Multi-Factor Authentication (MFA) is an increasingly common feature that provides additional account security beyond passwords. When enabled, a user attempting to log in to PensionPro will need to provide a generated code that is sent to them via text message or email.
This article discusses enabling MFA for Employees logging in to PensionPro. MFA can also be enabled for Plan Sponsors logging in to PlanSponsorLink; refer to the article Multi-Factor Authentication For PlanSponsorLink.
Tier Availability: Track, Team, Business
Article Contents
- Signing In to PensionPro with MFA
- Enabling MFA for Employees
- Setting Allowed Employee MFA Verification Methods
- Individual Employee MFA Preferences
- Resetting an Employee's MFA Settings
- Actions Triggering Employee MFA Re-Verification
- Employee MFA Notifications
- Employee MFA and PensionPro Fetch
Signing In to PensionPro with MFA
- Email, Text, and App verification methods are available.
- The user will receive a 6-digit verification code.
- The code expires 10 minutes after it is sent.
- MFA verification is stored for 60 days.
When Multi-Factor Authentication is enabled, a PensionPro user will begin the sign-in process by entering their username and password as normal. If the credentials are correct, the MFA process begins, during which the user will be asked to input a 6-digit verification code they can obtain from an outside source.
A user signing in with MFA for the first time will be asked what method they would like to use to receive their verification code (unless the firm's preferences only allow one method). These methods are:
- Email (all tiers): The code will be sent to the email address associated with the user's PensionPro account.
- Text (all tiers): The user will be prompted to provide a cell phone number; a code will be sent via text message to that number. The chosen phone number will then be saved and used automatically for future MFA requests.
-
App (Enterprise tier only): The user will be asked to scan a QR code with their authenticator app to connect it to PensionPro, then input the verification code given by the app. Subsequent logins will not require scanning the QR code; the verification code can be retrieved from the app. The following authenticator apps are compatible:
- Microsoft Authenticator
- Google Authenticator
- Duo Mobile
Verification codes sent via text and email will expire after 10 minutes; authenticator apps will refresh verification codes every 30 seconds.
Once the user inputs the verification code, they will be signed in to PensionPro. The MFA verification is stored for 60 days unless one of the factors outlined in the section Actions Triggering Employee MFA Re-Verification is met.
A user is unable to change their preferred verification method after one is selected. If their preference needs to be altered at a later time, refer to the section Resetting an Employee's MFA Settings.
Enabling MFA for Employees
Requires Security Rights: Maintenance, Security Management
Multi-Factor Authentication is enabled on an Employee-by-Employee basis; in other words, firms can decide which Employee accounts will require MFA.
- From the Navigation Panel, select Maintenance > Preferences > Security Management. The corresponding tab opens.
- In the Views list on the left, select Multi-Factor Authentication.
- In the Multi-Factor Authentication grid, click to select a single Employee record, or Ctrl-click to select multiple records.
- Select More
> Edit. The corresponding window displays.
- Set MFA Status to Enforced to turn on MFA for the selected Employee(s).
- Setting MFA Status to Disabled will allow Employees to log in without verification.
- Selecting Reset MFA Settings will erase the selected Employees' saved MFA preferences. Refer to the section Resetting an Employee's MFA Settings.
- Select Save.
Automatic MFA for New Employees
PensionPro can optionally enable MFA for all newly-created Employee accounts, eliminating the need to perform the above steps manually for each new hire. To do so, enable the Turn MFA on by Default option found in the Data Security view of PensionPro Preferences.
Setting Allowed Employee MFA Verification Methods
Requires Security Rights: Maintenance
When enabling Multi-Factor Authentication, a firm has the option to limit the MFA methods that an Employee can use. The available options are:
- Text
- Email & Text
- Authenticator App (Enterprise only)
- Email, Text, & App (Enterprise only)
To set the allowed MFA method(s):
- Navigate to Maintenance > Preferences > PensionPro. The corresponding tab opens.
- In the Views list on the left, expand the General grouping, then select the Data Security view.
- Update the Available MFA Options preference to set the desired MFA method(s).
If this setting is later edited, any user for which MFA is enforced will be required to re-verify on their next sign-in attempt.
Individual Employee MFA Preferences
Users can manage their MFA preferences by selecting More > View My Account in the PensionPro header at the top-right. This opens the user's Account view in a new Employee tab.
- If the firm allows multiple MFA methods, the user's preferred method can be updated by Selecting Edit
at the top-right of the Account Information grid and setting the Preferred MFA Option as desired.
- If using Text for MFA, selecting Update Phone Number on the Account view will sign the user out of PensionPro. Upon their next sign-in, they will be prompted to supply a new cell phone number to continue using MFA verification.
For privacy and security reasons, users can only view their own Preferred MFA Option and MFA Phone Number settings.
Resetting an Employee's MFA Settings
Requires Security Rights: Maintenance, Security Management
If an Employee encounters a situation where their Multi-Factor Authentication preferences need to be reset, but the Employee is unable to access their account, another user with the Security Management Security Rights can reset the preferences manually. This action does the following:
- Forces the Employee to re-verify using MFA upon next login (assuming their MFA Status is Enforced).
- Allows the Employee to select their verification method, if applicable.
- Allows the Employee to supply a new cell phone number if Text verification is chosen.
To reset an Employee's MFA settings:
- From the Navigation Panel, select Maintenance > Preferences > Security Management. The corresponding tab opens.
- In the Views list on the left, select Multi-Factor Authentication.
- In the Multi-Factor Authentication grid, click to select a single Employee record, or Ctrl-click to select multiple records.
- Select More
> Edit. The corresponding window displays.
- Enable Reset MFA Settings.
- Select Save.
Actions Triggering Employee MFA Re-Verification
After submitting a successful verification code, PensionPro will remember an Employee's device and IP address for 60 days. An Employee will not be required to provide a new verification code during login unless one of the following events occurs:
- 60 days have elapsed since the current combination of device and IP address was verified.
- The Employee signs in to PensionPro from a different IP address or a different device.
- The System Administrator uses Reset MFA Settings for the Employee in Security Management preferences.
- The System Administrator changes the Available MFA Options in the Data Security preferences.
- The Employee changes their Preferred MFA Option in their Account settings.
Employee MFA Notifications
Employees will receive email notifications when the following events occur:
- When an Employee account is successfully accessed via MFA.
- When a new phone number is used to successfully authenticate an account.
Employee MFA and PensionPro Fetch
If MFA is enabled, an Employee will be required to authenticate during login if Fetch is accessed directly via URL or bookmark. However, authentication will not be required when Fetch is opened from PensionPro's navigation menu.