The Multi-Factor Authentication functionality for PlanSponsorLink provides an optional layer of account security, requiring PSL users to enter a one-time code sent via email or text in order to access the application. This article discusses the details of MFA on PlanSponsorLink and how to enable this feature.
Article Contents
- Enabling MFA for Plan Sponsors
- Signing In to PlanSponsorLink with MFA Enabled
- Resetting a Plan Sponsor's MFA Settings
- What Triggers the MFA Prompt on PSL?
Enabling MFA for Plan Sponsors
Requires Security Rights: Maintenance, PSL MFA Security
Unlike MFA for Employees, the firm's Multi-Factor Authentication policy for PlanSponsorLink is enabled or disabled globally for all Contacts, with no exceptions. To enable MFA for PSL:
- Navigate to Maintenance > Preferences > PlanSponsorLink Subdomains. The corresponding grid opens in a new tab.
- Double-click a subdomain in the grid to open it at the Preferences view.
- Set the Multi-Factor Authentication preference to Yes.
Once Multi-Factor Authentication is enabled, the MFA Type preference is made available. This allows the firm to decide how PSL users can receive their one-time code.
| The code is sent to the email on the user's Contact tab. | |
| Text | The code is sent via text message to a phone number of the user's choosing. |
| Email and Text | The user can choose which of the above methods they prefer to use. |
Signing In to PlanSponsorLink with MFA Enabled
After entering a correct username and password, a PSL user may be asked to verify their identity by entering a 6-digit code sent to either their email or phone, depending on preference. Entering the correct code allows access to PlanSponsorLink.
If this is the user's first time signing in to PSL and the MFA Type preference is set to Text, they will first be asked to provide the phone number they would like to use to receive the one-time code. If the MFA Type is set to Email and Text, they will be asked which method they would prefer to use, and then enter their phone number if applicable. In either case, if the Contact needs to make a change to their MFA choices, their settings will need to be reset; refer to the next section, Resetting a Plan Sponsor's MFA Settings, for details.
Resetting a Plan Sponsor's MFA Settings
In the event that a Plan Sponsor would like to change their preferred MFA method, or needs to update the phone number they are using for MFA, their settings can be reset. To do so:
- Open the user's Contact record in a new tab. Ensure the General view is active.
- At the top-right of the General Information grid, select More
> Reset MFA.
When the Plan Sponsor attempts to log in again after MFA is reset, they will receive the initial MFA prompt asking them to select their preferred method, as though they were using it for the first time.
What Triggers the MFA Prompt on PSL?
After a user signs in to PSL with Multi-Factor Authentication, PlanSponsorLink will record details of this success, allowing the user to skip the MFA challenge on subsequent occasions. Re-verification will be required if any of the following events occur:
- 60 days have elapsed since the user's last successful verification
- The user attempts to access PSL from a different device or IP address
- The user's MFA settings are reset
- The Multi-Factor Authentication preference is updated in PlanSponsorLink preferences
- The MFA Type preference is updated in PlanSponsorLink preferences