Two-factor authentication is an optional security feature that can be enabled by a Firmex Administrator for some or all of a site’s users. Two-factor authentication, shown in the product as “two-step verification”, requires a user to enter their standard password as well as a one-time-use security code when logging in. The security code is delivered to the user by email or SMS text message, to verify the user’s identity.
How It Works
- Request To Enable Two-Factor Authentication
A Site or Project Administrator must contact their Account Manager or Firmex Client Services to enable two-factor authentication. Once enabled, the site administrator may choose between Email message and SMS Text as a two-factor authentication delivery method.
- Enable Two-Factor Authentication For Existing Users
A Site Administrator may enable two-factor authentication for existing site users through the Site > Users screen.
- Enable Two-Factor Authentication For New Users
When creating a new user, in Step 1 of the Add Users wizard, a Project Administrator may opt a new user in to two-factor authentication.
- Logging In For The First Time (SMS Two-Factor Authentication)
When a user logs in to Firmex for the first time, after entering their Firmex password, Firmex will ask the user to enter their mobile phone number. Firmex will immediately send a text message to the mobile number with a one-time-use verification code. Once the verification code has been entered into Firmex, the user is able to proceed with their login.
- Logging In For The First Time (Email Two-Factor Authentication)
When a user logs in to Firmex for the first time, after entering their Firmex password, Firmex will send an email to the user’s primary email address containing a one-time-use verification code. Once the verification code has been entered into Firmex, the user is able to proceed with their login.
- Users with access to more than one site
Some users will have access to more than one Firmex site, and one or more of these sites may have two-factor authentication enabled. In this case, when the user logs in either at login.firmex.com or at the site login page, they will need to go through the two-factor process.
The TFA icon next to a site indicates that two-factor authentication is enabled for that site. The security code is sent to the user by the delivery method configured on each site where two-factor is enabled. In the case where one site is set to email and another is set to SMS, both an email and an SMS code will be sent to the user.
Frequently Asked Questions
Q: Who manages two-factor settings and at what level?
A: A Site Administrator turns the two-factor option on or off for a Firmex site. Project Administrators who add users to a project can turn two-factor authentication on or off for a user they are creating. A Site Administrator is required to turn two-factor settings on or off for existing site users.
Q: Can I enable two-factor authentication for one project and not for another?
A: No, two-factor authentication is a site-level setting. The user is asked to enter the verification code when they log in to Firmex, rather than when they enter a project.
Q: A user has access to two different sites - one has two-factor authentication enabled and another does not. If the user logs directly in to the site without two-factor, will they still be required to enter a code to log in?
A: Yes. If a user is part of at least one site with two-factor enabled, they will always be required to enter a code.
Q: Can my site deliver two-factor authentication via SMS texts for some users and Emails for other users?
A: Yes. The Site Administrator can choose each user’s delivery method – either Email or SMS text.
Q: Is there a setting that enables two-factor authentication as a default for all new users?
A: Yes. A Site Administrator may enable two-factor authentication as a site default for all new users from the Site > Settings > Options tab, by enabling “Make mandatory for all New users”. If this default has been enabled, all new users will be opted in to two-factor authentication.
Q: Can two-factor be applied to some users but not others? e.g. Guest users vs. Hosts?
A: Yes, Administrators can manage which users require two-factor. There is not an automated way of applying an “on or off” rule for future users based on type though; it must be managed manually.
Q: Can I import users using the Excel spreadsheet and enable two-factor authentication at the same time?
A: If users are added in bulk using the Excel import, a Site Administrator will have to manually enable two-step verification for those users after they are added (i.e. there is no new column in the import users spreadsheet).
Q: Will individual users be able to opt-in to (or opt-out of) two-factor?
A: No, like other Firmex security features, the Administrators are in control of how settings are applied.
Q: What if a user is having a hard time logging in with two-step authentication?
A: If a user cannot access their code (or loses their phone) and can’t sign in with two-step authentication, a Firmex Site Administrator can turn off two-step verification for that user in the Site Users Screen. The user could also call Firmex Client Services who will try to resolve the issue for them – given the approval of a Site Administrator or authorized client contact.
Q: If the user selects “trust me on this computer/device”, will they need to enter a new code again on a different computer?
A: Yes. They will also require a new code if:
- they delete their browser’s cookies, or
- they are using a different browser, or
- they are logging in as a different user, or
- a site administrator has disabled and then re-enabled two-step verification for that user
In the last case, the site administrator has essentially “reset” the user’s setting, and the user will have to use a new code next time they log in to any of their computers (it will not kick them out of the product if they are currently logged in).