Multi-Factor Authentication (MFA) is an additional step in the login process that adds extra security to your system. You will sometimes see this referred to as Two Factor Authentication (2FA).

This article is going to cover:

1. How MFA (Multi-Factor Authentication) works in OpenCRM

2. Choosing your MFA app

3. Turning MFA on

4. Setting a user up with MFA

5. Disabling MFA globally or for an individual user

How does Multi-Factor Authentication (MFA) work?

Each of your users will use an app on their mobile device or browser to generate a code, which they then enter after putting in their password.

It means that no one can login as that user without a) the correct username/password and b) access to that specific device.

Logging in with MFA looks a bit like this:

MFA follows the same security policy that you put in place to secure your password access. If an incorrect MFA code is entered too many times then the user account is automatically locked.

Which app is best for MFA?

There are a number of apps available on mobile devices and browsers. Some of our favourites are:

- Google Authenticator

- Microsoft Authenticator

- LastPass

Enabling MFA for your system

To set up a user with Multi-Factor Authentication, it must first be enabled on the OpenCRM system. You will need to be a System Administrator to do this:

1. go to Settings-> Configuration-> Additional Settings

2. Click the "Security" link at the top of the page or scroll down to find the "Security Settings" block

3. Tick "Enable Multi-factor authentication"

Enabling MFA for each user

Once enabled globally (see the previous section), users can set up their own MFA or a system administrator can do it for them.

Important: Bear in mind if setting MFA up for other users, the user will need access to the MFA device or app that you use to configure this. 

To enable MFA for a user simply click the 'Setup MFA" button on the user consult screen.

Then you will:

1. Scan the QR code within your MFA Authenticator App or manually add the code

2. Your Authenticator App will then give you a six digit number

3. Enter that number in the box provided

4. Click Save

You can see which users have enabled MFA on their account from the user list screen. You can click on the "MFA Enabled" column to sort the list and see easily those who have, and have not set this up. 

Disabling MFA 

There are four ways MFA can be disabled for a user. 

Option 1: User disables their own MFA after login

A user can disabled their MFA by either signing in and clicking the "Disable MFA" on their user record.

Users will have to click OK on a popup to authorise this and an email (which as a system administrator you can edit in 'Settings -> Communication Templates -> Email Templates) will be sent to all system administrators. When a user disables MFA all administrators are notified.

Option 2: User disables their own MFA during login

Users can also disable MFA when they initially login, if for example they have lost or forgotten the device with their authenticator app.

This is done by clicking the "Lost your device/Disable MFA?" link on the MFA screen:

Users will then enter their username or email address on the following screen. An email is then sent to them with a link that they will click to disable MFA.

After clicking the link, they will be prompted to log in to the system to confirm and complete the removal of multi-factor authentication. 

Once this is done, the user will be able to login again. All system administrators will receive an email letting them know which user has disabled their MFA.

Option 3: Administrator disables individual user's MFA

This follows the same process as Option 1, it is just done by a System Administrator for another user.

Option 4: Administrator disables MFA for all users

Unticking the "Enable Multi-Factor Authentication" within Additional Settings (Settings -> Configuration -> Additional Settings -> Security) will disable MFA for all users. 

If you untick this, no notifications are sent out.