
Multi-Factor Authentication (MFA) for users

What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication, also known as MFA or Two-Factor Authentication, is an additional security measure that can be set up on software systems to confirm a user’s identity. It helps to protect a user’s information from hacking, phishing attempts and stolen or lost passwords.

In Webexpenses, the first factor of authentication is a user’s username and password. The second factor is obtained via an authentication app.

How do I set up MFA?

To set up MFA for your company, or as an individual user, follow these few short steps:

For your company

Administrators can set up MFA at both the company and division levels. To do this, navigate to Admin > Company Profile > Security.

Webexpenses system displaying how to turn on MFA in the security section

Select 'Enable Mandatory Multi-Factor Authentication' and a new set of options will appear.


From this list, you can select the user roles that you want to use MFA. You must select at least one role to enable the feature and then click 'save' to make the changes.

Note: Once confirmed, these changes take effect for all users who hold that role, regardless of the reason they are logging in to the system.

As an individual user

You can choose to set up MFA for your own individual profile in Webexpenses for any role within an organisation.

To do this, navigate to My Settings > Security and select 'Configure MFA'. This will start the configuration process.

Configuring MFA as a user

The next step is to configure MFA for the second authentication factor.

If you have turned it on yourself, you will be taken here directly. If it has been turned on by the company, you will be taken here on your next login.

For both options, you will see instructions on the configuration screen. Follow these steps to start the configuration:

Webexpenses system displaying how to configure MFA with QR code

  1. Open an authenticator app (such as Google or Microsoft Authenticator).
  2. Choose either QR code or manual to set up authentication in the app:
    - QR code: Use the app to scan the QR code. A code will then be provided by the authenticator app.
    - Manual: Select the manual option and follow the steps to add an account name. Then, enter the authentication key from the configuration screen. A code will then be provided by the authenticator app. Enter the code provided by the app in the box on the configuration screen.
  3. Select Verify

Backup codes

After you have successfully verified the MFA configuration, you will be taken to a screen with backup codes. These are the codes that you can use to log in to the system if the device you authenticated with is lost.

Webexpenses system displaying list of MFA backup codes

Please store these codes securely so that you have them in case this scenario occurs.

Note: If you lose your backup codes, you can generate new codes by signing into Webexpenses. Navigate to My Settings > Security and select 'Regenerate Backup Codes'. This will void all previous codes and provide new ones.

Entering MFA details

Once MFA is configured and verified for your user profile, you will be asked to enter your MFA details on the next login.

Webexpenses system displaying how to enter verification code from authenticator app

Whilst on the MFA entry page, open your authenticator app and enter the 6-digit code that the app shows for Webexpenses.

Entering the correct code here will take you through to the system. On this page, you can select not to be asked to do this process again for 90 days.

Note: If you cannot authenticate via the app you can select ‘try another way’. This will take you to a screen where you can enter a backup code. Each backup code can only be used once.
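The two backup-code rules described above (each code works once, and 'Regenerate Backup Codes' voids every earlier code) can be modelled as follows; this is an added example, not Webexpenses code. The class name, code format, code count and the server-side `pepper` are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class BackupCodes:
    """Hypothetical store that keeps only keyed digests of unused codes."""

    def __init__(self, pepper: bytes, count: int = 10):
        self._pepper = pepper  # assumed to live in a server-side secret store
        self._count = count
        self._unused = set()

    def _digest(self, code: str) -> bytes:
        # Ignore the formatting a user may add or drop when typing a code.
        normalised = code.replace("-", "").replace(" ", "").lower()
        return hmac.new(self._pepper, normalised.encode(), hashlib.sha256).digest()

    def regenerate(self) -> list:
        """Issue a fresh set; every previously issued code stops working."""
        raw = [secrets.token_hex(5) for _ in range(self._count)]  # 40 bits each
        self._unused = {self._digest(c) for c in raw}  # replaces the old set
        # Returned once for display; only the digests are retained.
        return [c[:5] + "-" + c[5:] for c in raw]

    def redeem(self, code: str) -> bool:
        """Return True the first time a valid code is presented, then retire it."""
        candidate = self._digest(code)
        if candidate in self._unused:
            self._unused.discard(candidate)
            return True
        return False


if __name__ == "__main__":
    store = BackupCodes(pepper=secrets.token_bytes(32))
    first = store.regenerate()
    print(store.redeem(first[0]), store.redeem(first[0]))  # second use fails
```

Because only keyed digests are stored, a leaked copy of the code table does not reveal usable codes without the pepper.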

Ongoing administration of MFA

As an administrator, you can adjust MFA settings to meet your ongoing security requirements. You can add additional user roles, remove user roles, or turn MFA off if you no longer require this layer of security.

To do this, navigate to Administration > Company Profile > Security. Change the required setting and save.

Administrators can also reset a user's MFA details if the user is struggling to access the system, for example because of a lost device. Navigate to Administration > Users. Use the check box next to each user's name to select the user(s) you want to reset, then select the reset option.

Webexpenses system displaying how to reset MFA

If MFA is set up at a Company or Division level, the reset will force these users to go through the MFA configuration process again on their next login. If they set MFA up in their own profile, the reset will completely remove their MFA and they will need to reconfigure it in their own settings.

FAQ

Follow the FAQ below for further help setting up MFA. If you can't find an answer to your question, get in touch with the Webexpenses team.

What authentication apps can I use?

The process will work with most authenticator apps including Google Authenticator, Microsoft Authenticator, Duo Mobile, LastPass Authenticator, and Twilio Authy.

What if I lost my device?

If you have lost your device, you can use one of the backup codes provided when you configured your MFA. Simply select “Try another way” when asked for your MFA details and enter the backup code on the screen provided.

What if I lose my backup codes?

If you know you have lost your backup codes, log into Webexpenses as normal, go to My Settings and select “Regenerate Backup Codes” to create new codes.

What if I lose my device and backup codes?

If you lose both your device and backup codes, your MFA will need to be reset by your administrator. Contact your organisation's Webexpenses administrator and ask them to reset MFA for your user profile.

On the next login, you will either be asked to configure the details again with your new device, or you will need to go to My Settings and configure your MFA again.

I’m concerned someone has seen my backup codes, what should I do?

In this situation, log into Webexpenses as normal, go to My Settings and select 'Regenerate Backup Codes' to create some new ones. This will instantly make any old codes invalid.

How should I store my backup codes?

The best way to store backup codes securely is in a secure password manager or vault. Tools such as Keeper or LastPass offer secure storage for important information like this.