Multi-factor authentication

As an agency, you have the option to apply MFA to all users or to groups of users. Alternatively, you can allow individual users to apply MFA themselves, within their password settings. If you have SMS messages sent from InTime set up for your agency, the user will be able to select SMS to provide them with a one-time code to enter. Alternatively, they can use an authenticator application.

If you apply MFA as a mandatory setting, and do not have SMS set up against the agency, please make sure that all users have a mobile application authenticator ready for when they next log in. Go to the multi-factor authentication guide for users for further information.

What is MFA?
Applying MFA to user groups
How do users log in for the first time? (If using an authenticator; If using SMS)
What happens if a user has changed/lost their device?

How do administrators with switch agency log in?

What is MFA? 

MFA is a two-step process. You will log in to RSM InTime as normal, and are then required to enter a one-time password. This adds an additional layer of security to your data and login details, based on a password that only you know, and a one-time password on a device that only you have.

There are 2 ways to do this:

Mobile application authenticator: this will generate a 6-digit passcode. You can download authenticator applications via app stores; the most common ones are Google Authenticator and Microsoft Authenticator. When you go into your app, you will be given a one-time password (which is time sensitive) to enter on the RSM InTime login screen. Please note: if you apply QR Code as the authentication method, please make sure that you have a mobile application authenticator ready for when you next log in.

SMS: you can receive a one-time 6-digit password (which is time sensitive) by text message to enter on the RSM InTime login screen. Please note: the SMS option can only be selected if you have SMS messages set up as an agency. 

Applying MFA to user groups 

As an administrator, you can apply MFA to groups of users. Go to the system configuration cog in the top right-hand corner and, within the system section, click security settings.

Allowing SMS - you may have SMS settings applied, but only wish to use this function for reminders and not allow users to retrieve an authentication code. If you do want SMS as an available option, you must tick enable multi factor authentication over SMS. If you do not tick this option, even with SMS settings enabled, the option will not appear for a user to choose.

Suggest multi-factor authentication for user types - this will prompt the user the first time they log in, to select an option. Please note: this is only a prompt, the user can select to not use MFA if they wish. If they select none - do not secure my account using MFA, they will not be asked again. 

Require multi-factor authentication for user types - this means that when the user next logs in they must select an authentication type. They will not see the option of none - do not secure my account using MFA. They will only get the QR code or SMS (if available) options.

Require single sign on authentication for user types - this allows you to force users to only use single sign on. These users will not have an option to log in to RSM InTime with a username and password. If unticked, users will be able to use both methods to log in. For example: all internal users at your agency log in to RSM InTime with single sign on via your intranet page. If you tick require single sign on, they will not be able to log in to InTime outside of your single sign on integration. If you leave the option unticked, users will be able to log in via your intranet using single sign on, and also log in with a username and password by using the RSM InTime URL outside of your intranet.

Scroll to the bottom of the page and click save. 

If you do not tick any of the options, individual users can apply MFA themselves. Go to the multi-factor authentication guide for users for details.

How do users log in for the first time?

Users will log in to RSM InTime with their username and password as normal. They will then be required to select an authentication method. Go to the multi-factor authentication guide for users for a full user guide.

The dropdown will show:

None - do not secure my account using multi-factor authentication - this will only be available if you have ticked suggest multi-factor authentication for user types, giving them the option to choose. 

QR code - to be used with a mobile authenticator application.

SMS text message - this will only be available if SMS messages have been set up for the agency.

If using an authenticator 

If the user selected QR code, the barcode will appear. Using the authenticator, they will need to scan the barcode.

The authenticator app will then produce a one-time 6-digit verification code. They will enter the code in the box provided and click check. A green success box will appear in the top right-hand corner; they then click continue.

They will be logged into RSM InTime.

If using SMS 

If the user selected SMS, a box will appear to enter their mobile number. Once entered, they will click send and receive a one-time 6-digit verification code. They will enter the code in the box provided and click check. A green success box will appear in the top right-hand corner; they then click continue. They will be logged into RSM InTime.

Please note: the user must make sure their mobile number is correct before clicking send. If they have entered the wrong mobile number, they will need to ask the agency to reset their passwords and start the process again.

What happens if a user has changed/lost their device?

If a user loses or changes their mobile device, or has reinstalled the authenticator application, they may need to have MFA reset for RSM InTime. Only an admin user will be able to do this. 

Within profiles, find the user, tick the select box and then click reset and send passwords. This will reset all passwords and disable MFA. The user will then be required to use a temporary password to initially log in, set up a new password, and then go through the initial MFA steps again.

Please note: If a user has forgotten their password, and asks 

How do administrators with switch agency log in? 

If you have multi tenancy, you will only use MFA (if applicable) when logging in directly to an agency. Once you are in an agency and use the switch agency function, MFA will not apply.
