Multi-factor authentication

With multi-factor authentication (MFA), the user receives a security code by text or email when they enter their user name and password on the login screen. They must then enter the security code to finish logging in.

You can require multi-factor authentication for all users, or you can make it optional.

Optional MFA

If multi-factor authentication is optional, users can enable it by clicking the Enable Multi Factor Authentication button in the Dashboard or the My Profile page.

To enable multi-factor authentication, the user selects a communication preference for receiving their security codes. After MFA is enabled, the Disable Multi Factor Authentication button is shown instead of the Enable Multi Factor Authentication button.

System administrators can also use the Portal User InfoViewer in Operations and Regulations to disable multi-factor authentication for specific portal users. To open the Portal User InfoViewer, click the Portal Account link for a contact information record. To disable multi-factor authentication in the Portal User InfoViewer, click Action and select Reset Multi Factor Authentication.

Fallback options

If the Multi-Factor Authentication Add New Method feature toggle is enabled, users can set up a fallback option for multi-factor authentication (MFA), such as both email and SMS. If the primary method fails during login, the system automatically prompts the user to use their fallback method.

Agency staff can use the Portal User InfoViewer to view a user's configured MFA methods and assist with troubleshooting if needed.

Configuration

To configure multi-factor authentication, edit the PortalSetup configuration for the Operations and Regulations site. Add the Multi-Factor Authentication node under the Portal User node and set the Enabled attribute to True.

MFA can be optional, or it can be required for all users. To require it for all users, set the Required attribute to True.

See PortalSetup configuration.

The Notification Type attribute of the Multi-Factor Authentication node specifies the notification type to use to send security codes to users. This must match an active notification type that is defined under the NOTIFICATIONS node of the Hansen8 configuration.

The notification type in the Hansen8 configuration specifies the name of a template that is defined in the Notification Templates (RNT) page in Operations and Regulations. Default notification templates for multi-factor authentication are provided for both email and text communications.

  • For email communications, use Portal_TwoFactorAuthentication_Email.
  • For text messages, use Portal_TwoFactorAuthentication_SMS.

Errors

If multi-factor authentication is not configured correctly, the user will see this error message when they attempt to log in:

Login not possible. MFA notifications are unavailable.

If site users report MFA error messages, check these settings:

  • Ensure that MFA is enabled in the PortalSetup configuration.
  • Check that the MFA notification type specified in the PortalSetup configuration is configured correctly under the NOTIFICATIONS > Notification Types node in the Hansen8 configuration.

    Each notification type under the Notification Types node has one or more method nodes as children. Each method node defines a notification method (email or SMS) that is available for the parent notification type.

    To be effective, a notification type must have the Enabled attribute set to True for at least one notification method. The Notification Template ID attribute on the notification method node specifies the template to use.

  • In the Notification Templates (RNT) page, ensure that the template specified for the notification method in the Hansen8 configuration is a valid notification template.

Note: We suggest that you consider disabling multi-factor authentication in the PortalSetup configuration until the issue is resolved.
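
The troubleshooting checklist above, expressed as a check that follows the chain from the PortalSetup MFA node to the Hansen8 notification type to the RNT template. This is an added example, not product code: the dictionary layout and the notification type name PortalMFA are constructed stand-ins, because this page does not show how the configuration is stored or exported.

```python
# Constructed sample data. Attribute names come from the page; the nesting,
# the "methods"/"method" keys and the type name "PortalMFA" are assumptions.
PORTAL_SETUP = {"Portal User": {"Multi-Factor Authentication": {
    "Enabled": "True", "Required": "True", "Notification Type": "PortalMFA"}}}
HANSEN8 = {"NOTIFICATIONS": {"Notification Types": {"PortalMFA": {"methods": [
    {"method": "email", "Enabled": "True",
     "Notification Template ID": "Portal_TwoFactorAuthentication_Email"},
    {"method": "SMS", "Enabled": "False",
     "Notification Template ID": "Portal_TwoFactorAuthentication_SMS"},
]}}}}
RNT_TEMPLATES = {"Portal_TwoFactorAuthentication_Email",
                 "Portal_TwoFactorAuthentication_SMS"}


def check_mfa_chain(portal_setup, hansen8, rnt_templates):
    """Walk the checklist in order and return a list of findings (empty = OK)."""
    findings = []
    # Step 1: MFA node exists under Portal User and is enabled.
    mfa = portal_setup.get("Portal User", {}).get("Multi-Factor Authentication")
    if mfa is None:
        return ["PortalSetup: Multi-Factor Authentication node is missing"]
    if mfa.get("Enabled") != "True":
        findings.append("PortalSetup: MFA Enabled attribute is not True")
    # Step 2: the Notification Type must exist under NOTIFICATIONS > Notification Types.
    type_name = mfa.get("Notification Type")
    types = hansen8.get("NOTIFICATIONS", {}).get("Notification Types", {})
    ntype = types.get(type_name)
    if ntype is None:
        findings.append(f"Hansen8: notification type {type_name!r} is not defined")
        return findings
    # Step 3: at least one method node must have Enabled set to True.
    enabled = [m for m in ntype.get("methods", []) if m.get("Enabled") == "True"]
    if not enabled:
        findings.append(f"Hansen8: {type_name!r} has no enabled notification method")
    # Step 4: each enabled method must point at a template that exists in RNT.
    for m in enabled:
        tid = m.get("Notification Template ID")
        if tid not in rnt_templates:
            findings.append(
                f"RNT: template {tid!r} ({m.get('method')}) is not a valid template")
    return findings


if __name__ == "__main__":
    problems = check_mfa_chain(PORTAL_SETUP, HANSEN8, RNT_TEMPLATES)
    print("\n".join(problems) if problems else "MFA notification chain is consistent")
```

An empty result means every link in the chain resolves; any finding names the configuration layer to inspect first.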