Multifactor Authentication (MFA) using email security codes

See also: https://heuristicsolutions.atlassian.net/wiki/spaces/DOCS/pages/3360096518

This feature is not compatible with the Alabama Interactive payment gateway. (LB-3249)

Additionally, take care when enabling this for Roles that are expected to make payments using a Hosted Pages style checkout process. The third-party redirect back to LearningBuilder could potentially cause the user to go through MFA again. Payment-specific testing is encouraged if MFA is enabled in that scenario.

Overview

LearningBuilder currently supports two different mechanisms for implementing multi-factor authentication (MFA):

  • Email users a security code during the login process

  • Use SAML to implement SSO with a 3rd party identity provider that handles the MFA itself

This document covers the first use case.

How it works

MFA can be enabled on a per-Role basis, for instance requiring it for privileged administrators but not for Practitioners.

When a user logs in with their LearningBuilder password, and they have a Role that requires MFA, they must pass an additional authentication check before gaining access to the site.

These users are automatically sent an email containing a security code. (The content of this email is controlled by a template and can be modified to include additional information.)

Sample email content

Users must enter this code into LearningBuilder to finish the authentication process.

MFA prompt during login

Once the security code is validated, the user will gain full access to LearningBuilder.

Using MFA in conjunction with Single Sign-On (SSO)

MFA can be enabled in LearningBuilder even if the primary authentication is handled via SSO through a 3rd party.

If configured this way, then the MFA check will be performed after a successful SSO process, the same way it works following a successful local login.

LearningBuilder has no knowledge about the authentication methods employed by the SSO provider; if the provider implements MFA as well then users could potentially be forced to pass multiple security checks to log in.

Supporting end users that are having MFA issues

There are a few scenarios in which the MFA requirement could block legitimate users from logging in:

  1. The user’s email service is temporarily down;

  2. The user’s email service takes too long to deliver the message, and the code expires before it is received;

  3. The user no longer has access to the email address configured in LearningBuilder.

Administrators can use the Admin → Member Profile page to support users in these scenarios. When MFA is enabled, a user’s current security code is displayed (and can be reset) in the left-hand sidebar of the page.

Configuring MFA

MFA can only be configured by System Administrators. See: https://heuristicsolutions.atlassian.net/wiki/spaces/DOCS/pages/3410264088