Enabling Multi-Factor Authentication in BMS


BMS supports Multi-Factor Authentication (MFA) for enhanced security. Administrators can enforce MFA on all users, or end users can enable it in their profiles.

You can use any generic authenticator product, such as Passly, Google Authenticator, Duo, and others. You can use your organization's IDP to implement this extra security or use the built-in service by BMS to enforce MFA.


  • An active employee or contact in the system.
  • An authenticator application on your mobile device.


  • Enforce MFA for a few or all users.
  • MFA will work in parallel with your current SSO and SAML IDP authentications.
  • MFA enabled/disabled value columns are listed in Employee and Contact listing pages.
  • MFA can be disabled for multiple users at once using batch actions under Contacts.


As an Admin:

    1. In BMS, navigate to Admin > My Company > Auth and Provision.
    2. Set Require MFA for non-SSO users: Yes

Existing SSO users: 

Enabling the "Require MFA for non-SSO users" option applies MFA on all the login accounts. If the user has an existing SSO, they would still have to log in to their profile and enable MFA. This is a one-time setup for SSO users. MFA will not be asked for any subsequent logins.
  • SSO Provider interface > BMS App > My Settings > Enable MFA > Log out of BMS
  • SSO Provider interface > BMS App > Loads BMS profile using SAML

Authentication will show MFA enabled, and the user authentication type under HR for this user will be SAML SSO.

As an end-user:

    1. Open the "My Settings" page and enable MFA.
    2. Once MFA is enabled for an account, you will have to set up your mobile device to generate a code during your next login.
      • Scan the QR code shown on your screen.
      • Generate a code, enter it in the "Verify MFA Code" box, and click Enable.

If your app doesn't support a code scanner, you can also use the following steps to configure the code manually.

    1. Click on "Show secret Key for manual configuration".
    2. On your device, add a new setup key and use the secret token from BMS.

Once MFA is enabled, you will also see an option to generate an MFA recovery code. Click on the link and save the code somewhere secure.


Note: On your next login, you will be prompted for your Username, Password, and the authentication code (OTP) generated by an authenticator application. A change in authentication type requires users to refresh their logged-in session.

Lockout recovery

If you do not have access to your mobile device to generate a code, you can either use the Recovery key or reset your MFA.

  • Copy the recovery token that you saved from the 'My Settings' page during the MFA setup.
  • Enter it into the MFA Code field when you log in. This code expires after the first use. You’ll need to get a new recovery code and store it in a secure place for future use.



Reset MFA

  • Reach out to someone with an Administrator role in the system, and have them reset your MFA.
  • Reset path: Navigate to Admin > HR > Employees if the user is an employee, and Contacts > CRM > Contact > Client portal access for a client portal user.
  • Choose Reset MFA. You will be asked to set up MFA again on your next login.



