Multi Factor Authentication (MFA) in PASS


This article describes how MFA works within PASS web and the PASSforcare app

Written by Product team
Updated over a week ago

What is Multi Factor Authentication?

Multi-factor authentication (MFA) is a security technology that requires multiple methods of authentication from independent categories of credentials to verify a user's identity for a login or other transaction. Multi-factor authentication combines two or more independent credentials:

  • what the user knows, such as a password;

  • what the user has, such as a security token;

  • what the user is, by using biometric verification methods.

Why do we need MFA?

The goal of MFA is to create a layered defence that makes it more difficult for an unauthorised person to reach a target such as a physical location, computing device, network or database, in this case PASS. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the system.

PASS MFA rules

  • Using MFA when logging in to PASS will eventually be mandatory for all web and app users. When this happens, it will be enabled by default.

  • Users can verify their identity by entering a valid One Time Passcode (OTP) sent to their verified email address OR mobile number, OR obtained from a valid authenticator app.

  • Users are asked for Multi Factor Authentication:

    1. When the user logs in to the web or PASSforcare app for the first time.

    2. After 7 days of successful login on a trusted device. (NB: users of shared devices may be challenged for MFA more frequently.)

    3. When a user uses a new device OR after reinstalling the app.

  • MFA will not be used to get back into the PASSforcare app after a timeout. Timeout rules will remain the same.

  • MFA is not used for offline login. The offline working window will remain 3 days.

  • OTP tokens are sent only to verified email addresses or mobile numbers. Users will be forced to verify their own email/mobile before using MFA if they are unverified.

  • OTP tokens received via email/SMS are valid for 3 minutes.
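As an added example (not PASS's own code), the rules above can be read as a small policy check that a login service runs after the password has been accepted. The trust store, the device identifiers and the unix-second timestamps are constructed for illustration; the 7-day trust window and the 3-day offline window are the values stated in the rules.

```python
"""Added example, not PASS's own code: decide whether a login must be
challenged for MFA, following the PASS MFA rules listed above.
The trust store, device ids and timestamps (unix seconds) are constructed."""

TRUST_WINDOW = 7 * 24 * 3600      # re-challenge after 7 days on a trusted device
OFFLINE_WINDOW = 3 * 24 * 3600    # offline working window stays at 3 days


class TrustStore:
    """In-memory record of when each (user, device) pair last passed MFA and
    last logged in online. A real deployment would persist this server-side."""

    def __init__(self):
        self.last_mfa = {}
        self.last_online = {}

    def record_mfa_success(self, user, device, now):
        self.last_mfa[(user, device)] = now
        self.last_online[(user, device)] = now


def login_decision(store, user, device, now, *, offline=False,
                   app_reinstalled=False, resuming_after_timeout=False):
    """Return (allowed, mfa_required, reason) for a credential-valid login."""
    key = (user, device)
    if app_reinstalled:
        # Reinstalling wipes the device's trust state: treat it as a new device.
        store.last_mfa.pop(key, None)
    if resuming_after_timeout:
        # Getting back into the app after a timeout never asks for MFA.
        return True, False, "resume after timeout: MFA not used"
    if offline:
        last_online = store.last_online.get(key)
        if last_online is None or now - last_online > OFFLINE_WINDOW:
            return False, False, "offline window (3 days) exceeded"
        return True, False, "offline login: MFA not used"
    last = store.last_mfa.get(key)
    if last is None:
        return True, True, "first login on this device or a new device"
    if now - last >= TRUST_WINDOW:
        return True, True, "trusted device older than 7 days"
    return True, False, "trusted device within 7 days"


if __name__ == "__main__":
    store = TrustStore()
    t0 = 1_700_000_000
    print(login_decision(store, "alice", "phone-1", t0))
    store.record_mfa_success("alice", "phone-1", t0)
    print(login_decision(store, "alice", "phone-1", t0 + 3600))
    print(login_decision(store, "alice", "phone-1", t0 + TRUST_WINDOW))
```

The shared-device caveat in rule 2 is why the trust key includes the device: a device that several users share accumulates one trust record per user, so each of them is challenged on their own 7-day clock, and a deployment may choose to shorten that window for such devices.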

Prerequisites

All users must have at least one method (mobile number, email address or authenticator app) configured within PASS in order to complete the MFA workflow.

How MFA works on PASS

Step 1: User logs in to PASS web or PASSforcare app using their credentials

Step 2: User is taken to a screen where they can select how they would like to receive the OTP code. Users will only see verified methods on the list. If none of the methods are verified, the user is presented with the verification workflows. See <<here>>

[Screenshots: PASS web and PASSforcare app]

Step 3: User selects a suitable method from the available list.

Step 4: User is sent an OTP code. If they chose the authenticator app option, they will need to get the OTP from the authenticator app.

[Screenshots: PASS web and PASSforcare app]

Step 5: User enters the OTP code they received into the dialogue box above and presses "Verify". If the OTP code is expired or invalid, the user can request another by pressing "Resend".

Step 6: User is successfully logged in to PASS.
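What happens behind Steps 4 and 5 is shown below as an added example, not PASS's own code: the server must verify whichever kind of OTP the user submits. A code delivered by email/SMS is checked against the stored code and the 3-minute validity stated above; a code from an authenticator app is checked with RFC 6238 TOTP, the standard algorithm authenticator apps implement (the article does not name the algorithm PASS uses, so that is an assumption). The secrets, codes and timestamps are constructed.

```python
"""Added example, not PASS's own code: verify an emailed/SMS OTP with a
3-minute expiry, and an authenticator-app code with RFC 6238 TOTP.
Secrets and timestamps (unix seconds) are constructed for illustration."""
import hashlib
import hmac
import secrets
import struct

OTP_TTL = 3 * 60          # email/SMS codes expire after 3 minutes
TOTP_STEP = 30            # RFC 6238 default time step in seconds
TOTP_DIGITS = 6


def issue_delivered_otp(now):
    """Create a fresh 6-digit code to send by email or SMS (Step 4)."""
    return {"code": f"{secrets.randbelow(10**6):06d}",
            "expires_at": now + OTP_TTL, "used": False}


def verify_delivered_otp(record, submitted, now):
    """Check the code the user typed in (Step 5); it fails closed on
    reuse, expiry and mismatch, and the comparison is constant-time."""
    if record["used"]:
        return False, "already used"
    if now >= record["expires_at"]:
        return False, "expired: user should press Resend"
    if not hmac.compare_digest(record["code"], submitted):
        return False, "invalid"
    record["used"] = True   # a delivered OTP is single-use
    return True, "ok"


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def totp(secret, now, step=TOTP_STEP):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, now // step)


def verify_totp(secret, submitted, now, window=1):
    """Accept the current time step plus `window` steps either side, to
    tolerate clock skew between the server and the authenticator app."""
    counter = now // TOTP_STEP
    ok = False
    for delta in range(-window, window + 1):
        # Evaluate every candidate so timing does not reveal which step matched.
        ok |= hmac.compare_digest(hotp(secret, counter + delta), submitted)
    return ok


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"   # RFC 6238 Appendix B test key
    print(totp(rfc_secret, 59))            # 287082 per the RFC test vectors
    rec = issue_delivered_otp(1000)
    print(verify_delivered_otp(rec, rec["code"], 1000 + 179))
```

The delivered-code path records the code as used on the first successful check, so a code intercepted in transit cannot be replayed once the legitimate user has entered it, and the "Resend" step simply issues a new record with a new expiry.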
