Multi-Factor Authentication (MFA)

As of July 12, 2021, this "Learn Veracross" site has been deprecated. It will remain live through December 2022, but will no longer be updated. All knowledge content has moved to the new Veracross Community. Please update your bookmarks.

Here is the new version of this article in the Veracross Community.

Overview

Multi-factor authentication (MFA) can be enabled for accounts accessing Axiom and Portals. MFA is a security mechanism that requires access to more than one device (typically a computer and a phone) to log in to an application. Websites with sensitive content, such as banks and social media services, increasingly encourage or even require it of their users. Veracross uses time-based one-time passwords (TOTP), an industry-standard mechanism supported by many authenticator apps.

If you choose to use MFA, you need to provide your own recommendations to your constituents on which authenticator app to use. Examples of authenticator apps that support TOTP include Google Authenticator, Authy, Duo, 1Password, Microsoft Authenticator, and LastPass.

Note: Several services offer both mobile and desktop apps. If you use a desktop authenticator app, then a mobile device isn't strictly required.
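
Why any TOTP-capable app is interchangeable: the app and the server share one secret and each derives the code from it and the current time. The sketch below is an added example, not Veracross code. It assumes the common otpauth:// key URI as the QR payload and the usual RFC 6238 parameters (HMAC-SHA-1, 30-second step, 6 digits, one step of clock drift); the sample URI and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: the kind of otpauth:// key URI a setup QR code encodes.
# The secret is the RFC 6238 test key, not a real credential.
SAMPLE_URI = ("otpauth://totp/Example%20School:jdoe"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20School")


def secret_from_uri(uri):
    """Return the raw shared-secret bytes carried in an otpauth://totp URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    b32 = parse_qs(parsed.query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # authenticator secrets usually omit padding
    return base64.b32decode(b32)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA-1)."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, submitted, unix_time, step=30, digits=6, window=1):
    """Server-side check: accept the current step and +/- window steps of drift."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits)
        # Constant-time comparison; every candidate is checked, no early exit.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok
```

Anyone who obtains the secret in the QR code can generate valid codes, so the enrollment screen deserves the same care as a password.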

Recommended Pathway to Requiring Multi-Factor Authentication

If you decide that you want to require some or all of your accounts to use MFA, we recommend:

  1. SysAdmins should first enable MFA for themselves and then a small group of users for testing.
  2. Make the MFA status optional or transitional at first, then after a period of time make it required.
  3. Communicate to your constituents well ahead of time about multi-factor and then when each major update comes (e.g., when moving from transitional to required).

See below for more information on the end-user experience.

Set Up MFA in Axiom

There are several MFA statuses available on the person account record:

  • Not Allowed: the default, in which case users do not see any change
  • Optional: users can enroll if they wish via a link in Axiom and Portals, but will not be prompted during login
  • Transitional: users are prompted — but not required — to enroll at every login
  • Required: users are required to enroll on next login
  • Enrolled: users are enrolled in MFA and must use an authenticator app to log in

Enabling MFA

Anyone with a Sys_Admin1 security role can enable, edit, and remove individuals from MFA.

  • For Current Users: You can batch update the “MFA Status” field on the person account detail screen. For instance, batch update MFA status to “Transitional” for a period of time, then batch update it to “Required.” You can also update individual accounts, of course. 
  • For Future Users: Set the “Default MFA Status” on the Security Roles query.

Impersonation

A user who is not enrolled in MFA cannot impersonate a user who is enrolled. This prevents a user who has passed only one security check from accessing information that may require the two security checks that MFA provides.

The End User Experience

What does an end user actually see when you have enabled MFA? The following screenshots illustrate the initial experience when the MFA account status is set to "required."

When setting up MFA for the first time, the user enters their normal login credentials and is then presented with an MFA screen.

This is an example of scanning the QR code using the Authy app.
The user should enter the final token into the Veracross login screen and click "Verify."

After entering the verification code, the user should write down the recovery code and click "Continue."
In the future, they will need to use their authenticator app to enter a code when logging into Veracross.