code and store it in a secure place for future use.
Reset MFA
- Reach out to someone with an Administrator role in the system, and have them reset your MFA.
- Reset path: Navigate to Admin > HR > Employees if the user is an employee, or Contacts > CRM > Contact > Client portal access for a client portal user.
- Choose Reset MFA. You will be asked to set up MFA again on your next login.