Multi-Factor Authentication, or MFA, is an increasingly common feature that provides additional account security beyond passwords. When enabled, a user attempting to log in to PensionPro will need to provide a generated code that is sent to them via text message or email.
This article discusses enabling MFA for Employees logging in to PensionPro. MFA can also be enabled for Plan Sponsors logging in to PlanSponsorLink; refer to the article Multi-Factor Authentication For PlanSponsorLink.
Tier Availability: Track, Team, Business
Security Rights Required: Add/Edit Employee, Maintenance, Security Management
Article Contents
- MFA Quick Facts
- Enabling MFA for Employees
- MFA Verification Methods
- Employee MFA Preferences
- Actions Triggering MFA Re-Verification
- MFA Notifications
- MFA and PensionPro Fetch
MFA Quick Facts
- Email and Text verification methods are available.
- The user will receive a 6-digit verification code.
- The code expires 10 minutes after it is sent.
- MFA verification is stored for 60 days.
Enabling MFA for Employees
- From the Navigation Panel, select Maintenance > Preferences > Security Management.
- Select the Multi-Factor Authentication view.
- Click to select a single Employee record, or Ctrl-click to select multiple records.
- Select More > Edit.
- Set the MFA Status dropdown to Enforced to require Employees to verify themselves with a code delivered to them by Email or Text.
- Setting MFA Status to Disabled will allow Employees log in without verification.
- Selecting the Reset MFA Settings checkbox will wipe the selected Employees' MFA Settings. See Resetting an Employee's MFA Settings, below.
- Select Save.
MFA Verification Methods
When enabling Multi-Factor Authentication for Employees, a firm has the option to select their preferred MFA method. The available options are Email, Text, or both.
- From the Navigation Panel, select Maintenance > Preferences > PensionPro.
- Expand the General category from the Views list on the left, then select the Data Security view.
- Hover over Available MFA Options and select Edit on the right.
- In the Value field, select either Email, Text, or Email and Text.
- Select Save.
If this setting is edited, any user for which MFA is enforced will be required to perform the appropriate verification steps upon their next login attempt.
Employee MFA Preferences
If the firm allows both Email and Text to be used for MFA, the Employee will be asked for their preferred method upon first login. Otherwise, the option chosen by the firm will be enforced.
- If Email is selected, a code will be sent to the email address associated with the Employee's PensionPro account.
- If Text is selected, the Employee will be prompted to provide a cell phone number; a code will be sent via text message to that number. The chosen phone number will then be saved and used automatically for future logins.
Employees can manage their MFA preferences by selecting More > View My Account in the PensionPro header at the top-right. This opens the Employee's Account view in a new Employee tab.
- Selecting Edit displays the Edit Account popup window; if the firm allows both Email and Text delivery methods, the Preferred MFA Option can be changed from the dropdown.
- Selecting a Preferred MFA Option does not prevent an Employee from using both Email and Text. The Preferred option will be automatically highlighted during a login attempt, but either method can be selected for verification during this stage.
- If Text is set as an Employee's Preferred MFA Option, selecting Update Phone Number on the Account view will log the Employee out of PensionPro. Upon re-login, they will be prompted to supply a new cell phone number to continue using MFA verification.
For privacy and security reasons, no user can view an Employee's Preferred MFA Option and Phone Number except for the Employee in question.
Resetting an Employee's MFA Settings
If an Employee encounters a situation where their Multi-Factor Authentication preferences need to be reset, but the Employee is unable to access their account, another user with the Security Management Security Rights can reset the preferences manually. This action does the following:
- Forces the Employee to re-verify using MFA upon next login (assuming their MFA Status is Enforced).
- Allows the Employee to select Email or Text verification, if applicable.
- Allows the Employee to supply a new cell phone number if Text verification is chosen.
To reset an Employee's MFA settings:
- From the Navigation Panel, select Maintenance > Preferences > Security Management.
- Select the Multi-Factor Authentication view.
- Click to select a single Employee record, or Ctrl-click to select multiple records.
- Select More > Edit.
- Enable Reset MFA Settings.
- Select Save.
Actions Triggering MFA Re-Verification
After submitting a successful verification code, PensionPro will remember an Employee's device and IP address for 60 days. An Employee will not be required to provide a new verification code during login unless one of the following events occurs:
- 60 days have elapsed since a verification code was submitted for the device and IP address combination that the Employee is attempting to log in through.
- The Employee is logging into PensionPro from a different IP address or a different device.
- The System Administrator has selected Reset MFA Settings for the Employee in the Security Management preferences.
- The System Administrator changes the Available MFA Options in the Data Security preferences.
- The Employee changes their Preferred MFA Option in their Account options.
MFA Notifications
Employees will receive email notifications when the following events occur:
- When an Employee account is successfully accessed via MFA.
- When a new phone number is used to successfully authenticate an account.
- When an employee's email address is changed.
- An email notification of the change will be sent to the Employee's old and new email addresses.
MFA and PensionPro Fetch
If MFA is enabled, an Employee will be required to authenticate during login if Fetch is accessed directly via URL or bookmark. However, authentication will not be required when Fetch is opened from PensionPro's Navigation Panel.