What is MFA?
Multi-factor authentication (MFA) is a secure user verification method that requires more than one type of user validation. It prevents bad actors from accessing an account even if they've acquired the username and password.
MFA works by requiring additional verification information (known as factors). Users can't log in using only user names and passwords. They must provide further proof of identity to log in.
Additional security credentials could be:
- Something you are - like a biometric
- Something you know - like a one-time password (e.g. Salesforce/Okta one-time codes)
- Something you own - like a device
By requiring multiple forms of authentication, MFA provides an additional layer of security beyond just a password, making it more difficult for unauthorized users to access sensitive information.
How MFA Works
This feature allows users to enable and disable Multi-factor Authentication on a self-service basis, giving them an additional layer of security on their First AML account. It also allows administrators to disable MFA for a user if they have been locked out of their account.
This is available to all customers regardless of tier and model (self-service & managed service).
All users are able to enable or disable MFA for their own logins. Certain users are able to enable and disable MFA for other users. These users are:
- Platform Administrators
- Compliance Officers
- Team Administrators
- First AML Administrators
The default setting is ‘MFA disabled’ for all users. Customers will need to enable MFA for their users. If you wish to bulk enable MFA for all users, please get in touch with First AML Support for further information.
How to Enable MFA
MFA settings are controlled within the ‘Profile’ screen. Once you log on, open this screen by clicking your user icon (located in the bottom left of your screen), then click the ‘Profile’ section to navigate to the page.
The ‘Profile’ screen (screenshot below) contains your user information. MFA is disabled as a default for all users. To enable MFA, click the ‘Enable MFA’ button.
MFA is now enabled for your login. You will be prompted to set up MFA when you next log in to First AML.
How to Set Up MFA
At your next login to the First AML platform, after inputting your email address and password you will be prompted to set up MFA.
You will be prompted to add another authentication method. The available options are an external authenticator app (e.g. Google Authenticator) or a security key.
Select your preferred authentication method. The following screenshots show the set-up experience using an authenticator app. Scan the QR code using the authenticator app. Your app will prompt you to enter a one-time security code. Click ‘Continue’ after inputting the code.
To use your security key, please follow the onscreen instructions to connect your security key.
After clicking ‘Continue’, you will be prompted to note down a recovery code. This recovery code allows you to log in without your MFA device should you need to. We suggest you note this down and store it somewhere safe e.g. password manager.
Tick ‘I have safely recorded this code’ and then click ‘Continue’.
Optional: Trust this Device
After setting up your MFA device, you can choose to trust the device you are currently logging in on. This will allow you to log in faster on that device. If you don’t wish to do so, select ‘Remind me later’ or ‘Not on this device’.
If you do choose to trust your current device to allow for an easier login flow, you will see a success page once you complete registration.
Once you have logged in, you can navigate to the profile screen to confirm the MFA setup. The profile page will log each device and the last login time for your login.
This step can also be undertaken as you are logging in. You can tick the box below where you enter your one-time code to allow for the device to be remembered for:
- 30 days OR
- After 7 days of not logging in
If you do not check 'remember this device' when logging in, you will be prompted to re-enter the code on refresh or after being idle.
How to Remove Devices
If you wish to change authentication devices, please navigate to the Profile screen. Select the three dots next to the last login time under the ‘Last Use’ column. You will have the ability to select ‘Remove’ to remove this device.
Once you click ‘Remove’, you will see a screen confirming that this device has been removed.
How to Disable MFA
Navigate to the Profile tab and select ‘Disable MFA’.
Once you disable MFA, the Multi-factor authenticator section will show the ‘Enable MFA’ button. This allows you to re-enable MFA if needed.
Managing MFA within the Users Admin Screen
If you have the ability to add users to the platform, you can also enable MFA when adding new users and manage the MFA settings for all users within your office/firm.
After clicking ‘Add a new user’, there is a toggle under the Role dropdown. The default is MFA disabled.
To enable MFA for a new user, click the toggle to enable MFA and then click ‘Save user’.
You can manage MFA for all users using the MFA column.
Click the pencil icon to the far right to edit an individual MFA status.
You can use the toggle to enable or disable MFA for a user.
I am an SSO customer and would like to enable MFA.
For customers configured for single sign-on, it will not be possible to configure MFA. You will need to disable SSO to configure MFA. Please speak to First AML Support if you would like to switch from SSO to MFA.
Can I enable MFA for all of my users?
Currently, MFA is enabled on a per-user basis. If you have a large number of users you wish to enable this for, please speak to your First AML Customer Success Manager who will help you with this process.
Where can I go for additional support/questions?
Please raise a support ticket via the First AML help centre with your query. The team will then get in touch with any additional information they require and, if needed, guide you through the setup process.