Enabling and Configuring Two-Factor Authentication

Two-Factor Authentication (2FA) adds an extra layer of security for users by requiring a verification code sent via SMS or email. Users are prompted to enter this code after they log in with their account username and password, providing enhanced protection against unauthorized access.

Understanding Two-Factor Authentication Options

Authentication Methods

Administrators can choose from two 2FA enforcement approaches:

Risk-Based Authentication (Enforce only for unrecognized devices)

  • Users are prompted for second authentication when using new devices or browsers
  • Evaluates authentication requests based on cookies and IP address
  • Checks cookies for previous user logins in the browser
  • Matches IP addresses of previous logins with current authentication request
  • If either criterion matches, two-factor authentication is bypassed
  • Recommended for balancing security with user convenience

Every Login Authentication (Enforce for every login)

  • Users are prompted for verification code each time they sign in
  • Provides maximum security but may impact user experience
  • Suitable for high-security environments or sensitive data access

Delivery Methods

  • Email: Verification codes sent to user's registered email address (default)
  • SMS: Verification codes sent via text message (requires Twilio Connected App configuration)

Edition and Compatibility Requirements

Edition Limitations

Two-Factor Authentication is not available for the Professional edition of Magentrix.

Authentication Method Compatibility

Two-Factor Authentication does not apply to users using the following authentication methods:

  • SAML for single sign-on
  • Social sign-on in organizations or Custom Portals
  • Custom Login Pages

Note: Two-Factor Authentication does apply to Custom Portals when applied through Security Role configuration.

Requirements

To configure Two-Factor Authentication, you must have:

  • Administrator System Role permissions
  • Higher-tier Magentrix edition (not Professional)
  • For SMS: Twilio Connected App configuration (optional)

SMS Provider Setup (Optional)

Twilio Integration for SMS Delivery

To use SMS Two-Factor Authentication, you must configure Twilio as a Connected App.

About Twilio

  • Twilio (https://www.twilio.com/) is a third-party service that provides SMS messaging capabilities
  • Currently the only SMS provider supported by Magentrix for 2FA delivery

Setup Requirements

  1. Twilio Account: You must have an active Twilio account with SMS messaging capabilities
  2. Connected App Configuration: Configure Twilio as a Connected App in your Magentrix instance before setting up 2FA SMS delivery
  3. SMS Provider Selection: Once configured, select your Twilio Connected App configuration from the SMS Provider dropdown

Important: The SMS Provider dropdown displays all your Connected App configurations. You must select the specific Connected App configuration that corresponds to your Twilio SMS service setup.

Enabling Two-Factor Authentication

Step 1: Enable System-Wide 2FA

  1. Navigate to the Setup Home page
  2. Click Manage > Company Preferences
  3. Select the Security Settings tab
  4. Click Edit
  5. Under Authentication Settings, check Two-Factor Authentication Enabled
  6. Click Save

Configuring Two-Factor Authentication Settings

Accessing 2FA Configuration

  1. Navigate to Setup Home > Company Preferences > Security Settings tab
  2. Under Authentication Settings, click Manage Two-Factor Authentication Settings

Configuration Options

Authentication Method

  • Enforce only for unrecognized devices: Risk-based authentication for new devices/browsers only
  • Enforce for every login: Verification code required for all login attempts

SMS Provider (Optional)

  • Select --None-- to use email delivery only
  • Select your Twilio-related Connected App configuration for SMS delivery
  • Available options vary based on your Connected App configurations

Security Code Timeout

Select the verification code validity period:

  • 2 minutes: Immediate use required
  • 5 minutes: Standard timeout
  • 15 minutes: Extended validity
  • 30 minutes: Longer-term validity
  • 60 minutes: One-hour validity
  • 4 hours: Extended session validity
  • 12 hours: Maximum validity period

Maximum Invalid Attempts

Select the number of failed attempts allowed before lockout:

  • 3: Strict security (recommended)
  • 5: Balanced approach
  • 10: Lenient attempt limit
  • No Limit: Unlimited attempts (not recommended for security)
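The following is an added illustrative model of the policy described in the Authentication Method, Security Code Timeout and Maximum Invalid Attempts settings above; it is not Magentrix code. It assumes hypothetical helper names (needs_second_factor, issue_challenge, verify_code) and models the "No Limit" setting as max_invalid_attempts=None.

```python
# Added example: a minimal model of the 2FA policy described on this page
# (risk-based device recognition, code timeout, maximum invalid attempts).
# Illustrative code only, not the Magentrix implementation.
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class TwoFactorPolicy:
    enforce_every_login: bool = False        # False = "Enforce only for unrecognized devices"
    code_timeout_s: int = 15 * 60            # Security Code Timeout (15 minutes)
    max_invalid_attempts: Optional[int] = 3  # None models the "No Limit" setting

@dataclass
class Challenge:
    code: str
    issued_at: float
    failures: int = 0
    locked: bool = False

def needs_second_factor(policy, known_cookies, known_ips, cookie, ip):
    """Risk-based rule: bypass 2FA if the browser cookie OR the client IP
    matches a previous login; 'every login' mode never bypasses."""
    if policy.enforce_every_login:
        return True
    return not (cookie in known_cookies or ip in known_ips)

def issue_challenge(now=None):
    """Generate a 6-digit code with a CSPRNG (the code would be sent via email or SMS)."""
    return Challenge(code=f"{secrets.randbelow(10**6):06d}",
                     issued_at=now if now is not None else time.time())

def verify_code(policy, ch, submitted, now=None):
    """Return 'ok', 'expired', 'locked' or 'invalid' for a submitted code."""
    now = now if now is not None else time.time()
    if ch.locked:
        return "locked"
    if now - ch.issued_at > policy.code_timeout_s:
        return "expired"
    if hmac.compare_digest(ch.code, submitted):   # constant-time comparison
        return "ok"
    ch.failures += 1
    # Lock the challenge once the configured attempt limit is reached;
    # with max_invalid_attempts=None ("No Limit") the code can be guessed indefinitely.
    if policy.max_invalid_attempts is not None and ch.failures >= policy.max_invalid_attempts:
        ch.locked = True
        return "locked"
    return "invalid"
```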

Security Role Configuration

Enabling 2FA for Specific Security Roles

Two-Factor Authentication must be enabled at both the system level and Security Role level:

  1. Navigate to Setup Home > Security > Security Roles
  2. Select the Security Role requiring 2FA protection
  3. Click Edit
  4. Select the Additional Settings tab
  5. Check Two-Factor Authentication for User Interface Logins
  6. Click Save & Close

Result: Users with this Security Role will be required to use 2FA based on the configured authentication method.

Implementation Strategy

Gradual Rollout Approach

Phase 1: Administrator Testing

  • Enable 2FA for Administrator Security Roles first
  • Test both email and SMS delivery methods
  • Validate authentication flow and user experience

Phase 2: Internal Users

  • Roll out to Employee Security Roles
  • Provide user training and support resources
  • Monitor adoption and address user questions

Phase 3: External Users

  • Extend to Partner and Customer Security Roles based on security requirements
  • Consider risk-based authentication for better user experience
  • Plan communication and support for external users

Security Role Strategy

High-Security Roles

  • Administrator System Roles: Always enable 2FA
  • Financial or sensitive data access roles: Enable 2FA with "every login" method

Standard Business Roles

  • Employee roles: Enable risk-based 2FA
  • Partner/Customer roles: Consider based on data sensitivity and user experience requirements

Low-Risk Roles

  • Basic access roles: Optional 2FA based on organizational security policies

Best Practices

Configuration Recommendations

Authentication Method Selection

  • Risk-based: Recommended for most business environments to balance security and usability
  • Every login: Reserve for high-security requirements or sensitive data access

Timeout and Attempt Settings

  • Security Code Timeout: 15-30 minutes provides reasonable balance of security and convenience
  • Maximum Invalid Attempts: 3-5 attempts limits brute-force guessing while allowing for user error

User Experience Optimization

Communication Strategy

  • Notify users before enabling 2FA on their Security Roles
  • Provide clear instructions for authentication code retrieval and entry
  • Establish support procedures for 2FA-related user issues

Support Considerations

  • Plan for users who lose access to SMS/email during authentication
  • Establish administrator procedures for temporarily disabling 2FA for user account recovery
  • Document troubleshooting steps for common 2FA issues

SMS vs Email Considerations

Email Delivery Advantages

  • No additional configuration required
  • Works for all users with email access
  • No additional costs or third-party dependencies

SMS Delivery Advantages

  • Faster delivery than email in many cases
  • Works without email client access
  • May be more secure than email in some environments

SMS Delivery Considerations

  • Requires Twilio Connected App configuration
  • May incur SMS messaging costs
  • Dependent on cellular service availability

Ongoing Management

Monitoring and Maintenance

Regular Review Tasks

  • Monitor 2FA adoption rates and user feedback
  • Review failed authentication attempts and lockout patterns
  • Validate SMS provider connectivity and delivery success rates

Security Monitoring

  • Track authentication patterns for unusual activity
  • Monitor bypass rates for risk-based authentication
  • Review Security Role assignments with 2FA requirements

User Support and Training

Documentation and Training

  • Maintain user guides for 2FA setup and usage
  • Provide troubleshooting resources for common issues
  • Train support staff on 2FA-related user assistance

Account Recovery Procedures

  • Establish clear procedures for users locked out due to 2FA issues
  • Plan for users who lose access to SMS or email during authentication
  • Document administrator override procedures for emergency access

Two-Factor Authentication provides essential additional security protection that significantly reduces the risk of unauthorized access while maintaining reasonable user convenience when properly configured and managed.

