Configuring two-factor authentication (2FA or MFA)

Two-factor authentication (also known as 2FA or MFA) adds an extra layer of security to your Diligent One instance by requiring users to enter a temporary access code in addition to their password. In the event that someone's Diligent One password became compromised, an attacker would remain unable to login without access to that person's 2FA authenticator app, typically requiring their mobile phone.

Permissions

Only System Admins can enforce 2FA, unlock accounts, and disable 2FA.

How it works

System Admins can enforce 2FA in your Diligent One instance. Once enforced, all users of your instance will be unable to access any instance of Diligent One until they do all of the following:

Download an authenticator app that supports time-based one time passcodes (TOTPs)
Activate 2FA on their Diligent One account by linking it to their authenticator app
Enter their code in Diligent One

Which 2FA authenticators we support

Diligent One's 2FA is compatible with the majority of authenticator apps that can provide a time-based on time passcode (TOTP). We have tested on the following apps and know they work, but others should work too.

Google Authenticator
Microsoft Authenticator
Cisco Duo Mobile
Okta Verify
Auth0 Guardian
LastPass Authenticator

What happens when people try to login incorrectly

To prevent brute-force attacks, users of 2FA-enabled instances are limited to 5 failed passwords and 3 failed authentication codes. At this point, Diligent One locks their account. A System Admin will need to unlock it for them.

You cannot use SSO and 2FA together

You cannot use two-factor authentication with single sign on. If you need to use both SSO and 2FA, you should use your SSO identify provider's own 2FA ability. If SSO is enabled, Diligent One does not permit you to turn on 2FA. Likewise, if any member of your instance uses 2FA, Diligent One does not permit you to turn on SSO.

If your users access multiple instances

When you enable 2FA in your Diligent One instance, all users of that instance will need to use 2FA to access any instance of Diligent One, including instances that belong to other companies.

Enforcing 2FA

Follow the steps below to enable 2FA for all users in your Diligent One instance.

Preparing people for 2FA

Most people have encountered 2FA somewhere before, but you should not assume everyone has. Since this is a global change, it's good to advise people this change is coming and what to expect.
Consider what you want to do for edge cases. For example, should people who do not have access to a mobile device authenticate using an authenticator app on their existing machine?
If you work for a large organization, prepare for the additional overhead of supporting people in the event that Diligent One has to lock their account.

Making the change to 2FA

Open Launchpad.
If your company uses more than one instance in Diligent One, make sure the appropriate instance is active.
Select Platform Settings > Organization. If you do not see Organization as an option, the account you used to sign in does not have System Admin privileges.
Click Update Organization.
Click the Security Settings tab.
Under Platform-wide two-factor authentication, check Enable.
Click Save changes.

2FA is now enforced for any person who can access this instance of Diligent One. Next time you log in, you will need to set up 2FA for your own account, like everyone else. For now, you remain logged in.

Disabling 2FA in your instance

You can turn off the enforcement of 2FA in your instance of Diligent One.

Note

This will not automatically turn off 2FA for your users. Each person can choose to continue using 2FA or you can unregister them.

Open Launchpad.
If your company uses more than one instance in Diligent One, make sure the appropriate instance is active.
Select Platform Settings > Organization. If you do not see Organization as an option, the account you used to sign in does not have System Admin privileges.
Click Update Organization.
Click the Security Settings tab.
Under Platform-wide two-factor authentication, clear Enable.
Click Save changes.

Unlocking a locked account

If someone tries to log in without success too many times, Diligent One locks their account. To restore their access, a System Admin must unlock it.

Open Launchpad.
If your company uses more than one instance in Diligent One, make sure the appropriate instance is active.
Select Platform Settings > Users. If you do not see Users as an option, the account you used to sign in does not have System Admin privileges.
Find the user who needs to be unlocked:
- Enter a name or email in the search box.
- Use the filters to restrict the list of users to a subset.
- Click on the Name, Status, or Previous sign in date columns to sort users.
Click that user's name. The User Details panel opens.
Click Unlock.

The locked user can log into Diligent One again.

Unregistering someone else from 2FA

If someone loses or changes their mobile device, a System Admin can unregister them from 2FA. If 2FA is enforced, next time they try to log in, Diligent One will prompt them to enroll their new device in 2FA. If 2FA is not enforced, this person will no longer need to use 2FA.

Open Launchpad.
If your company uses more than one instance in Diligent One, make sure the appropriate instance is active.
Select Platform Settings > Users. If you do not see Users as an option, the account you used to sign in does not have System Admin privileges.
Find the user who needs to be unlocked:
- Enter a name or email in the search box.
- Use the filters to restrict the list of users to a subset.
- Click on the Name, Status, or Previous sign in date columns to sort users.
Click that user's name. The User Details panel opens.
Click Unregister 2FA.

That user is now unregistered from 2FA.