What is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to an online application.

The user name and password is one factor. Once MFA is enabled for APS cloud applications, the user must also complete a second factor, either an SMS code or a code from a cloud authentication app, before they can log in.

Why would you want to enable MFA?

Enabling MFA adds a further layer of security to ensure the user logging into your cloud application is who they say they are. Traditional passwords alone are no longer secure enough. By enabling MFA for the practice, you are:

  • Ensuring you secure against identity theft via stolen passwords;
  • Protecting the practice information from weak employee passwords;
  • Helping the practice meet government authorities' requirements for securing information.

Presently, information in the APS cloud application has no direct connection to any government authority system (e.g. ATO/IRD). As a result, MFA is ‘optional’ for the practice to enable.

As the APS+ range builds out more features, and direct connections are made to government systems, MFA will no longer be ‘optional’ but a mandatory requirement. Enabling MFA now will ensure your team is ready for that transition when it becomes mandatory.

What APS cloud applications does MFA work on?

Once MFA is enabled on the practice's APS cloud tenant, it will work on all APS cloud applications, including Cloud Timesheets and any of the APS+ applications.

Practices that have enabled only Cloud Timesheets, and not Contacts+, will need to enable Contacts+ in order to manage the MFA component through the User Management+ module that comes with Contacts+.

User Management+ is therefore a pre-requisite for enabling MFA, so that the practice retains control over who can reset MFA for a user.

How does MFA work?

The practice needs to request activation. The APS team will check that you meet the pre-requisites and advise if any additional work is required before MFA can be enabled.

Once enabled, activation of MFA is immediate. The next time a user logs in to any APS cloud application, they will be prompted with the following:

Step 1:  

Log in to the APS application as normal, then press Continue.

Step 2:

The user selects one of the two options for additional authentication.

Setup MFA using authentication app

Many authentication apps are available to download and use for this process; which app is used may be a firm preference. The most common applications are Microsoft Authenticator and Google Authenticator.

Users can scan the QR code into the app or enter the code provided. The app will then display a 6-digit code for the user to enter, after which they press Continue.
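As an added illustration of what happens behind the QR code and the 6-digit code (example code written for this page, not APS's own implementation): authenticator apps such as Microsoft Authenticator and Google Authenticator implement the standard TOTP algorithm (RFC 6238, built on HOTP, RFC 4226). The QR code encodes an otpauth:// URI carrying a shared secret; the app and the service each derive the same 6-digit code from that secret and the current 30-second time window, so no code ever travels over the network at enrolment time. The verifier below assumes the common SHA-1, 6-digit, 30-second configuration, tolerates one step of clock drift either way, and refuses to accept a code for a time window that has already been used (replay protection). The issuer and account names are placeholder values, and RFC_TEST_SECRET is the RFC 6238 reference secret, included only so the implementation can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded.
# Constructed test input only: never reuse a published secret in a real deployment.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Fresh random shared secret, base32-encoded for the QR code or manual entry."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that an enrolment QR code encodes (the Key URI format
    understood by Google/Microsoft Authenticator). issuer/account are example labels."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code with drift tolerance and replay protection."""

    def __init__(self, step: int = 30, window: int = 1):
        self.step = step
        self.window = window          # accept codes from +/- this many steps
        self._secrets = {}            # user -> base32 secret (a real service would encrypt these)
        self._last_counter = {}       # user -> highest time step already consumed

    def enrol(self, user: str, secret_b32: str) -> None:
        self._secrets[user] = secret_b32
        self._last_counter[user] = -1

    def verify(self, user: str, submitted: str, now=None) -> bool:
        if user not in self._secrets:
            return False
        if not (submitted.isascii() and submitted.isdigit() and len(submitted) == 6):
            return False
        if now is None:
            now = time.time()
        current = int(now) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self._last_counter[user]:
                continue  # this time step was already used: block replay of a seen code
            expected = hotp(self._secrets[user], counter)
            if hmac.compare_digest(expected, submitted):  # constant-time comparison
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    secret = generate_secret()
    print("QR payload:", provisioning_uri(secret, "user@example.com", "ExampleIssuer"))
    verifier = TotpVerifier()
    verifier.enrol("user@example.com", secret)
    code = totp(secret)                       # what the authenticator app would display
    print("first use accepted:", verifier.verify("user@example.com", code))
    print("replay accepted:", verifier.verify("user@example.com", code))
```

The one-step window is the usual compromise between users whose phone clock drifts slightly and the attacker's guessing space (three valid codes out of a million at any instant); pair it with rate limiting on failed attempts, which this example deliberately leaves to the surrounding login service.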

Setup MFA using SMS

The countries supported for SMS are:

  • Australia
  • New Zealand
  • United Kingdom

The phone number entered will be validated to ensure it meets these requirements. ‘Other’ is not supported; a user who selects it will be asked to select another country or use an authenticator app instead.

Once the phone number is entered (spaces are accepted), press Continue.

The user will receive the 6-digit code on their phone, enters it and presses Verify to open the application.

If the code expires the user can select Resend.
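To make the country check above concrete, here is an added example (written for this page; it is not APS's validation code, and the national-number length limits are assumptions) that normalises a user-entered number for one of the supported countries into E.164 form, tolerating spaces as the FAQ states, and rejects ‘Other’ with the message a form handler would show. The country calling codes (+61, +64, +44) and the 15-digit E.164 maximum are standard.

```python
import re

# Supported countries and their ITU country calling codes.
SUPPORTED_COUNTRIES = {"Australia": "61", "New Zealand": "64", "United Kingdom": "44"}
# Plausible national-number length for mobiles in these countries (assumption for this example).
MIN_NATIONAL_DIGITS, MAX_NATIONAL_DIGITS = 8, 10
E164_MAX_DIGITS = 15  # E.164 limit on total digits after the '+'


class UnsupportedCountry(ValueError):
    """Selected country cannot receive SMS codes (e.g. 'Other')."""


class InvalidNumber(ValueError):
    """Number is malformed or does not belong to the selected country."""


def normalise_sms_number(country: str, raw: str) -> str:
    """Return the number in E.164 form (+<country code><national number>) or raise."""
    if country not in SUPPORTED_COUNTRIES:
        raise UnsupportedCountry(
            f"SMS is not supported for '{country}'; select a supported country "
            "or use an authenticator app instead")
    cc = SUPPORTED_COUNTRIES[country]
    compact = re.sub(r"[\s()\-]", "", raw)  # spaces are accepted; also drop brackets/dashes
    if compact.startswith("+"):
        if not compact[1:].startswith(cc):
            raise InvalidNumber("the number's country code does not match the selected country")
        national = compact[1 + len(cc):]
    else:
        national = compact
    if national.startswith("0"):
        national = national[1:]  # drop the domestic trunk prefix (0412... -> 412...)
    if not (national.isascii() and national.isdigit()):
        raise InvalidNumber("the number may contain only digits, spaces and an optional leading '+'")
    if not MIN_NATIONAL_DIGITS <= len(national) <= MAX_NATIONAL_DIGITS:
        raise InvalidNumber("the number has an unexpected length for the selected country")
    if len(cc) + len(national) > E164_MAX_DIGITS:
        raise InvalidNumber("the number exceeds the E.164 maximum length")
    return f"+{cc}{national}"


def check_sms_number(country: str, raw: str):
    """Form-handler wrapper: (True, e164_number) or (False, message_to_show_user)."""
    try:
        return True, normalise_sms_number(country, raw)
    except (UnsupportedCountry, InvalidNumber) as err:
        return False, str(err)


if __name__ == "__main__":
    # Constructed sample inputs (the UK number is from Ofcom's reserved drama range).
    for country, raw in [("Australia", "0412 345 678"),
                         ("United Kingdom", "+44 7700 900123"),
                         ("New Zealand", "021 123 4567"),
                         ("Other", "+1 415 555 0100")]:
        print(country, raw, "->", check_sms_number(country, raw))
```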

Step 3:

The user creates a ‘Recovery PIN’.

The Recovery PIN allows the user to regain access to their account if they lose access to the device and cannot receive multi-factor authentication codes.

MFA has now been enabled for the user.

As a user, if I change my phone number can I reset my MFA myself?

Yes – when logging in, the user can choose the ‘Can’t access your device’ option.

The user will then be prompted to enter their Recovery PIN.

Then select Revoke MFA, which returns the user to Step 1 of the MFA setup, using their current credentials:

What happens if a user forgets their recovery PIN?

In this instance, the user will be prompted to contact us. Our advice will be that the System Administrator of the practice needs to log in to User Management+ and reset the user's MFA status, once they have verified the user is who they say they are.

The relevant person in the practice with User Management+ access can then complete the task as follows:

  1. Select the user; a drawer will open on the right-hand side of the screen with that user's information;
  2. Select the […] option at the top right-hand side and select Reset MFA; the user will then be prompted to set up MFA again.

What happens if nobody in our practice has access to User Management+?

In this instance please log a support call. Our APS support team members will run through some identification and security checks to confirm the user is who they say they are, then grant access to User Management+ where needed and/or reset the user as required.

As a user of multiple APS cloud applications, why do I have to sign in to each app and complete MFA for each application?

Presently the applications are independent. Further work is being completed on single sign-on (SSO), which will be available to implement at a later date.

How long does a sign-in to an application last?

This varies between applications; generally speaking it is 24 hours before login is requested again.

This will change in future as the APS+ applications grow: once direct connections with ATO applications (and potentially IRD applications) are made in future APS+ releases, a user may be required to sign in again after 15 minutes of inactivity, as per the ATO guidelines.

More information specifically regarding the ATO requirements can be found here:

Do our machine-to-machine users set up for integration purposes need to be enabled for MFA (e.g. Connectworks, ATOmate, FuseSign, BGL etc.)?

Currently no; authentication for machine-to-machine users will not require MFA setup.
