Configuring two-factor authentication (2FA or MFA)

Two-factor authentication (also known as 2FA or MFA) adds an extra layer of security to your HighBond instance by requiring users to enter a temporary access code in addition to their password. In the event that someone's HighBond password became compromised, an attacker would remain unable to login without access to that person's 2FA authenticator app, typically requiring their mobile phone.

Permissions

Only System Admins can enforce 2FA, unlock accounts, and disable 2FA.

How it works

System Admins can enforce 2FA in your HighBond instance. Once enforced, all users of your instance will be unable to access any instance of HighBond until they do all of the following:

  • Download an authenticator app that supports time-based one time passcodes (TOTPs)
  • Activate 2FA on their HighBond account by linking it to their authenticator app
  • Enter their code in HighBond

Which 2FA authenticators we support

HighBond's 2FA is compatible with the majority of authenticator apps that can provide a time-based on time passcode (TOTP). We have tested on the following apps and know they work, but others should work too.

  • Google Authenticator
  • Microsoft Authenticator
  • Cisco Duo Mobile
  • Okta Verify
  • Auth0 Guardian
  • LastPass Authenticator

What happens when people try to login incorrectly

To prevent brute-force attacks, users of 2FA-enabled instances are limited to 5 failed passwords and 3 failed authentication codes. At this point, HighBond locks their account. A System Admin will need to unlock it for them.

You cannot use SSO and 2FA together

You cannot use two-factor authentication with single sign on. If you need to use both SSO and 2FA, you should use your SSO identify provider's own 2FA ability. If SSO is enabled, HighBond does not permit you to turn on 2FA. Likewise, if any member of your instance uses 2FA, HighBond does not permit you to turn on SSO.

If your users access multiple instances

When you enable 2FA in your HighBond instance, all users of that instance will need to use 2FA to access any instance of HighBond, including instances that belong to other companies.

Enforcing 2FA

Follow the steps below to enable 2FA for all users in your HighBond instance.

Preparing people for 2FA

  • Most people have encountered 2FA somewhere before, but you should not assume everyone has. Since this is a global change, it's good to advise people this change is coming and what to expect.
  • Consider what you want to do for edge cases. For example, should people who do not have access to a mobile device authenticate using an authenticator app on their existing machine?
  • If you work for a large organization, prepare for the additional overhead of supporting people in the event that HighBond has to lock their account.

Making the change to 2FA

  1. Open Launchpad.
  2. If your company uses more than one instance in HighBond, make sure the appropriate instance is active.
  3. Select Options > Organization. If you do not see Organization as an option, the account you used to sign in does not have System Admin privileges.
  4. Click Update Organization.
  5. Click the Security Settings tab.
  6. Under Platform-wide two-factor authentication, check Enable.
  7. Click Save changes.

2FA is now enforced for any person who can access this instance of HighBond. Next time you log in, you will need to set up 2FA for your own account, like everyone else. For now, you remain logged in.

Disabling 2FA in your instance

You can turn off the enforcement of 2FA in your instance of HighBond.

Note

This will not automatically turn off 2FA for your users. Each person can choose to continue using 2FA or you can unregister them.

  1. Open Launchpad.
  2. If your company uses more than one instance in HighBond, make sure the appropriate instance is active.
  3. Select Options > Organization. If you do not see Organization as an option, the account you used to sign in does not have System Admin privileges.
  4. Click Update Organization.
  5. Click the Security Settings tab.
  6. Under Platform-wide two-factor authentication, clear Enable.
  7. Click Save changes.

Unlocking a locked account

If someone tries to log in without success too many times, HighBond locks their account. To restore their access, a System Admin must unlock it.

  1. Open Launchpad.
  2. If your company uses more than one instance in HighBond, make sure the appropriate instance is active.
  3. Select Options > Users. If you do not see Users as an option, the account you used to sign in does not have System Admin privileges.
  4. Find the user who needs to be unlocked:
    • Enter a name or email in the search box.
    • Use the filters to restrict the list of users to a subset.
    • Click on the Name, Status, or Previous sign in date columns to sort users.
  5. Click that user's name. The User Details panel opens.
  6. Click Unlock.

The locked user can log into HighBond again.

Unregistering someone else from 2FA

If someone loses or changes their mobile device, a System Admin can unregister them from 2FA. If 2FA is enforced, next time they try to log in, HighBond will prompt them to enroll their new device in 2FA. If 2FA is not enforced, this person will no longer need to use 2FA.

  1. Open Launchpad.
  2. If your company uses more than one instance in HighBond, make sure the appropriate instance is active.
  3. Select Options > Users. If you do not see Users as an option, the account you used to sign in does not have System Admin privileges.
  4. Find the user who needs to be unlocked:
    • Enter a name or email in the search box.
    • Use the filters to restrict the list of users to a subset.
    • Click on the Name, Status, or Previous sign in date columns to sort users.
  5. Click that user's name. The User Details panel opens.
  6. Click Unregister 2FA.

That user is now unregistered from 2FA.

Note

Your authenticator app does not know whether 2FA is enabled or disabled. Each person must remove HighBond from their authenticator app if they no longer wish for it to appear there.

Unregistering yourself from 2FA

If you loose or change your mobile device, you can unregister your mobile device from 2FA. If 2FA is enforced, next time you try to log in, HighBond will prompt you to enroll your new device in 2FA.

  1. Open Launchpad.
  2. From the global navigation bar, select  > My Profile.
  3. Click Unregister device. A pop-up will notify you that if you unregister, you will be automatically logged out.
  4. Select Unregister & Log out which will log you out immediately.
  5. Log into HighBond again and repeat the registration process for accessing your account.