The Multi-Factor Authentication capability for PlanSponsorLink is an optional added layer of authentication security for users of PlanSponsorLink. For the purpose of this article, users of PlanSponsorLink will be referred to as "plan sponsors."
Add-On Availability: PlanSponsorLink
Security Rights Required: Maintenance, PSL MFA Security
Article Contents
- Turning MFA on for Plan Sponsors
- Setting Available MFA Options
- Logging Into PlanSponsorLink with MFA Enabled
- Resetting a Plan Sponsor's MFA Settings
- What Triggers the MFA Prompt?
Note: Enabling MFA for PlanSponsorLink is done globally. That means users cannot pick and choose for which plan sponsors MFA is enabled.
Turning MFA on for Plan Sponsors
- Navigate to PlanSponsorLink Preferences.
- For navigation instructions specific to each PensionPro tier, refer to the Accessing PSL Preferences section of the article PlanSponsorLink Preferences.
- Select the PlanSponsorLink or Preferences view from the list on the left.
- Click the Edit icon in the Multi-Factor Authentication row.
- In the Value dropdown menu, select Yes.
- Click Save.
Once the Multi-Factor Authentication preference is set to 'Yes,' an additional preference, MFA Type, displays in the PlanSponsorLink preferences grid.
Setting Available MFA Options
Once MFA is enabled, select the delivery method for the plan sponsor's authentication code. You can allow Email, Text, or both.
- Navigate to PlanSponsorLink Preferences.
- For navigation instructions specific to each PensionPro tier, refer to the Accessing PSL Preferences section of the article PlanSponsorLink Preferences.
- Select the PlanSponsorLink or Preferences view from the list on the left.
- Click the Edit icon in the MFA Type row.
- In the Value dropdown menu, select the preferred option.
- Click Save.
If there is a change made to the MFA Type preference, plan sponsors will be required to verify themselves at next login.
Logging Into PlanSponsorLink with MFA Enabled
When a plan sponsor logs into PlanSponsorLink while the Multi-Factor Authentication preference is set to 'Yes,' the MFA type set in PensionPro will be presented on the login screen. If both Text and Email were selected for the MFA Type preference, the plan sponsor will be able to select how they want to receive their 6-digit code.
Note: The email address associated with the MFA is the one in the plan sponsor's contact record.
Resetting a Plan Sponsor's MFA Settings
In the event that a Plan Sponsor would like to change their preferred MFA method, or needs to update the phone number they are using for MFA, their MFA settings can be reset. To do so:
- Navigate to the Contact tab > General view for the Plan Sponsor in question.
- Select More > Reset MFA.
When the Plan Sponsor attempts to log in again after MFA is reset, they will receive the initial MFA prompt asking them to select their preferred method, as though they were using it for the first time.
What Triggers the MFA Prompt?
After submission of a successful verification code, the system will remember a plan sponsor's machine and IP address for 60 days. A plan sponsor will be prompted to provide a new verification code if:
- 60 days have elapsed since the last verification code was submitted for that machine and IP address
- The user is logging into PensionPro from a different IP address
- The Multi-Factor Authentication preference is updated in PlanSponsorLink preferences
- The MFA Type preference is updated in PlanSponsorLink preferences
Note: The code is remembered for each machine and IP address combination. Each unique combination will be saved for 60 days. If a new machine and IP address are being used, the user will be required to re-authenticate.
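The prompt rules above, modeled as an added Python example (not PensionPro code) so an administrator can predict when a plan sponsor will be asked for a code. The class and method names, the machine identifier, and the sample addresses are assumptions made for illustration; only the 60-day window and the triggers come from this article.

```python
from datetime import datetime, timedelta

REMEMBER_FOR = timedelta(days=60)  # retention window stated in the article


class RememberedLogins:
    """Illustrative model only; names and storage are assumptions."""

    def __init__(self):
        # (sponsor, machine_id, ip) -> time of last successful code submission
        self._verified = {}
        # Last time the MFA or MFA Type preference changed (a global setting)
        self._prefs_changed_at = datetime.min

    def record_verification(self, sponsor, machine_id, ip, now):
        self._verified[(sponsor, machine_id, ip)] = now

    def preference_updated(self, now):
        self._prefs_changed_at = now

    def prompt_reason(self, sponsor, machine_id, ip, now):
        """Return why a code is required, or None if the login is remembered."""
        verified_at = self._verified.get((sponsor, machine_id, ip))
        if verified_at is None:
            return "new machine/IP combination"
        if verified_at <= self._prefs_changed_at:
            return "MFA preference updated"
        if now - verified_at >= REMEMBER_FOR:
            return "60 days elapsed"
        return None


def demo():
    """Walk one constructed plan sponsor through each trigger."""
    t0 = datetime(2024, 1, 1, 9, 0)
    day = timedelta(days=1)
    home, other = "203.0.113.10", "198.51.100.7"  # constructed sample IPs
    store = RememberedLogins()
    store.record_verification("sponsor-a", "laptop-1", home, t0)
    results = [
        store.prompt_reason("sponsor-a", "laptop-1", home, t0 + 59 * day),
        store.prompt_reason("sponsor-a", "laptop-1", other, t0 + 1 * day),
        store.prompt_reason("sponsor-a", "laptop-1", home, t0 + 60 * day),
    ]
    store.preference_updated(t0 + 5 * day)
    results.append(store.prompt_reason("sponsor-a", "laptop-1", home, t0 + 6 * day))
    return results
```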