Two-Factor Authentication (2FA) is a form of multi-factor authentication intended to confirm a user's identity by requiring a combination of identifying pieces of information to log in to the system.
Authentication Apps for Mobile Devices
There are several authentication applications available for mobile devices. We recommend installing the following apps for these top mobile platforms: Google Authenticator for Android and iOS, and Microsoft Authenticator for Windows Phone.
Implementation of Two-Factor Authentication
Your system administrator can configure Clarity Human Services 2FA in one of two ways: mandatory or self-enrolled.
- Mandatory (recommended) - all users are required to use a 2FA method for logging in
- Self-Enrolled - users can voluntarily configure their account to use 2FA functionality for logging in
In addition to the authentication configurations described above, system administrators may enable additional configurations to the 2FA functionality system-wide.
- Enable Trusted Devices - when this setting is enabled by your system administrator, the login process will show a checkbox that lets you register the device you're using as a trusted device for accessing Clarity Human Services. Registering a trusted device is not required to use the two-step login process, but it is required if you want to avoid entering the verification code each time you log in using the same device. The 2FA prompts can be delayed for 7, 14, 30, or 90 days. This is determined by your system administrator.
- Allow Email Authentication - with this setting enabled, the initial 2FA setup screen will offer the option to have a code emailed to you. Authentication codes will then be sent to the email address associated with your account, which removes the need to use an authentication app to receive codes.
These additional configurations will determine what options are available to you when accessing Clarity Human Services using 2FA, and how the login process will behave for future logins.
|Note: for this article, the 2FA configuration is depicted with Enable Trusted Devices and Allow Email Authentication settings enabled.|
Set Up Two-Factor Authentication
With 2FA enabled, you'll be presented with options to authenticate your identity upon entering your username and password (figure 1). The option selected will be used for future login procedures until the authentication token is reset. The methods available are:
- Use an authenticator app
- Get a code emailed
Use an Authenticator App
Selecting this option and clicking the Next button will display a dialog box prompting you to scan a custom QR code using your mobile device's camera within the authentication app (figure 2). When the app has scanned the QR code on the screen, a 6-digit numerical code will be generated by the app. Enter the 6-digit code from the app and click Verify Code to complete login.
|Note: the Trusted Device checkbox will appear in this step if your system administrator has activated the setting in the overall 2FA system configuration.|
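The following is an added example, not code from Clarity Human Services or Bitfocus. It shows how an authenticator app such as Google Authenticator derives a 6-digit code from the secret carried in a scanned QR code, and how a server can check it, assuming the standard TOTP scheme (RFC 6238: HMAC-SHA1, 30-second period). The page does not state which parameters Clarity uses; the key is the RFC test key and the URI is constructed for illustration.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

def parse_otpauth(uri):
    """Extract the shared secret and parameters from an otpauth:// URI (the QR payload)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = parse_qs(u.query)
    b32 = q["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)          # restore padding that URIs usually omit
    return {"key": base64.b32decode(b32),
            "digits": int(q.get("digits", ["6"])[0]),
            "period": int(q.get("period", ["30"])[0])}

def totp(key, unix_time, digits=6, period=30):
    """RFC 6238 code for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F               # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(key, submitted, unix_time, window=1, digits=6, period=30):
    """Accept the current step and `window` steps either side to tolerate clock drift."""
    for step in range(-window, window + 1):
        expected = totp(key, unix_time + step * period, digits, period)
        # constant-time comparison avoids leaking how many digits matched
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False

# Constructed sample: RFC 6238 test key wrapped in a hypothetical provisioning URI.
SAMPLE_KEY = b"12345678901234567890"
SAMPLE_URI = ("otpauth://totp/Example:user?secret="
              + base64.b32encode(SAMPLE_KEY).decode() + "&issuer=Example")

if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_URI)
    code = totp(cfg["key"], 59, cfg["digits"], cfg["period"])
    print("code at t=59:", code)
    print("accepted 30 s later:", verify(cfg["key"], code, 89))
    print("accepted 90 s later:", verify(cfg["key"], code, 149))
```

Because the code depends only on the shared secret and the clock, anyone who obtains the QR code or its secret can generate valid codes, which is why the token should be reset if the setup screen or device is exposed.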
Get a Code Emailed
Selecting this option and clicking the Next button will send an email containing a 6-digit code to the email address associated with your account (figure 3).
Once you receive the email, enter the code into the dialog box and click Verify Code to complete the login process (figure 4). You may also click the *Resend Code button to have another code generated and sent to your email address.
*Users will receive a warning if they make a Two-Factor Authentication (2FA) > Resend Code request within a 5-minute window.
If you do not receive an email, please be sure to check your junk/spam folder.
If you are unable to receive the email code, please reach out to your IT department. They'll be able to whitelist the incoming email address so that it will be marked as a safe sender. Please provide them with the following email address: firstname.lastname@example.org. Once your IT department has whitelisted the incoming email address, log on and have the code re-sent to your email address.
In the meantime, you can contact Bitfocus Support at (702) 614-6690, Ext. 2 to receive a temporary authentication code.
If you continue to have difficulty receiving email, we recommend downloading and using an authenticator app instead. If you have already attempted to receive a code by email, you will need to contact Support first to have the code reset.
Subsequent Logins with 2FA Enabled
Once the initial login has been completed using either the authentication app or email method, subsequent logins will present a dialog box where you enter the required code to complete login.
If you selected the email option, an email with a new code will be sent upon entering your username and password.
If you selected the authentication app method, you'll be required to open the app and enter the code displayed (figure 5).
|Note: if your system administrator has configured 2FA to allow trusted devices for a specific amount of time, the Trusted Device checkbox will appear. If you check this box, this step will not be required each time you enter your username and password.|
Self-Enrolling in Two-Factor Authentication
You may choose to activate 2FA for your individual account in the event the functionality is not activated for all users by your system administrator. This is useful for specific agencies that may have stricter login regulations requiring the use of 2FA.
Accessing the 2FA Account Setting
To access the 2FA setting for your individual account, click the user icon in the upper left-hand corner of the screen (figure 6). This may be your photo or your initials. When the user account control dialog appears, click Account Settings.
Toggle on Enable 2FA (figure 7).
Reset Authentication Token
Once a code has been generated by the authentication app, you have the ability to reset your authentication token from Account Settings (figure 8). This will reset the 2FA functionality and require you to generate and verify a new code at the next login attempt.