Enabling multifactor authentication

Introduction

IMPORTANT   As an enhanced mandatory security measure, BMS has enforced multi-factor authentication (MFA) for all users. As you might know, MFA is an industry-standard two-pronged security measure that protects your identity, profile, and data. You cannot disable MFA from your tenant.

You can use any authenticator product, such as Passly, Google Authenticator, or Duo. You can also use your organization's IdP to provide this extra layer of security.

MFA exclusion for Client Portal user

As an exception to the above rule, Client Portal users are excluded from mandatory MFA. For more information, see Disabling MFA for a Client Portal user towards the end of this article.

Prerequisites

  • An active employee or contact in the system
  • An authenticator application on your mobile device

Setup

Existing SSO users:

If the user already signs in through SSO, they still have to log in to their profile and enable MFA. This is a one-time setup for SSO users; MFA will not be requested on subsequent logins.
  • SSO Provider interface > BMS App > My Settings > Enable MFA > Log out of BMS
  • SSO Provider interface > BMS App > Loads BMS profile using SAML

Authentication will show MFA enabled, and the user authentication type under HR for this user will be SAML SSO.

As an end user:

    1. Open the "My Settings" page and enable MFA.
    2. Once MFA is enabled for an account, you will have to set up your mobile device to generate a code during your next login.
      • Scan the QR code shown on your screen.
      • Generate a code, enter it in the "Verify MFA Code" box, and click Enable.

If your app doesn't support a code scanner, you can also use the following steps to configure the code manually.

    1. Click "Show secret Key for manual configuration".
    2. On your device, add a new setup key and use the secret token from BMS.

Once MFA is enabled, you will also see an option to generate an MFA recovery token. Click the link and save the code somewhere secure. You will need it if you have to reset your MFA yourself.
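The manual-configuration steps above and the recovery token both rely on standard mechanisms: the authenticator app derives a time-based one-time code (TOTP, RFC 6238) from the shared secret key, and the recovery token is accepted exactly once. The following is an added illustration of how such a verifier works in general, not BMS's own code; the secret, window and token format are assumptions for the example.

```python
"""Illustrative TOTP verifier plus single-use recovery tokens (constructed example)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at=None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step (what the app shows)."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step)


def verify_totp(secret_b32: str, submitted: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift), compared in constant time."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), submitted)
               for d in range(-skew, skew + 1))


class RecoveryTokens:
    """Single-use recovery tokens: only a hash is stored, and a token is invalidated on first use."""

    def __init__(self):
        self._hashes = set()

    def issue(self) -> str:
        token = secrets.token_hex(16)  # assumed format; the user saves this somewhere secure
        self._hashes.add(hashlib.sha256(token.encode()).hexdigest())
        return token

    def redeem(self, token: str) -> bool:
        digest = hashlib.sha256(token.encode()).hexdigest()
        if digest in self._hashes:
            self._hashes.discard(digest)  # expires after the first use, as described above
            return True
        return False
```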


NOTE  On your next login, you will be prompted for your username, password, and the one-time authentication code (OTP) generated by your authenticator application. A change in authentication type requires users to refresh their logged-in session.

Lockout recovery

If you do not have access to your mobile device to generate a code, you can either use the recovery token or reset your MFA.

  • Retrieve the recovery token that you saved securely from the 'My Settings' page during the MFA setup.
  • Enter it into the MFA Code field when you log in. This code expires after the first use. You will need to generate a new recovery code and store it in a secure place for future use.


Resetting MFA

  • If a user does not have access to their recovery token, they can reach out to someone with an Administrator role in the system and have them reset MFA for their user.
  • Administrators can reset MFA for their users by navigating to Admin > HR > Employees if the user is an employee, or to Contacts > CRM > Contact > Client portal access for a Client Portal user. Select Reset MFA. The user will be asked to set up MFA again on their next login.
  • A sole administrator who is locked out can have their MFA reset by creating a support ticket with our BMS Support Team.


Disabling MFA for a Client Portal user

  1. Go to CRM > Contacts > Batch Action.
  2. Select the contact for which MFA for the client portal needs to be disabled.
  3. Click Next > Update.
  4. Click Yes next to the Disable MFA field.
  5. Click Confirm.
