Enabling Multi-Factor Authentication in BMS - Connect IT Community | Kaseya
<main> <article class="userContent"> <p>Introduction</p>
<p>BMS supports Multi-Factor Authentication (MFA) to strengthen login security. Administrators can enforce MFA for all users, or end users can enable it in their own profiles.</p>
<p>You can use any generic authenticator product, such as Passly, Google Authenticator, Duo, and others. You can use your organization's IDP to implement this extra security or use the service built into BMS to enforce MFA.</p>
<p>Prerequisites</p>
<ul><li>An active employee or contact in the system.</li> <li>An authenticator application on your mobile device.</li> </ul>
<p>Features</p>
<ul><li>Enforce MFA for a few or all users.</li> <li>MFA works in parallel with your current SSO and SAML IDP authentications.</li> <li>MFA enabled/disabled value columns are listed in the Employee and Contact listing pages.</li> <li>MFA can be disabled for multiple users at once using batch actions under Contacts.</li> </ul>
<p>Setup</p>
<h4 data-id="as-an-admin">As an Admin:</h4>
<ol><li>In BMS, navigate to <strong>Admin > My Company > Auth and Provision</strong>.</li> <li>Set <strong>Require MFA for non-SSO users</strong> to Yes.</li> </ol>
<h4 data-id="existing-sso-users">Existing SSO users:</h4>
<div>Enabling the <strong>Require MFA for non-SSO users</strong> option applies MFA to all login accounts. A user with an existing SSO login still has to log in to their profile and enable MFA. This is a <strong>one-time</strong> setup for SSO users. MFA will not be requested on any subsequent logins.
</div>
<ul><li>SSO Provider interface > BMS App > My profile > Enable MFA > Log out of BMS</li> <li>SSO Provider interface > BMS App > Loads BMS profile using SAML</li> </ul>
<p>Authentication will show MFA enabled, and the user authentication type under HR for this user will be SAML SSO.</p>
<h4 data-id="as-an-end-user">As an end-user:</h4>
<ol><li>Open the "My profile" page and enable MFA.</li> <li>Once MFA is enabled for an account, you will have to set up your mobile device to generate a code at your next login. <ul><li>Scan the QR code shown on your screen.</li> <li>Generate a code, enter it in the "Verify MFA Code" box, and click Enable.</li> </ul></li> </ol>
<p>If your app doesn't support a code scanner, you can also use the following steps to configure the code manually.</p>
<ol><li>Click "Show secret Key for manual configuration".</li> <li> <a name="token" id="token"></a> On your device, add a new setup key and use the secret token from BMS.<img src="https://us.v-cdn.net/6032361/uploads/migrated/Y4M354QCPEGL/mceclip2.png" alt="mceclip2.png" width="200" height="150" class="embedImage-img importedEmbed-img"></img></li> </ol>
<p>Once MFA is enabled, you will also see an option to generate an <strong>MFA recovery</strong> code. Click the link and save the code somewhere secure.</p>
<p><img src="https://us.v-cdn.net/6032361/uploads/migrated/XB622T8JD3UX/mceclip0.png" alt="mceclip0.png" class="embedImage-img importedEmbed-img"></img><img src="https://us.v-cdn.net/6032361/uploads/migrated/7ZZNWG8G46F4/mceclip1.png" alt="mceclip1.png" width="200" height="100" class="embedImage-img importedEmbed-img"></img></p>
<div> <strong>Note</strong>: On your next login, you will be prompted for your <strong>Username, Password,</strong> and the authentication code (<strong>OTP</strong>) generated by an authenticator application.
A change in authentication type requires users to refresh their logged-in session.</div>
<p>Lockout recovery</p>
<p>If you do not have access to your mobile device to generate a code, you can either use the <a rel="nofollow" href="#token">Recovery key</a> or reset your MFA.</p>
<ul><li>Copy the recovery token that you saved from the 'My Profile' page during the MFA setup.</li> <li>Enter it into the <strong>MFA Code</strong> field when you log in. This code expires after the first use. You’ll need to get a new recovery code and store it in a secure place for future use.</li> </ul>
<p> <img src="https://us.v-cdn.net/6032361/uploads/migrated/XB622T8JD3UX/mceclip0.png" alt="mceclip0.png" class="embedImage-img importedEmbed-img"></img></p>
<p><img src="https://us.v-cdn.net/6032361/uploads/migrated/7V2NYGXND162/mceclip3.png" alt="mceclip3.png" class="embedImage-img importedEmbed-img"></img></p>
<h4 data-id="reset-mfa">Reset MFA</h4>
<ul><li>Reach out to someone with an <strong>Administrator</strong> role in the system, and have them reset your MFA.</li> <li>Reset path: navigate to <strong>Admin > HR > Employees</strong> if the user is an employee, or <strong>Contacts > CRM > Contact > Client portal access</strong> for a client portal user.</li> <li>Choose <strong>Reset MFA</strong>. You will be asked to set up MFA again on your next login.</li> </ul>
<p> <img src="https://us.v-cdn.net/6032361/uploads/migrated/OFR9N0IPO00V/mceclip5.png" alt="mceclip5.png" class="embedImage-img importedEmbed-img"></img></p>
</article> </main>