Multi-Factor Authentication
NOTE: Multi-Factor Authentication is an optional, licensed feature of Workzone. For details on adding this to your license, please contact us.
Multi-Factor Authentication (MFA) adds an extra security layer to Workzone's log in process. This extra step ensures that only a verified user can log in. Once enabled, logging in requires a user to provide both a password and a secondary login code from an authentication app or secondary email address to access Workzone.
IN THIS ARTICLE
Enabling MFA for Users
Workzone's MFA must first be enabled by an Administrator in the settings (gear icon) for All Workspaces. The setting for this is found on the Security page under Global on the left side, as shown here:
The setting for MFA can be set as Disabled (default), Optional, or Required. With Optional, a user individually opts in to MFA at their next log in or from their My Settings page. Optional will allow a user to configure MFA the next time they log in with this prompt:
- If Enroll now is selected, the user can continue and then engage the setup process as described in the Required Individual Setup section below.
- For Remind me later, the user continues without configuring MFA, and the next log in will provide the same prompt, as shown above.
- Choosing No, don't remind me will dismiss the prompt and the user will continue in to Workzone and can then go to the My Settings page and configure MFA later on, as described in the Optional Individual Setup section below.
With Required, the user will be forced to set up their MFA process during their next log in, described in the Required Individual Setup section below.
After an Administrator makes a selection, they must click OK to confirm. Individual users will then complete their personal setup process (depending on whether Optional or Required was selected) as follows in the section(s) below.
Optional Individual Setup
If an Administrator has set Multi-Factor Authentication to Optional, this will allow a user to configure MFA the next time they log in with this prompt:
If Enroll now is selected, the user can then engage the setup process as described in the Required Individual Setup section below.
For Remind me later, the next time the user logs in will provide the same prompt, as shown above.
Choosing No, don't remind me will dismiss the prompt and the user will then be able to to the My Settings page and configure MFA later on, as described in the Optional Individual Setup section below.
A user can later set up MFA by going to the My Settings page and selecting Multi-Factor Authentication on the left side, as shown here:
On that page, the user selects either the Configure Authenticator App or Configure Email button, proceeding with the steps as shown below.
For Configure Authenticator App, a user then follows the displayed instructions:
...followed by the verification step:
For Configure Email, a user follows the displayed instructions:
...followed by the verification step (with a timer counting down 10 minutes):
After successfully verifying one of the two methods above, that user will then be required to perform a verification step when logging in to Workzone.
NOTE: Administrators can reset a user's MFA configuration(s) on the Edit an Existing User page.
Required Individual Setup
If an Administrator has set Multi-Factor Authentication to Required (as described above), the next time a user logs in they will receive the following prompt:
The user will have to select either the Authenticator App or the Email button to continue. If the Authenticator App is selected, then this prompt will display:
...if the Email button is selected, then this prompt will display:
After configuring the app or entering the email, the relevant verification will display as shown below.
NOTE: Administrators can reset a user's MFA configuration(s) on the Edit an Existing User page.
Logging in with MFA Setup
Once a user has MFA properly configured, they will be presented with a prompt to enter their MFA code each time they log in. If using an authentication app, the prompt will appear like this:
If using email, the prompt will appear like this (with a timer counting down 10 minutes):
If the user has both set up, they'll first be presented with a prompt like this:
After entering the code from the relevant source, the user should be successfully logged in!
If a user need to make changes to their MFA process, like removing an existing configuration or adding a different email address, they can do so in the Multi-Factor Authentication section of the My Settings page:
Reporting on MFA Activity
When enabled, MFA activity is represented by a MFA Configurations column on the Usage Summary report, providing Administrators and Managers details on whether a user has an authenticator app, email, or both configured for MFA based on the icons in the column, as shown here: