Multi-Factor Authentication for Employees

Multi-Factor Authentication, or MFA, is an increasingly common feature that provides account security beyond a password alone. When enabled, a user signing in to PensionPro must also enter a 6-digit verification code that is sent to them by email or text message, or generated by an authenticator app.

This article discusses enabling MFA for Employees logging in to PensionPro. MFA can also be enabled for Plan Sponsors logging in to PlanSponsorLink; refer to the article Multi-Factor Authentication For PlanSponsorLink.

 

Tier Availability: Track, Team, Business
Signing In to PensionPro with MFA

 

  • Email, Text, and App verification methods are available (App on the Enterprise tier only).
  • The user receives a 6-digit verification code.
  • Emailed and texted codes expire 10 minutes after they are sent; app codes change every 30 seconds.
  • A successful verification is remembered for 60 days per device and IP address combination.

 

When Multi-Factor Authentication is enabled, a PensionPro user begins the sign-in process by entering their username and password as normal. If the credentials are correct, the MFA step begins: the user is asked to enter a 6-digit verification code obtained through a second channel (email, text message, or an authenticator app).

 

A user signing in with MFA for the first time will be asked what method they would like to use to receive their verification code (unless the firm's preferences only allow one method). These methods are:

 

  • Email (all tiers): The code will be sent to the email address associated with the user's PensionPro account.
  • Text (all tiers): The user will be prompted to provide a cell phone number; a code will be sent via text message to that number. The chosen phone number will then be saved and used automatically for future MFA requests.
  • App (Enterprise tier only): The user will be asked to scan a QR code with their authenticator app to connect it to PensionPro, then input the verification code given by the app. Subsequent logins will not require scanning the QR code; the verification code can be retrieved from the app. The following authenticator apps are compatible:
    • Microsoft Authenticator
    • Google Authenticator
    • Duo Mobile

 

Verification codes sent by text or email expire 10 minutes after they are sent; authenticator apps generate a new code every 30 seconds.
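
The two code lifetimes above come from two different mechanisms. The following is an added example, not PensionPro's own code: a delivered (email or text) code is a random 6-digit value that the server stores hashed, accepts once, and discards after 10 minutes, while an authenticator-app code is an RFC 6238 TOTP value recomputed every 30 seconds from a shared secret that the enrollment QR code carries. It assumes PensionPro's App method is standard TOTP (HMAC-SHA1, 6 digits, 30-second step), which is what Microsoft Authenticator, Google Authenticator and Duo Mobile all support; the DeliveredCodeStore, the 5-attempt lockout and the otpauth URI layout are illustrative assumptions, not product details.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

CODE_DIGITS = 6
DELIVERED_TTL = 10 * 60      # email/text codes expire 10 minutes after they are sent
TOTP_STEP = 30               # authenticator apps rotate the code every 30 seconds
MAX_ATTEMPTS = 5             # assumption: lock a delivered code after 5 wrong guesses


class DeliveredCodeStore:
    """Hypothetical server-side record of codes sent by email or text message.
    Only a hash of each code is kept, so reading the table does not reveal
    live codes; a code is single-use and dies 10 minutes after issue."""

    def __init__(self) -> None:
        # user -> (code hash, expiry timestamp, failed attempts)
        self._pending: dict[str, tuple[str, float, int]] = {}

    @staticmethod
    def _hash(user: str, code: str) -> str:
        return hashlib.sha256(f"{user}:{code}".encode()).hexdigest()

    def issue(self, user: str, now: float) -> str:
        """Generate a fresh zero-padded 6-digit code for `user`; return it for delivery."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = (self._hash(user, code), now + DELIVERED_TTL, 0)
        return code

    def verify(self, user: str, submitted: str, now: float) -> bool:
        """True exactly once for the right code before expiry. The record is
        dropped on success, on expiry, and after MAX_ATTEMPTS wrong guesses."""
        rec = self._pending.get(user)
        if rec is None:
            return False
        digest, expires, attempts = rec
        if now >= expires:
            del self._pending[user]      # expired: the user must request a new code
            return False
        if hmac.compare_digest(digest, self._hash(user, submitted)):
            del self._pending[user]      # single use
            return True
        attempts += 1
        if attempts >= MAX_ATTEMPTS:
            del self._pending[user]      # stop online guessing of a 6-digit code
        else:
            self._pending[user] = (digest, expires, attempts)
        return False


def totp_code(base32_secret: str, at_time: float,
              step: int = TOTP_STEP, digits: int = CODE_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the value an authenticator app shows at `at_time`."""
    key = base64.b32decode(base32_secret.upper() + "=" * (-len(base32_secret) % 8))
    counter = int(at_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_totp(base32_secret: str, submitted: str, now: float, drift_steps: int = 1) -> bool:
    """Accept the current code or its neighbours (+/- one 30 s step) to tolerate clock skew."""
    return any(
        hmac.compare_digest(totp_code(base32_secret, now + k * TOTP_STEP).encode(),
                            submitted.encode())
        for k in range(-drift_steps, drift_steps + 1)
    )


def new_totp_secret() -> str:
    """Fresh 160-bit shared secret, base32-encoded for the enrollment QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")


def enrollment_uri(base32_secret: str, account: str, issuer: str = "PensionPro") -> str:
    """The otpauth:// Key URI an enrollment QR code encodes (the format the listed apps scan)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={base32_secret}&issuer={quote(issuer)}"
            f"&digits={CODE_DIGITS}&period={TOTP_STEP}")
```

The practical difference for a user is visible in `verify_totp`: an app code that was valid 30 seconds ago is still accepted for one more step, but a code two steps old is not, whereas a delivered code stays valid for the full 10 minutes but only until it is used once or guessed at too often.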

 

Once the user enters a valid verification code, they are signed in to PensionPro. The verification is remembered for 60 days unless one of the events listed in the section Actions Triggering Employee MFA Re-Verification occurs first.

 

The method the user chooses is saved as their Preferred MFA Option. If the firm allows more than one method, an Employee who can still sign in can change it themselves, as described in the section Individual Employee MFA Preferences; if the Employee cannot access their account, an administrator can clear the saved choice as described in the section Resetting an Employee's MFA Settings.

 


 

Enabling MFA for Employees

 

Requires Security Rights: Maintenance, Security Management

 

Multi-Factor Authentication is enabled on an Employee-by-Employee basis: the firm decides which Employee accounts require MFA.

 

  1. From the Navigation Panel, select Maintenance > Preferences > Security Management.
  2. Select the Multi-Factor Authentication view.
  3. Click to select a single Employee record, or Ctrl-click to select multiple records.
  4. Select More > Edit.
  5. Set the MFA Status dropdown to Enforced to turn on MFA for the selected Employees.
    • Setting MFA Status to Disabled allows the selected Employees to sign in with a password only.
    • Selecting the Reset MFA Settings checkbox wipes the selected Employees' saved MFA preferences. Refer to the section Resetting an Employee's MFA Settings.
  6. Select Save.

 

Automatic MFA for New Employees

 

PensionPro can optionally enable MFA for all newly-created Employee accounts, eliminating the need to perform the above steps manually for each new hire. To do so, enable the Turn MFA on by Default option found in the Data Security view of PensionPro Preferences (Maintenance > Preferences > PensionPro > General > Data Security).

 


 

Setting Allowed Employee MFA Verification Methods

 

Requires Security Rights: Maintenance

 

When enabling Multi-Factor Authentication, a firm can limit which MFA methods its Employees may use. The available settings are:

 

  • Email
  • Text
  • Email & Text
  • Authenticator App (Enterprise only)
  • Email, Text, & App (Enterprise only)

 

To set the allowed MFA method(s):

 

  1. From the Navigation Panel, select Maintenance > Preferences > PensionPro.
  2. Expand the General category from the Views list on the left, then select the Data Security view.
  3. Hover over Available MFA Options and select Edit on the right.
  4. In the Value field, select the desired MFA method(s).
  5. Select Save.

 

If this setting is later changed, every user for whom MFA is enforced must re-verify on their next sign-in.

 


 

Individual Employee MFA Preferences

 

Employees can manage their MFA preferences by selecting More > View My Account in the PensionPro header at the top-right. This opens the Employee's Account view in a new Employee tab.

 

  • Selecting Edit displays the Edit Account window; if the firm allows more than one verification method, the Preferred MFA Option can be changed from the dropdown.
    • Selecting a Preferred MFA Option does not restrict the Employee to that method. The Preferred option is highlighted automatically during a login attempt, but any allowed method can be chosen for verification at that stage.
  • If Text is an Employee's Preferred MFA Option, selecting Update Phone Number on the Account view logs the Employee out of PensionPro. On the next sign-in, they are prompted to supply a new cell phone number before MFA verification can continue.

 

For privacy and security reasons, an Employee's Preferred MFA Option and phone number are visible only to that Employee; no other user, including administrators, can view them.

 


 

Resetting an Employee's MFA Settings

 

Requires Security Rights: Maintenance, Security Management

 

If an Employee's Multi-Factor Authentication preferences need to be reset but the Employee cannot access their account, another user with the Security Management Security Right can reset them manually. This action:

 

  • Forces the Employee to re-verify using MFA upon next login (assuming their MFA Status is Enforced).
  • Allows the Employee to select their verification method, if applicable.
  • Allows the Employee to supply a new cell phone number if Text verification is chosen.

 

To reset an Employee's MFA settings:

 

  1. From the Navigation Panel, select Maintenance > Preferences > Security Management.
  2. Select the Multi-Factor Authentication view.
  3. Click to select a single Employee record, or Ctrl-click to select multiple records.
  4. Select More > Edit.
  5. Enable Reset MFA Settings.
  6. Select Save.

 


 

Actions Triggering Employee MFA Re-Verification

 

After a successful verification code is submitted, PensionPro remembers the Employee's device and IP address combination for 60 days. The Employee is not asked for a new verification code at login unless one of the following occurs:

 

  • 60 days have elapsed since a verification code was submitted for the device and IP address combination that the Employee is attempting to log in through.
  • The Employee is logging into PensionPro from a different IP address or a different device.
  • The System Administrator has selected Reset MFA Settings for the Employee in the Security Management preferences.
  • The System Administrator changes the Available MFA Options in the Data Security preferences.
  • The Employee changes their Preferred MFA Option in their Account options.

 

Note: The verification is remembered per device and IP address combination, and each unique combination is saved for 60 days. Because the IP address is part of what is remembered, an Employee whose address changes often (for example, on a mobile or home connection) will be prompted more frequently; conversely, an administrator who needs an Employee to re-verify immediately can select Reset MFA Settings rather than waiting for the 60 days to elapse.
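
The rules in this section can be read as a small policy over a registry keyed by user, device and IP address. The following is an added example, not PensionPro's own code: a hypothetical MfaRegistry that records a successful verification per (user, device id, IP address), treats an entry as trusted for 60 days, and reports which of the listed events is forcing a new code. The device identifier and the version counters used to notice a change to Available MFA Options or to a Preferred MFA Option are assumptions for illustration; how PensionPro detects those changes internally is not described on this page.

```python
from dataclasses import dataclass, field
from typing import Optional

REMEMBER_SECONDS = 60 * 24 * 3600    # a verified device + IP combination is remembered for 60 days


@dataclass
class Remembered:
    verified_at: float
    methods_version: int      # the firm's Available MFA Options when the code was accepted
    preferred_version: int    # the user's Preferred MFA Option when the code was accepted


@dataclass
class MfaRegistry:
    """Hypothetical registry keyed by (user, device id, IP address). Version
    counters stand in for however the product detects preference changes."""
    methods_version: int = 0
    preferred_version: dict[str, int] = field(default_factory=dict)
    remembered: dict[tuple[str, str, str], Remembered] = field(default_factory=dict)

    def record_verification(self, user: str, device_id: str, ip: str, now: float) -> None:
        """Called after a correct verification code: remember this combination."""
        self.remembered[(user, device_id, ip)] = Remembered(
            now, self.methods_version, self.preferred_version.get(user, 0))

    def verification_reason(self, user: str, device_id: str, ip: str, now: float) -> Optional[str]:
        """Why a login must present a new code, or None if the combination is still trusted."""
        rec = self.remembered.get((user, device_id, ip))
        if rec is None:
            return "new device or IP address (or settings were reset)"
        if now - rec.verified_at >= REMEMBER_SECONDS:
            return "60 days elapsed for this device and IP address combination"
        if rec.methods_version != self.methods_version:
            return "Available MFA Options were changed"
        if rec.preferred_version != self.preferred_version.get(user, 0):
            return "Preferred MFA Option was changed"
        return None

    def needs_verification(self, user: str, device_id: str, ip: str, now: float) -> bool:
        return self.verification_reason(user, device_id, ip, now) is not None

    # --- the events listed above ---------------------------------------------
    def admin_reset(self, user: str) -> None:
        """Reset MFA Settings: forget every remembered combination for the user."""
        for key in [k for k in self.remembered if k[0] == user]:
            del self.remembered[key]

    def change_available_methods(self) -> None:
        """Firm edits Available MFA Options: every enforced user re-verifies at next sign-in."""
        self.methods_version += 1

    def change_preferred_method(self, user: str) -> None:
        """Employee picks a different Preferred MFA Option in View My Account."""
        self.preferred_version[user] = self.preferred_version.get(user, 0) + 1

    def purge_expired(self, now: float) -> int:
        """Housekeeping: drop combinations older than 60 days; returns how many were removed."""
        stale = [k for k, r in self.remembered.items() if now - r.verified_at >= REMEMBER_SECONDS]
        for key in stale:
            del self.remembered[key]
        return len(stale)
```

Note that `admin_reset` only affects the one Employee, while `change_available_methods` invalidates every remembered combination at once, which matches the scope of the two administrative triggers listed above.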

 


 

Employee MFA Notifications

 

Employees will receive email notifications when the following events occur:

  • When an Employee account is successfully accessed via MFA.
  • When a new phone number is used to successfully authenticate an account.
  • When an Employee's email address is changed.
    • An email notification of the change will be sent to the Employee's old and new email addresses.

 


 

Employee MFA and PensionPro Fetch

 

If MFA is enforced for an Employee, they must complete MFA verification at login when Fetch is opened directly from a URL or bookmark. MFA verification is not required when Fetch is opened from PensionPro's Navigation Panel, since the Employee has already signed in to PensionPro at that point.