The Multi-Factor Authentication tab will be visible when the Multi-Factor Authentication feature switch is enabled and allows for the management of Employee's Multi-Factor Authentication settings.
Tier Availability: All Tiers
Security Rights Required: Add/Edit Employee, Maintenance, Security Management
Multi-Factor Authentication is a feature that must be enabled in order to access the MFA features in Security Management and Workflow.
Turning MFA on for Employees
- From the Application Menu, click Maintenance > Preferences > Security Management.
- Click on the Multi-Factor Authentication tab.
- Select 1 or more Employees and click Edit.
- Set MFA Status to Enforced to require Employees to verify themselves with a code delivered to them by your choice of Email or Text. Set to Disabled to let Employee log in without verifying themselves.
- Set Reset MFA Settings to Yes to wipe selected Employees' MFA Settings and require them to verify themselves at next login if their MFA Status is Enforced.
Setting Available MFA Options
When an Employee logs in and MFA Status is Enforced, they will be able to select how they want to receive their 6-digit code from a list of delivery methods that you allow for your firm. You can allow Email, Text, or both.
- From the Application Menu, click Maintenance > Preferences > PensionPro.
- Select the Data Security Preference Type.
- Click Edit and select the Available MFA Options you will let Employees use.
When you change the Available MFA Options, Employees that have MFA Status Enforced will be required to verify themselves at next login.
Employee's Preferred MFA Option
When an Employee is going through the MFA process for the first time at log in, their first selection becomes their default Preferred MFA Option. When the Employee logs in, they will see their Preferred MFA Option at the top of the list at the log in screen. An Employee can change their Preferred MFA Option in Employee Details > Account.
Note: Employee email address is a required field. Users can not remove an employee's email address.
After submission of a successful verification code, the system will remember an Employee's machine and IP address for 60 days. An Employee will not be prompted to provide a new verification code unless:
- 60 days have elapsed since last verification code was submitted for that machine and IP address
- The user is logging into PensionPro from a different IP address
- The System Administrator Reset MFA Settings in Security Management
- The System Administrator changes Available MFA Options in Data Security Preferences
- The Employee changes their Preferred MFA Option in Account
Note: This code is remembered by the machine and IP address combination. Each unique combination will be saved for 60 days. If a new machine and IP address are being used, the user will be required to reauthenticate.
An Employee using Text can change their phone number by pressing the Change button. This will wipe the current phone number if they had one on file and exit the application. The Employee can set up their new number the next time they log in. When a phone number is changed, the user will receive an email notification notifying them of the change. When a user receives a new MFA validation code via text message, the code's expiration time will be included.
The Employee can select any of the Available MFA Options at the log in screen regardless of their Preferred MFA Option.
Due to privacy concerns, no one can see an Employee's Preferred MFA Option and Phone Number except for that Employee.
Users will receive notifications for the following actions:
- When a phone number that is used for MFA is changed
- If an employee's email address has changed, an email notification of the change will be sent to the employee's old and new email address
- When a user is authenticated through MFA
- When a new MFA code is used to access an account
Fetch Multi-Factor Authentication
If the MFA Preference is enabled, users will be required to authenticate when logging into Fetch from a browser window. Authentication will not be required when accessing Fetch though PensionPro.
Users have the ability to show or hide password inputs when logging into Fetch.