Multi-Factor Authentication, or MFA, is an increasingly common feature that provides additional account security beyond passwords. When enabled, a user attempting to log in to PensionPro will need to provide a generated code that is sent to them via text message or email.
Tier Availability: All Tiers
Security Rights Required: Add/Edit Employee, Maintenance, Security Management
Table of Contents
- MFA Quick Facts
- Enabling MFA for Employees
- MFA Verification Methods
- Employee MFA Preferences
- Actions Triggering MFA Re-Verification
- MFA Notifications
- MFA and PensionPro FETCH
MFA Quick Facts
- Email and Text verification methods are available.
- The user will receive a 6-digit verification code.
- The code expires 10 minutes after it is sent.
- MFA verification is stored for 60 days.
Enabling MFA for Employees
- From the Navigation Panel, select Maintenance > Preferences > Security Management.
- Select the Multi-Factor Authentication view.
- Click to select a single Employee record, or Ctrl-click to select multiple records.
- Select More Options > Edit.
- Set the MFA Status dropdown to Enforced to require Employees to verify themselves with a code delivered to them by Email or Text.
- Setting MFA Status to Disabled will allow Employees to log in without verification.
- Selecting the Reset MFA Settings checkbox will wipe the selected Employees' MFA Settings and require verification upon their next login (assuming their MFA Status is Enforced).
- Select Save.
MFA Verification Methods
When enabling Multi-Factor Authentication for Employees, a firm has the option to select their preferred MFA method. The available options are Email, Text, or both.
- From the Navigation Panel, select Maintenance > Preferences > PensionPro.
- Expand the General category from the Views list on the left, then select the Data Security view.
- Hover over Available MFA Options and select Edit on the right.
- In the Value field, select either Email, Text, or Email and Text.
- Select Save.
If this setting is edited, any user for which MFA is enforced will be required to perform the appropriate verification steps upon their next login attempt.
Employee MFA Preferences
If the firm allows both Email and Text to be used for MFA, the Employee will be asked for their preferred method upon first login. Otherwise, the option chosen by the firm will be enforced.
- If Email is selected, a code will be sent to the email address associated with the Employee's PensionPro account.
- If Text is selected, the Employee will be prompted to provide a cell phone number; a code will be sent via text message to that number. The chosen phone number will then be saved and used automatically for future logins.
Employees can manage their MFA preferences by selecting User Profile > View My Account in the upper-right-hand corner of PensionPro. This opens the Employee's Account view in a new Employee tab.
- Selecting Edit displays the Edit Account popup window; if the firm allows both Email and Text delivery methods, the Preferred MFA Option can be changed from the dropdown.
- Selecting a Preferred MFA Option does not prevent an Employee from using both Email and Text. The Preferred option will be automatically highlighted during a login attempt, but either method can be selected for verification during this stage.
- If Text is set as an Employee's Preferred MFA Option, selecting Update Phone Number on the Account view will log the Employee out of PensionPro. Upon re-login, they will be prompted to supply a new cell phone number to continue using MFA verification.
For privacy and security reasons, no user can view an Employee's Preferred MFA Option and Phone Number except for the Employee in question.
Actions Triggering MFA Re-Verification
After submitting a successful verification code, PensionPro will remember an Employee's device and IP address for 60 days. An Employee will not be required to provide a new verification code during login unless one of the following events occurs:
- 60 days have elapsed since a verification code was submitted for the device and IP address combination that the Employee is attempting to log in through.
- The Employee is logging into PensionPro from a different IP address or a different device.
- The System Administrator has selected Reset MFA Settings for the Employee in the Security Management preferences.
- The System Administrator changes the Available MFA Options in the Data Security preferences.
- The Employee changes their Preferred MFA Option in their Account options.
Note: Verification is remembered per device and IP address combination. Each unique combination will be saved for 60 days.
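The re-verification rules above, modeled as a small decision function. This is an added illustration, not PensionPro code: the names `MfaState`, `record_verification` and `reverification_reason`, the device identifiers, IP addresses and timestamps are assumptions, and the three settings-change triggers are represented as timestamped invalidation events.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

REMEMBER_FOR = timedelta(days=60)  # documented lifetime of a stored verification

@dataclass
class MfaState:
    # (device_id, ip) -> time a code was last accepted for that combination
    remembered: dict = field(default_factory=dict)
    # (when, reason) for admin resets, firm option changes, preference changes
    invalidations: list = field(default_factory=list)

def record_verification(state, device_id, ip, when):
    """Remember a successful code entry for this device and IP combination."""
    state.remembered[(device_id, ip)] = when

def reverification_reason(state, device_id, ip, now):
    """Return why a new code is required, or None if the login may skip it."""
    verified_at = state.remembered.get((device_id, ip))
    if verified_at is None:
        return "different device or IP address"
    # Assumption: inclusive boundary; the page only says "60 days have elapsed".
    if now - verified_at >= REMEMBER_FOR:
        return "60 days elapsed"
    for when, reason in state.invalidations:
        if when >= verified_at:  # setting changed after the last accepted code
            return reason
    return None

def demo():
    """Constructed scenario: one Employee, sample devices and documentation IPs."""
    t0 = datetime(2024, 1, 1, 9, 0)
    s = MfaState()
    record_verification(s, "laptop-1", "198.51.100.7", t0)
    out = [
        reverification_reason(s, "laptop-1", "198.51.100.7", t0 + timedelta(days=59)),
        reverification_reason(s, "laptop-1", "203.0.113.9", t0 + timedelta(days=1)),
        reverification_reason(s, "phone-1", "198.51.100.7", t0 + timedelta(days=1)),
        reverification_reason(s, "laptop-1", "198.51.100.7", t0 + timedelta(days=61)),
    ]
    s.invalidations.append((t0 + timedelta(days=5), "Reset MFA Settings selected"))
    out.append(reverification_reason(s, "laptop-1", "198.51.100.7", t0 + timedelta(days=6)))
    # Verifying again after the reset restores the remembered state.
    record_verification(s, "laptop-1", "198.51.100.7", t0 + timedelta(days=6))
    out.append(reverification_reason(s, "laptop-1", "198.51.100.7", t0 + timedelta(days=7)))
    return out

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because each device and IP combination is tracked separately, an Employee who moves between networks with the same laptop is prompted again on each new address even though earlier combinations remain remembered.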
MFA Notifications
Employees will receive email notifications when the following events occur:
- When an Employee account is successfully accessed via MFA.
- When a new phone number is used to successfully authenticate an account.
- When an Employee's email address is changed. An email notification of the change will be sent to the Employee's old and new email addresses.
MFA and PensionPro FETCH
If MFA is enabled, an Employee will be required to authenticate during login if Fetch is accessed directly via URL or bookmark. However, authentication will not be required when Fetch is opened from PensionPro's Navigation Panel.