Multi-Factor Authentication (MFA) with One-Time Password (OTP) via Email


Introduction:

This article provides information about the new Multi-Factor Authentication (MFA) feature using one-time passwords (OTPs) delivered via email. This enhanced security measure requires users to enter a unique code sent to their registered email address to gain access to the system.

Purpose:

To strengthen account security by adding an extra layer of verification beyond username and password.

Workflow:

  1. Login Attempt: User attempts to log in with their username and password.
  2. MFA Trigger: If MFA is enabled, the system generates a unique OTP.
  3. Email Delivery: The OTP is sent to the user's registered email address.
  4. Code Entry: The user is prompted to enter the OTP on the login screen.
  5. Verification: The system verifies the entered code against the generated OTP.
  6. Successful Login: If the code is valid, the user is granted access.
  7. Failed Login: If the code is invalid or not entered within the validity period, the user is denied access.

Configuration Options (System-Wide):

System administrators can configure the following MFA settings:

  • Enable MFA:
    • A global setting to enforce MFA for all users.
    • When enabled, all users will be required to enter an OTP to log in.
  • Reauthentication Period:
    • Defines the number of days after which users will be prompted to re-authenticate with a new OTP.
    • Maximum allowed value: 90 days.
    • This forces users to re-verify their identity periodically.
  • Code Validity Period:
    • Specifies the duration (in minutes) for which the emailed OTP is valid.
    • Maximum allowed value: 60 minutes.
    • After this period, the code expires, and a new one is required.
  • Number of Attempts:
    • Sets the maximum number of incorrect OTP attempts allowed before the account is locked or further action is taken.
    • Minimum allowed value: 1, maximum allowed value: 15.
    • This protects against brute-force attacks.
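
The workflow's generate and verify steps, combined with the Code Validity Period and Number of Attempts settings, look like this as an added Python example (it is not the product's own code). The `EmailOtp` and `Challenge` names, the six-digit code length, the one-minute lower bound, the hashed storage and the status strings are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

@dataclass
class Challenge:
    digest: bytes      # SHA-256 of the OTP; the plaintext code is never stored
    expires_at: float  # epoch seconds
    failures: int = 0

class EmailOtp:
    """Hypothetical verifier; limits mirror the bounds documented above."""

    def __init__(self, validity_minutes=10, max_attempts=5):
        if not 1 <= validity_minutes <= 60:   # lower bound of 1 is assumed
            raise ValueError("Code Validity Period: at most 60 minutes")
        if not 1 <= max_attempts <= 15:
            raise ValueError("Number of Attempts: between 1 and 15")
        self.validity = validity_minutes * 60
        self.max_attempts = max_attempts
        self.pending = {}  # user -> Challenge

    def issue(self, user, now=None):
        """Workflow step 2: generate the OTP that will be emailed to the user."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, six digits (assumed)
        digest = hashlib.sha256(code.encode()).digest()
        self.pending[user] = Challenge(digest, now + self.validity)
        return code

    def verify(self, user, code, now=None):
        """Workflow steps 5-7: 'ok', 'invalid', 'expired', 'locked' or 'none'."""
        now = time.time() if now is None else now
        ch = self.pending.get(user)
        if ch is None:
            return "none"
        if ch.failures >= self.max_attempts:
            return "locked"
        if now > ch.expires_at:
            del self.pending[user]
            return "expired"
        given = hashlib.sha256(code.encode()).digest()
        if hmac.compare_digest(given, ch.digest):  # constant-time comparison
            del self.pending[user]                 # code is single use
            return "ok"
        ch.failures += 1
        return "locked" if ch.failures >= self.max_attempts else "invalid"
```

In this sketch the failure counter belongs to the issued code, so a deployment would also need to limit how often a new code can be requested; otherwise each reissue resets the attempt cap.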

User-Level Bypass:
  • A new flag has been added to user profiles, allowing administrators to exempt specific users from MFA requirements.
  • This can be useful for service accounts or users with specific needs.


Important Considerations:
  • Valid Email Address: Users must have a valid and accessible email address to receive the OTP.
  • Email Delivery Issues: Check spam or junk folders if the OTP is not received promptly. Contact your system administrator if email delivery issues persist.
  • Security Best Practices: Do not share your OTP with anyone.
  • Account Lockout: Be aware of the number of allowed attempts to avoid account lockout.
  • Reauthentication: Understand the reauthentication period and be prepared to re-verify your identity when prompted.