Setting up multi-factor authentication (MFA)
To heighten security for your Polaris accounts, you can set up multi-factor authentication (MFA) in your system. MFA adds extra layers of protection, beyond a password, in case passwords are in some way compromised.
Polaris supports two MFA methods: time-based one-time password (TOTP) and email authentication.
Users can be allowed to set up methods themselves. Administrators can also set up email authentication on behalf of users.
Administrators can also:
- On a per-user basis, make using at least one MFA method mandatory
- Choose to either require email authentication every time the user logs in, or to specify a re-verification frequency
MFA authentication is device-specific, so users will need to verify each device they use with Polaris.
MFA only works with Polaris authentication, and doesn’t apply to single sign-on (SSO) users.
Setting the MFA frequency
To specify how often users need to use email authentication when they log in:
- Go to Administration > System and Security > Security Settings.
- From the Multi-Factor Authentication Timeout setting, choose one of the following:
  - After 30 days - you can update the number of days to your desired frequency. Users will need to use MFA when they log in if that number of days has passed since their last MFA authentication.
  - Always check - users will need to use MFA authentication every time they log in.
Making MFA mandatory
To improve the security of your system, you can require users to use an MFA method.
You can enable this functionality for one user at a time, or you can mass edit users to enable this option for many employees at once.
Users with this option enabled will not be able to access Polaris unless they have at least one MFA method enabled. If a user doesn't have at least one MFA method set up, they will be prompted to set one up the first time they log in after the mandatory MFA option is enabled for them. MFA cannot be set up using Replicon Mobile or the Polaris PSA app.
If you’re concerned about users losing access to their Polaris account, you might want to enable MFA on their behalf, or communicate the date when you’ll make this change to affected users in advance, to give them a chance to set up MFA before doing so becomes required.
To make MFA mandatory:
- Ensure you’ve either set up email authentication for each user, or you have given them permission to set up MFA.
- Go to Administration > Employees and Organization > Users.
- Select a single user name. Or, to select multiple users, check the boxes beside the users’ names and click Edit.
- In the Multi-Factor Authentication section of the user profile, enable the Require Multi-Factor Authentication to be enabled check box.
Now, when users without an MFA method log in to Polaris, they’ll be shown a page where they’ll be required to set up at least one MFA method before they can access the rest of Polaris.
On the Administration > Employees and Organization > User Settings page, you can set a default for this option that will be applied to any new users you add to Polaris.
Allowing self-serve setup of MFA
To allow users to enable MFA for themselves:
- Go to Administration > Employees and Organization > Permission Sets.
- In permission sets based on the User type, enable the Edit Multi-Factor Authentication Methods permission.
- Assign this permission set to users.
Setting up email authentication
With email authentication, when a user attempts to log in, they’ll be emailed a code that they’ll need to enter into the login field before authentication will proceed.
For a single user
To set up email authentication for a single user:
- Go to Administration > Employees and Organization > Users.
- Select a user.
- On the User Profile tab, from the Multi-Factor Authentication section of the user profile, click Add Authentication Method.
A dialog with an Email Address field displays. This field will be populated with the user’s Polaris email by default.
- Update the user's email address, if necessary.
- Click Add Email Authentication.
A verification email will be sent to the user; they’ll have to click a button in that email to complete setup. You’ll know they’ve completed this step when the Waiting Verification status in their user profile changes to Enabled.
For multiple users
You can use the user mass edit feature to set up email authentication for multiple users at once, using the email address already entered in each user’s user profile.
To set up email authentication for multiple users:
- Go to Administration > Employees and Organization > Users.
- Select the check boxes beside the users’ names.
- Click Edit.
- Select this option located on the main user profile page: Enable email authentication using the User’s Email Address.
- Click Save.
Resending verification emails
If you’ve added email authentication for one or more users, but their user profile still says the account is awaiting verification, you can send the verification emails again.
To resend the email for one user, click the Resend Verification Email link on the main page of their user profile.
To resend emails to multiple users, you can use the mass edit users feature:
- Go to Administration > Employees and Organization > Users.
- Select the check boxes beside the users’ names.
- Click Edit.
- Select this option located on the main user profile page: Re-attempt any Authentication Methods Waiting Verification.
- Click Save.
Revoking an authentication method
If you want a user to stop using a particular authentication method, click the Revoke link located beside that method on the main page of their user profile.
FAQs
Do CloudClock users need to use email verification when scanning in?
No, MFA only applies to administrators when provisioning CloudClock, not to CloudClock end users.