Overview:
Multifactor Authentication (MFA) adds an extra layer of security when accessing Workbench, making it even more difficult for unauthorized users to gain access. This a secure way to manage logins, where Office 365 authentication is not available. We still recommend Office 365 (Azure) authentication as the most reliable way to secure your users loggin to the web application.
MFA adds an additional verification step when logging in.
When MFA is enabled by your system administrator on your Workbench instance, each time you log in to Workbench you will require:
Your Login code
Password
One-Time Passcode
This Passcode can be either:
sent to your email address from the Log-in screen in Workbench or
you can grab a One-Time Passcode generated from your preferred authenticator app every time you log in. This requires that you configure your preferred authenticator app and add an account for your Workbench instance (steps below).
Note |
---|
Users must have an email address in their User details to be able to login for the first time after MFA has been enabled. |
Screen Guide:
For Users - how to login to Workbench using Multifactor authentication
Once MFA is enabled on your Workbench instance, you will follow these steps on your Workbench login screen:
Enter login code and password as usual
Click Login
'Enter your passcode' screen appears.
Send new Passcode option:
Use the Send new passcode option to get a one-time passcode sent to your email address. The email address used is the one on your Workbench user. If your User does not have an email address an error message will display indicating so, and you need to contact your System Administrator to add an email address for you.Authenticator app option:
Once you log in for the first time by sending a passcode to your email address, you have the option to configure a second method of getting the one-time passcode. From your Profile (on the top right of your screen), navigate to the MFA setup menu.You will need an authenticator app such as Microsoft Authenticator or Google Authenticator. Download it on your phone from your App Store or Google Play.
From Workbench on your desktop or laptop:
Once you have the authenticator on your mobile phone, open it and scan the QR code on this screen.
Enter the one-time passcode generated by the app and type it back on your Workbench screen to validate and finish the configuration.
Bingo! That is it; your authenticator app is ready for you to get one-time passcodes from it to log in to Workbench.
Next time you log in enter your log-in code and password, and on the next screen enter the passcode from your authenticator app. Be quick! it only lasts 1 minute.
From Workbench on your mobile device:
Because you cannot use your phone’s camera to scan your screen, you will need to add the Secret Key manually. On the MFA screen tap & copy the Secret Key.
Open your authenticator app and select the option to add an account (Google authenticator: Plus symbol/Enter setup key or on Microsoft Authenticator: Plus symbol/Other/ Enter code manually/Account name is a name to identify your account (Workbench), Secret Key is the key you copied from Workbench).
Tap on the one-time passcode from this new account and paste it back on your Workbench screen to validate and finish the configuration.
Bingo! That’s it; your authenticator app is ready for you to get one-time passcodes from it to log in to Workbench.
Next time you log in enter your log-in code and password, and on the next screen enter the passcode from your authenticator app. Be quick! it only lasts 1 minute.
Tip |
---|
Remember!
|
For System Administrators - how to enable Multifactor authentication on Workbench
Note |
---|
Users must have an email address in their User details to be able to log in for the first time after MFA has been enabled. |
Multifactor authentication can be enabled with the control parameter 'Authentication - Enable MFA'. This will enable it for all your users, regardless of whether they have an email address or not. Before enabling it make sure all users have an email address and inform them about the change. You can send them a link to this page so they can be prepared and follow step-by-step how their login experience will look once MFA is enabled.
There is a way to temporarily disable a user’s MFA. This can be done from the User Main tab, however, it is recommended that MFA is enabled for all users as a security policy, especially those privileged users that have unlimited access to the application. On the Users list you can sort by HasMFA column to check if any users have MFA disabled.