Two-factor authentication (2FA) enhances security by requiring two distinct forms of identification to access accounts: something you know (password) and something you have (phone/token).
To enable 2FA on your site, log in as an Admin and go to Control Panel > Site Settings > Security > Two-factor Authentication and toggle the switch next to "Require Two-Factor Authentication" to on (blue).
Next, select the passcode delivery method. The three options are as follows:
- Email: This method, though not as secure as an authenticator app or SMS, will provide the most convenience for your users, who will not have to download an app or add a mobile number to their profile in order to use this.
- SMS (text): This method sends an SMS message to the user's phone. It is not as secure as an authenticator app (SMS codes can be intercepted if a phone number is ported or SIM-swapped), but it is more secure than e-mail.
NOTE: If the user does not yet have a phone number that can receive SMS messages associated with their account, or if the user opts out of receiving SMS messages, they will receive an e-mail instead until they add a mobile number that can receive SMS messages.
- Authenticator App: A TOTP-compatible authenticator app, such as Google Authenticator or 2FAS, is the most secure of the three methods. The user will need to install an authenticator app on their phone in order to use this method. Click the link below this option on the site to see a list of popular TOTP authenticator apps.
Lastly, on the right side of the screen under "Remember User's Device?", select how long the system should remember a user's device before requiring them to complete 2FA again. Setting it to "Forever" means the user will never be asked for a second factor on that device again (so a lost or shared device stays trusted indefinitely), and turning it off forces the user to complete 2FA every time they log in.
Be sure to click the blue Update All button when finished.
When users first log in after 2FA has been enabled, they will be emailed a six-digit code they will need to enter on the site. The following step will depend on what passcode delivery setting has been set:
- Email: After entering the code, the user will immediately be brought to the Recovery Code Screen (see below).
- SMS (text): After entering the code, the user will be brought to a screen directing them to enter their cell number to receive SMS texts from the system. If they do not opt in and enter their number, they will receive codes via email any time they're required to log in via 2FA.
- Authenticator App: After entering the code, the user is shown a screen with directions on where to download an authenticator app (such as Google Authenticator or Microsoft Authenticator) and given a choice of scanning a QR code or entering the secret key into the app by hand. Once the app has the secret, it displays a 6-digit code, which the user enters to continue. From then on, the user only needs to open the app and provide the current 6-digit code when logging in via 2FA.
Regardless of 2FA type, after the initial setup each user will be brought to the "Save Your Recovery Code" screen. This provides a code the user should copy (by clicking the "Copy" button) and keep in a safe but accessible location, for example a password manager; anyone holding this code can bypass the second factor, so treat it like a password. If the user ever loses access to their phone or email, they can still use this code to log into the site. This code CANNOT be reset. The only way to generate a new Recovery Code is for an Admin, Super-user, or Sub-admin to delete the user and recreate them.