Using Multi-Factor Authentication for PlanSponsorLink (Desktop)

Follow

Looking for the Web version of this article?

 

The Multi-Factor Authentication capability for PlanSponsorLink is an optional added layer of authentication security for users of PlanSponsorLink. For the purpose of this article, users of PlanSponsorLink will be referred to as "plan sponsors."

 

Add-On Availability: PlanSponsorLink

Security Rights Required: Maintenance, PSL MFA Security

 

Multi-Factor Authentication (MFA) is a feature that can be turned on for a user's plan sponsors. 

Note: Enabling MFA for PlanSponsorLink is done globally. That means users cannot pick and choose for which plan sponsors MFA is enabled.

 

Turning MFA on for Plan Sponsors

  1. From the Application Menu, click Maintenance > Preferences > PensionPro.
  2. Select PlanSponsorLink from the Preference Type dropdown menu.
  3. Click the Edit icon in the top-right corner of the grid. The Edit Preferences slider menu displays.
  4. From the Multi-Factor Authentication dropdown menu, select Yes.
  5. Click Save.

Once the Multi-Factor Authentication preference is set to 'Yes,' an additional preference, MFA Type, displays in the PlanSponsorLink preferences grid.

 

Setting Available MFA Options 

Once MFA is enabled, the user should select the delivery method for the plan sponsor's authentication code. You can allow Email, Text, or both.

  1. From the Application Menu, click Maintenance > Preferences > PensionPro.
  2. Select PlanSponsorLink from the Preference Type dropdown menu.
  3. Click the Edit icon in the top-right corner of the grid. The Edit Preferences slider menu displays.
  4. From the MFA Type dropdown menu, select the preferred option.
  5. Click Save.

If there is a change made to the MFA Type preference, plan sponsors will be required to verify themselves at next login.

 

Logging Into PlanSponsorLink with MFA Enabled

When a plan sponsor logs into PlanSponsorLink while the Multi-Factor Authentication preference is set to 'Yes,' the MFA type set in PensionPro will be presented on the login screen. If Text and Email had been selected for the MFA Type preference, the plan sponsor will be able to select how they want to receive their 6-digit code.

Note: The email address associated with the MFA is the one in the plan sponsor's contact record.

 

What Triggers the MFA Prompt?

After submission of a successful verification code, the system will remember a plan sponsor's machine and IP address for 60 days. A plan sponsor will be prompted to provide a new verification code if:

  • 60 days have elapsed since last verification code was submitted for that machine and IP address
  • The user is logging into PlanSponsorLink from a different IP address
  • The Multi-Factor Authentication preference is updated in PlanSponsorLink preferences
  • The MFA Type preference is updated in PlanSponsorLink preferences

Note: This code is remembered by the machine and IP address combination. Each unique combination will be saved for 60 days. If a new machine and IP address are being used, the user will be required to reauthenticate.