Prefer a visual tour to learn more about this feature?
Click the link to check out the Employee Navigator University Two Factor Authentication course*
*You will need to be registered in our EN University to access the course. If you haven't already registered, please check out our EN University article to learn how to register.
Two factor authentication allows an agency to add an additional form of security when it comes to account access.
How does this work?
When two factor authentication (2FA) is configured for an agency, a broker user will log into Employee Navigator with their credentials as usual. Since 2FA is configured, the user will then be shown a 2FA screen to add the extra validation credentials. If the agency is using “EN Two Factor Authentication”, then on first login the user will need to register their device with an authenticator app and QR code (for example, Microsoft Authenticator). Once this is configured, on their subsequent logins they will need to enter the authenticator app’s generated code.
If the agency is using “Third Party- Duo Authentication”, then they will be routed to the Duo authentication page. Duo will give them several options to confirm their login. NOTE: A Duo account needs to be established for a user prior to logging into EN with MFA.
Before 2FA can be assigned to a user, it first needs to be configured as a setting under Agency > Users > Two Factor Authentication. Only agency users that can "Manage Users" can configure an agency's 2FA settings.
Please note that HR Users cannot turn on 2FA for their group. The broker would need to set this up for them.
Initial Setup of 2FA at the Broker Level
An agency is given four options for 2FA configuration: None (no second factor auth), EN Two Factor Authentication, Email Code Authentication and Third Party- Duo Authentication.
If "None: no second factor auth" is selected, then the agency is not using 2FA.
If “EN Two Factor Authentication” is selected, then the setup is complete. All users on the account will automatically be assigned MFA as a setting on the User Profile.
If "Email Code Authentication" is selected, upon each login, users will be emailed a code to use for authentication. To use this setting, email addresses are required for all users.
If “Third Party- Duo Authentication” is selected, then you will be prompted to enter the unique integration key, secret key, and API Endpoint. Once this is configured, the setup is complete. All users on the account will automatically be assigned 2FA as a setting on the User Profile.
NOTE: If you are using "Third Party- Duo Authentication" then you will go through a "Test" Save. This allows us to confirm that the Duo credentials that you entered are correct. When save is selected for the first time, we will run a test to see if we are able to successfully log in with the unique Duo credentials and the user's email. If it does not work on the first try, we will prompt you to enter your Duo Username. If the login works, we will save the Duo Username to the associated record. If it fails again, we will pop up a toaster that instructs the user to check their Duo configuration and confirm their username.
Initial Setup of 2FA at the Company Level
A broker is able to set up 2FA for their company's HR Users, as well as the company employees (it must be set up for HR Users before setting up for all company employees). To set up 2FA at the company level, the broker will go to Company > Settings > Employee Experience > Two-Factor Authentication.
The company is given four options for 2FA configuration: None (no second factor auth), EN Two Factor Authentication, Email Code Authentication and Third Party- Duo Authentication.
Once a 2FA type is chosen for the HR Users, the broker will also have the ability to enable this security feature on employee users, but this is not required.
EN Two Factor Authentication User
- Only users that have the permission set to "Manage Users" have the ability to turn 2FA on or off at the agency level.
- Under a user’s “Profile” there is now a check box for 2FA. If you can "Manage Users", and a user gets locked out or forgets their device, you will have the ability to disable 2FA for up to 8 hours.
Email Code Authentication
- Only users that can "Manage Users" have the ability to assign and disable 2FA.
- On each login, users will be emailed a code to use for authentication. To use this setting, email addresses are required for all users; the system will select the required fields.
Third Party- Duo Authentication
- Only users that can "Manage Users" have the ability to assign and disable 2FA.
- Under a user’s “Profile” there is now a check box for 2FA. You do NOT have the option to disable 2FA because this will be managed in Duo.
- There is now a Duo username field that is auto-populated with a user’s email. This field is editable because your Duo username might be different than your email address.
Q: I'm using EN Two Factor Authentication, what authenticator app should I use?
A: Any authenticator app can be added to your phone to successfully log into EN using 2FA. From the App store on your phone, you can download Microsoft Authenticator, Google Authenticator, etc.
Q: If we are using an authentication app such as Microsoft Authenticator, do the users need to have a phone number on record?
A: No, the user will link the Microsoft Authenticator app to their login by scanning a bar-code on their first login after it is turned on. There does not need to be a phone number in the system for this process.
Q: I already have a Duo account established. Where do I find the unique integration key, secret, and API Endpoint?
A: Log in to your Duo account (must be a Duo Admin). In the left-hand navigation, click into Applications > Protect an application.
Select "Web SDK."
Copy the Integration Key, Secret Key, and API Hostname over into your Employee Navigator settings.
Scroll down and change the name of "Web SDK" to "Employee Navigator." When push notifications are sent, Employee Navigator will appear.
Q: What happens if a registered agency user loses their device?
A: If you are using Third Party- Duo Authentication, then lost device management will be handled in Duo. If you are using EN Two Factor, then a user with the "Manage Users" permission can disable 2FA for a user for 8 hours if the device is recoverable. If not, a "Manage Users" user will have the option to "reset" 2FA for the user to register a new device.
Q: For Email Authentication, what email address is used?
A: For 2FA at the agency level, your agency email will be used. For 2FA at the HR level, the email address added on the HR user's profile will be used.
Q: For Email Authentication, does the user need to have an authentication app installed?
A: No, the user will just need to have a valid email address in the system.
Q: Will 2FA work with Login Widgets?
A: No. If 2FA is enabled and login widgets are being used, users will be stuck in a loop without ever being prompted to enter an authentication code. 2FA would either need to be disabled or users would need to log in from the Employee Navigator homepage.