Configuring two-factor authentication (2FA or MFA)
Two-factor authentication (also known as 2FA or MFA) adds an extra layer of security to your Diligent One instance by requiring users to enter a temporary access code in addition to their password. In the event that someone's Diligent One password became compromised, an attacker would remain unable to login without access to that person's 2FA authenticator app, typically requiring their mobile phone.
Permissions
Only System Admins can enforce 2FA, unlock accounts, and disable 2FA.
How it works
System Admins can enforce 2FA in your Diligent One instance. Once enforced, all users of your instance will be unable to access any instance of Diligent One until they do all of the following:
- Download an authenticator app that supports time-based one time passcodes (TOTPs)
- Activate 2FA on their Diligent One account by linking it to their authenticator app
- Enter their code in Diligent One
Which 2FA authenticators we support
Diligent One's 2FA is compatible with the majority of authenticator apps that can provide a time-based on time passcode (TOTP). We have tested on the following apps and know they work, but others should work too.
- Google Authenticator
- Microsoft Authenticator
- Cisco Duo Mobile
- Okta Verify
- Auth0 Guardian
- LastPass Authenticator
What happens when people try to login incorrectly
To prevent brute-force attacks, users of 2FA-enabled instances are limited to 5 failed passwords and 3 failed authentication codes. At this point, Diligent One locks their account. A System Admin will need to unlock it for them.
If you want to use SSO and 2FA together
You can exempt users from SSO authentication. For more information, see Configuring two-factor authentication (2FA or MFA).
If your users access multiple instances
When you enable 2FA in your Diligent One instance, all users of that instance will need to use 2FA to access any instance of Diligent One, including instances that belong to other companies.
Enforcing 2FA
Follow the steps below to enable 2FA for all users in your Diligent One instance.
Preparing people for 2FA
- Most people have encountered 2FA somewhere before, but you should not assume everyone has. Since this is a global change, it's good to advise people this change is coming and what to expect.
- Consider what you want to do for edge cases. For example, should people who do not have access to a mobile device authenticate using an authenticator app on their existing machine?
- If you work for a large organization, prepare for the additional overhead of supporting people in the event that Diligent One has to lock their account.
Making the change to 2FA
- Open Launchpad.
- If your company uses more than one instance in Diligent One, make sure the appropriate instance is active.
- Select Platform Settings > Organization. If you do not see Organization as an option, the account you used to sign in does not have System Admin privileges.
- Click Update Organization.
- Click the Security Settings tab.
- Under Platform-wide two-factor authentication, check Enable.
- Click Save changes.
2FA is now enforced for any person who can access this instance of Diligent One. Next time you log in, you will need to set up 2FA for your own account, like everyone else. For now, you remain logged in.
Disabling 2FA in your instance
You can turn off the enforcement of 2FA in your instance of Diligent One.
Note
This will not automatically turn off 2FA for your users. Each person can choose to continue using 2FA or you can unregister them.
- Open Launchpad.
- If your company uses more than one instance in Diligent One, make sure the appropriate instance is active.
- Select Platform Settings > Organization. If you do not see Organization as an option, the account you used to sign in does not have System Admin privileges.
- Click Update Organization.
- Click the Security Settings tab.
- Under Platform-wide two-factor authentication, clear Enable.
- Click Save changes.
Unlocking a locked account
If someone tries to log in without success too many times, Diligent One locks their account. To restore their access, a System Admin must unlock it.
- Open Launchpad.
- If your company uses more than one instance in Diligent One, make sure the appropriate instance is active.
- Select Platform Settings > Users. If you do not see Users as an option, the account you used to sign in does not have System Admin privileges.
- Find the user who needs to be unlocked:
- Enter a name or email in the search box.
- Use the filters to restrict the list of users to a subset.
- Click on the Name, Status, or Previous sign in date columns to sort users.
- Click that user's name. The User Details panel opens.
- Click Unlock.
The locked user can log into Diligent One again.
Unregistering someone else from 2FA
If someone loses or changes their mobile device, a System Admin can unregister them from 2FA. If 2FA is enforced, next time they try to log in, Diligent One will prompt them to enroll their new device in 2FA. If 2FA is not enforced, this person will no longer need to use 2FA.
- Open Launchpad.
- If your company uses more than one instance in Diligent One, make sure the appropriate instance is active.
- Select Platform Settings > Users. If you do not see Users as an option, the account you used to sign in does not have System Admin privileges.
- Find the user who needs to be unlocked:
- Enter a name or email in the search box.
- Use the filters to restrict the list of users to a subset.
- Click on the Name, Status, or Previous sign in date columns to sort users.
- Click that user's name. The User Details panel opens.
- Click Unregister 2FA.
That user is now unregistered from 2FA.
Note
Your authenticator app does not know whether 2FA is enabled or disabled. Each person must remove Diligent One from their authenticator app if they no longer wish for it to appear there.
Unregistering yourself from 2FA
If you loose or change your mobile device, you can unregister your mobile device from 2FA. If 2FA is enforced, next time you try to log in, Diligent One will prompt you to enroll your new device in 2FA.
- Open Launchpad.
- From the global navigation bar, select > Profile.
- Click Unregister device. A pop-up will notify you that if you unregister, you will be automatically logged out.
- Select Unregister & Log out which will log you out immediately.
- Log into Diligent One again and repeat the registration process for accessing your account.