Configuring MFA using email security codes

This configuration documentation is designed for System Administrators and is protected from public access.

See also: https://heuristicsolutions.atlassian.net/wiki/spaces/DOCS/pages/3410198529

This feature is designed to address some very limited use cases. We recommend that highly-security-conscious clients be encouraged to use SSO with a partner that implements robust MFA itself, or to fund the implementation of https://heuristicsolutions.atlassian.net/wiki/spaces/LBDEV/pages/3191210296.

Enabling MFA

MFA can be enabled on a per-Role basis, but must currently be configured from the Sys Admin area.

It is controlled by two App Config settings:

Setting: RoleIdsRequiredToVerifyEmailAccessDuringLogin

Notes: A comma-separated list of RoleId values that require the use of MFA. The Sys Admin role is ID 1, and the default Administrator role is ID 2. For other Role Ids, view your specific Admin → Roles list page.

Setting: EmailAccessVerificationTimeoutMinutes

Notes: The number of minutes after which an emailed security code expires. This defaults to 30 minutes but can be adjusted if needed to meet client-specific requirements. (The lower this is set, the greater the chance that delayed processing by the recipient’s email server will cause the code to time out before the user is able to use it.)
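The following is an added example, not code from the product this page documents: it models how the two App Config settings above drive an email-code check, using the key names from this page and constructed sample values. Everything else (the function names, the 6-digit code format, the single-use flag) is an assumption made for illustration. It shows the details a reviewer would check in such an implementation: tolerant parsing of the comma-separated RoleId list, the 30-minute default, expiry evaluated before the code comparison, a constant-time comparison, and codes that cannot be replayed.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed App Config values for this example. The two key names are the
# settings documented on this page; the values are sample data, not real config.
APP_CONFIG = {
    "RoleIdsRequiredToVerifyEmailAccessDuringLogin": "1, 2,  7,",
    "EmailAccessVerificationTimeoutMinutes": "30",
}


def parse_role_ids(raw: str) -> set[int]:
    """Parse the comma-separated RoleId list, tolerating spaces and empty entries."""
    ids = set()
    for part in (raw or "").split(","):
        part = part.strip()
        if not part:
            continue
        if not part.isdigit():
            # Reject rather than silently ignore: a typo here would disable MFA for a role.
            raise ValueError(f"RoleId must be a positive integer, got {part!r}")
        ids.add(int(part))
    return ids


def parse_timeout_minutes(raw: str, default: int = 30) -> int:
    """Timeout in minutes; the page's default of 30 applies when the setting is blank."""
    raw = (raw or "").strip()
    if not raw:
        return default
    minutes = int(raw)
    if minutes <= 0:
        raise ValueError("EmailAccessVerificationTimeoutMinutes must be positive")
    return minutes


def mfa_required_at_login(user_role_ids, config=APP_CONFIG) -> bool:
    """MFA applies at initial login, and only if the user holds one of the listed roles."""
    required = parse_role_ids(config["RoleIdsRequiredToVerifyEmailAccessDuringLogin"])
    return bool(required & set(user_role_ids))


@dataclass
class EmailCode:
    """Hypothetical record of a code sent to the user (not the product's data model)."""
    code: str
    issued_at: datetime
    used: bool = False


def issue_code(now: datetime) -> EmailCode:
    # 6-digit numeric code drawn from the OS CSPRNG; assumed format, not the product's.
    return EmailCode(code=f"{secrets.randbelow(10**6):06d}", issued_at=now)


def verify_code(record: EmailCode, submitted: str, now: datetime,
                config=APP_CONFIG) -> tuple[bool, str]:
    """Return (ok, reason). Expiry and reuse are checked before the comparison."""
    timeout = timedelta(minutes=parse_timeout_minutes(
        config["EmailAccessVerificationTimeoutMinutes"]))
    if record.used:
        return False, "already used"
    if now - record.issued_at > timeout:
        return False, "expired"
    # Constant-time comparison so a mismatch does not leak which digits matched.
    if not hmac.compare_digest(record.code, submitted.strip()):
        return False, "mismatch"
    record.used = True
    return True, "ok"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("MFA required for roles [2, 5]:", mfa_required_at_login([2, 5]))
    rec = issue_code(now)
    print("verify right away:", verify_code(rec, rec.code, now))
    print("verify again:", verify_code(rec, rec.code, now))
    print("verify late:", verify_code(issue_code(now), "000000", now + timedelta(minutes=31)))
```

Note that nothing in this flow is invoked by Account Switching: as the next section states, MFA is enforced only at initial authentication, so a switch into an Organization whose Role is listed in RoleIdsRequiredToVerifyEmailAccessDuringLogin does not call verify_code again.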

MFA with Account Switching

MFA is NOT enforced during Account Switching, even when the Organization being activated has a Role that requires MFA and the staff member's own Role does not.

MFA is enforced during initial authentication (login); it is not enforced at any other point.

Account Switching is not a form of authentication and therefore does not invoke or enforce any MFA requirements.

What this means is that, if you intend to use MFA and Account Switching together, you should probably configure MFA consistently both at the Organization level and for the staff members who could “account switch” into that Organization.