Multi-Factor Authentication (MFA) - Administration guide

Overview

Multi-Factor Authentication requires users to authenticate themselves via two or more means when logging in. Skills Base supports two factors of authentication for accounts that are authenticated by Skills Base:


- Password authentication

- Virtual MFA device


It is important to note that this feature and article apply only to local accounts that are authenticated by Skills Base. If your organization has Single Sign On integrated, this feature and article do not apply to accounts authenticated by your SSO Identity Provider.


Enabling MFA for an account

Users must directly enable MFA on their own account.  It is not possible for administrators, Skills Base support staff, or anyone else to enable MFA on an account other than their own account.


In order to complete the registration process, users must have a valid email address associated with their account which is not in a "bounced" state (i.e. has been flagged as "bounced" by Skills Base due to email bouncing in the past). They must also be able to receive email at this registered address.


Only users with local passwords stored in Skills Base can enable MFA. The MFA will apply to Skills Base password authentication only and will not apply to SSO authentication (if the user has the ability to log in via both means).  However, the organization can enable/enforce MFA on its own Identity Provider if it wishes, in order to enable MFA for SSO authentication.


Any user with a local password stored in Skills Base can enable MFA on their account via their "Preferences" page. On a desktop computer, a user can access their preferences page by clicking their profile icon at the top right of the screen and selecting "Preferences" from the drop down menu. On a mobile device, they can expand the menu and select "Preferences" from the profile name drop down.


Disabling MFA for an account

Administrators have the ability to disable MFA for a user account if necessary, such as when a user loses access to their virtual MFA device and cannot log in. 


Note: Before proceeding, it is crucial for security reasons to manually verify the user's identity. Cyber attackers often use impersonation techniques, so we strongly recommend confirming the user's identity via a video call before disabling MFA.


The steps for disabling MFA on a user account are:


1. Ensure you are logged in as an administrator

2. Edit the user

3. In the Multi-Factor Authentication field, click "Deregister"



Virtual MFA device

Skills Base supports Virtual MFA device-based Multi-Factor Authentication only. This means that users must have access to a smartphone, and must have an authenticator app installed such as Google Authenticator or Microsoft Authenticator. If the user doesn't have a smartphone, or cannot install or access a suitable authenticator app, they will not be able to enable MFA.


Enforcing MFA for user accounts

Administrators can choose to enforce MFA for user accounts in Skills Base. This is configured in the [Administration > Authentication] screen.  There are three options:


  • Optional - When this option is selected, MFA will not be enforced for any user; however, all users can optionally enable MFA for their account via the method described in the above section. Additionally, administrators will be prompted and encouraged to enable MFA on their account upon each login until they either enable MFA or dismiss the prompt.
  • Required for administrators - When this option is selected, MFA will be enforced for administrators. As above, administrators will continue to be prompted upon login; however, they will no longer be able to dismiss the prompt and will be required to register a Virtual MFA device in order to access Skills Base. The registration process will involve validating their email address, so the user must be able to receive email at their registered address in order to complete the process.
  • Required for all users - When this option is selected, MFA will be enforced for all users. All users will be prompted to enable MFA upon login and cannot dismiss the message. As such, they will need to register a Virtual MFA device in order to access Skills Base. The registration process will involve validating their email address, so the user must be able to receive email at their registered address in order to complete the process.