User based 'Multi Factor Authentication'
MFA – Multi Factor Authentication
Multi-factor authentication is an electronic authentication method in which users are granted access to printIQ after successfully entering their authentication code from an authentication application on their device.
MFA can be configured to be optional or mandatory.
When enabled, it always applies to Staff type users.
Customer and Supplier users can be forced to authenticate.
Multi-Factor Authentication can be enabled in printIQ with the following settings located under Admin -> Customise -> Settings -> Global:
It can be controlled with the following settings:
The Required By Date setting can be set in the future, the past or left blank. It can be set for the entire site, or individually for internal, customer and/or supplier users.
When set on a Customer record, all users associated with that customer will be required to configure and use MFA.
When set in the future, users logging on will have the option to secure their login or do it later which will allow users to set up the MFA in their own time before the specified date.
Each time the user logs in, they will be reminded to configure MFA or be reminded later:
When the date is set in the past, there is no ‘Remind me later’ option and the user must complete the MFA configuration in order to access the system.
When there is no date set, the use of MFA is optional, and it is left to the user to configure if they wish. This is done through the ‘Update my Profile’ modal under the username. MFA will only appear if it has been enabled. Clicking ‘Change’ will take the user to the MFA Setup screen (see below):
The following setting controls whether the MFA is to be applied to Staff users only or to include Customers and Suppliers too:
MFA Cookie Expiry Days depicts the frequency with which the user must enter their MFA generated code. Blank or zero means that the user will need to enter their MFA code every time they log in.
The last two settings relating to MFA controls which authenticator app is recommended:
The options are Google Authenticator, Microsoft Authenticator and Authy:
The last setting controls whether the three authenticator apps are presented to the user.
- When disabled, only the Recommended Multi Factor Authenticator App is presented with a QR code to assist installation.
- When enabled, all three apps are presented with QR Codes.
User Configuration of MFA on their Account
The MFA Configuration screen is a one-time process and is broken into 3 parts.
Part 1 - Install
The screen opens with the default Recommended MFA App as set above. If Show MFA Apps is enabled, the other 2 apps are also listed on screen:
The user simply scans the relevant QR Code to install the application if it is not already installed on their device.
Part 2 – Link Account
Once the Authenticator app is installed, the user opens the app and adds a new account. They will have the option to either scan the QR Code or manually enter the account name and secret:
Select ‘Other Account (Google, Facebook, etc)’.
Scan the QR code on screen or select to setup manually.
Once setup, the one-time passcode will show for that user:
The small number next to the password code is a countdown timer showing how long the password code is valid for. When this counter reaches zero, a new password code is generated.
Part 3 – Enter Code
Enter the code from the authenticator app and click Enable to finish configuring MFA:
When the entered code is verified, a success message is displayed:
The user will remain authenticated for as many days as set in the Authentication Cookie Expiry Days setting.
After, the user logs in as usual:
If the authenticator token has expired, they will need to open the authenticator app on their device and enter the code presented:
Clicking on 'Submit' before the code expires on the app will grant the user access to printIQ.
Behind the Scenes
When MFA is enabled and no date is set (not ‘enforced’), if the user has not opted to configure MFA, it displays in orange as ‘Not Set’:
If the Required Date setting is set in the future, it still displays in orange and shows the required date:
If the required date is in the past, it will show in red as overdue:
When MFA has been configured by the user, it will display in green as authenticated:
When a user is authenticated with MFA, there is the option to regenerate the secret or remove the authentication altogether; both of which will require the user to reconfigure MFA again.
A warning is presented before either action is performed:
Related Articles
Multi Site setup
To print or download this document click here Multi Site Setup You must have a master ‘FACTORY” and create the ‘sites’ required as additional sites. Upload all customers to these additional ‘sites’. MASTER is for pricing access only: USER ...Create User
This is where you enter the details of any ‘user’ you wish to add into printIQ. All this is managed under Users>Create User at the top of the screen. To create a new user, click ‘Create User’ and the following box will appear: Compulsory ...Options for quoting multi part jobs
Often a single quote/job will contain multiple items of different sizes on the same stock and printing process. In this case, estimators often want to price this like a ‘campaign/gang’ based concept where the intention is to produce the job imposed ...Production Printing - while creating Multiple-Deliveries and Multiple Invoices
Multi-Print Strategy IQ gives you the ability to print multiple items on a sheet, or within a print job. For instance, you might be printing posters for multiple store locations. You can print them at once, sometimes multiple up on a sheet saving ...User Positions
User Positions, Roles and Details Setup & Admin This article describes the tools available for managing user accesses. It covers User Positions, User Details and User Roles. There are three user types – Staff, Customer and Supplier: Customer users ...