Two-Factor Authentication (2FA) is a form of multi-factor authentication intended to confirm a user's identity by utilizing a combination of identifying pieces of information to successfully log in to the system.
Authentication Apps for Mobile Devices
There are several authentication applications available for mobile devices. We recommend installing the following apps for these top mobile platforms: Google Authenticator for Android and iOS, and Microsoft Authenticator for Windows Phone.
Implementation of Two-Factor Authentication
Your system administrator has the ability to configure the implementation of Clarity 2FA using two methods; mandatory and self-enrolled
- Mandatory (recommended) - All users are required to use a 2FA method for logging in
- Self-Enrolled - Users can voluntarily configure their account to use 2FA functionality for logging in
In addition to the authentication configurations described above, the system administrator may enable additional configurations to the 2FA functionality system-wide.
- Enable Trusted Devices - When this setting is enabled by your system administrator, you will be presented with the checkbox option of registering the device you are using to log in as a trusted device for accessing Clarity Human Services during the login process. A trusted device is not required to use the two-step login process at each login session, however it is required to avoid the need to enter the verification code each time you log in using the same device. The 2FA prompts can be delayed for 7, 14, 30, or 90 days. This is determined by your system administrator.
- Allow Email Authentication - With this setting enabled, you will be presented with the option to have a code emailed to you in the initial 2FA setup screen. This will allow the authentication codes to be emailed to the email address associated with your account. This alleviates the use of an authentication app to receive codes.
These additional configurations will determine what options are available to you when accessing Clarity Human Services using 2FA, and how the login process will behave for future logins.
Note: For this article, the 2FA configuration is depicted with Enable Trusted Devices and Allow Email Authentication settings enabled.
Set Up Two-Factor Authentication
With 2FA enabled, you will be presented with options to authenticate your identity upon entering your Username and Password. The option selected will be used for future login procedures until the Authentication Token is reset. The methods available are:
- Use an Authenticator App
- Get a Code Emailed
Use an Authenticator App
Selecting this option and clicking the Next button will display a dialog prompting you to scan a custom QR code using your mobile device's camera within the authentication app. When the app has scanned the QR code on the screen, a 6-digit numerical code will be generated by the app. Enter the 6-digit code from the app and click Verify Code to complete login.
Note: The Trusted Device checkbox will appear in this step if your System Administrator has activated the setting in the overall 2FA system configuration.
Get a Code Emailed
Selecting this option and clicking the Next button will send an email containing a 6-digit code to the email address associated with your account.
Once you receive the email, you may enter the code into the dialog box and click Verify Code to complete the login process. You may also click the Resend Code button to have another code generated and sent to your email address.
Subsequent Logins with 2FA Enabled
With the initial login completed using either the authentication app or email methods, for subsequent logins, you will be presented with a dialog box to enter the required code in order to complete login.
If you selected the email option, an email with a new code will be sent upon entering your username and password.
If you selected the authentication app method, you will be required to open the app and enter the code displayed.
Note: If your system administrator has configured 2FA to allow trusted devices for a specific amount of time, the Trusted Device checkbox will appear. Checking this box will not require this step each time you enter your username and password.
Self-Enrolling in Two-Factor Authentication
You may choose to activate 2FA for your individual account in the event the functionality is not activated for all users by your System Administrator. This is useful for specific agencies that may have stricter login regulations requiring the use of 2FA.
Accessing the 2FA Account Setting
To access the 2FA setting for your individual account, click the user icon in the upper left of the screen. This may be your photo or name initials. When the user account control dialog appears, click Account Settings. The 2FA setting is located in the My Info window.
Reset Authentication Token
Once a code has been generated by the authentication app, you have the ability to reset your authentication token from the Account Settings window. This will reset the 2FA functionality and require you to generate and verify a new code at the next login attempt.