This article outlines the configuration and use of Two-Factor Authentication (2FA) Security for End Users.
Two-Factor Authentication (2FA) is a form of multi-factor authentication intended to confirm a user's identity by requiring a combination of identifying pieces of information to successfully log in to the system.
Authentication Apps for Mobile Devices
There are several authentication applications available for mobile devices. We recommend installing the following apps for these top mobile platforms: Google Authenticator for Android and iOS, and Microsoft Authenticator for Windows Phone.
Implementation of Two-Factor Authentication
Your system administrator can configure the implementation of Clarity 2FA using one of two methods: mandatory or self-enrolled.
- Mandatory (recommended) - All users in the Clarity system are required to use a 2FA method for login.
- Self-Enrolled - Users can voluntarily configure their Clarity account to use 2FA functionality for login.
In addition to the authentication configurations described above, the system administrator may enable additional configurations to the 2FA functionality system-wide.
- Enable Trusted Devices - When this setting is enabled by your system administrator, the user is presented during the login process with a checkbox option to register the device they are using to log in as a trusted device for accessing Clarity. A trusted device does not need to complete the two-step login process at each login session; registering the device is required to avoid entering the verification code each time the user logs in using the same device. The 2FA prompts can be delayed for 7, 14, 30, or 90 days. This is determined by your system administrator.
- Allow Email Authentication - With this setting enabled, the user will be presented with the option to have a code emailed to them in the initial 2FA set-up screen. The authentication codes will then be emailed to the email address associated with your Clarity account. This removes the need for an authentication app to receive codes.
These additional configurations will determine what options are available to the user when accessing the Clarity site using 2FA, and how the login process will behave for future logins.
Note: For this article, the 2FA configuration is depicted with Enable Trusted Devices and Allow Email Authentication settings enabled.
Set Up Two-Factor Authentication
With 2FA enabled, the user will be presented with options to authenticate their identity upon entering their Username and Password. The option selected will be used for future login procedures until the Authentication Token is reset. The methods available to the user are as follows:
- Use an Authenticator App
- Get a Code Emailed
Use an Authenticator App
Selecting this option and clicking the Next button will display a dialog prompting the user to scan a custom QR code using their mobile device's camera within the authentication app. When the app has scanned the QR code on the screen, a 6-digit numerical code will be generated by the app. Enter the 6-digit code from the app and click Verify Code to complete login.
Note: The Trusted Device checkbox will appear in this step if your System Administrator has activated the setting in the overall 2FA system configuration.
Get a Code Emailed
Selecting this option and clicking the Next button will send an email containing a 6-digit code to the email address associated with the user's Clarity account.
Once the user receives the email, they may enter the code into the dialog box and click Verify Code to complete the login process. The user may also click the Resend Code button to have another code generated and sent to the user's email address.
Subsequent Logins with 2FA Enabled
With the initial login completed using either the authentication app or email methods, for subsequent logins the user will be presented with a dialog box to enter the required code in order to complete login.
For users who selected the email option, an email with a new code will be sent upon entering their username and password.
For users who selected the authentication app method, they will be required to open the app and enter the code displayed.
Note: If your system administrator has configured 2FA to allow trusted devices for a specific amount of time, the Trusted Device checkbox will appear. When this box is checked, this step will not be required each time the user enters their username and password.
Self-Enrolling in Two-Factor Authentication
Users may choose to activate 2FA for their individual account in the event the functionality is not activated for all users by their System Administrator. This is useful for specific agencies that may have stricter login regulations requiring the use of 2FA.
Accessing the 2FA Account Setting
To access the 2FA setting for your individual account, click the user icon in the upper left of the screen. This may be the user's photo or name initials. When the user account control dialog appears, click Account Settings. The 2FA setting is located in the My Info window.
Reset Authentication Token
Once a code has been generated by the authentication app, the user has the ability to reset their authentication token from their Account Settings window. This will reset the 2FA functionality and require the user to generate and verify a new code at the next login attempt.