This setting is available to Site Administrators. If you want to enable Two-Factor Authentication but are not a Site Administrator, please contact Firmex Support or reach out to your Account Manager. If your company is using Single Sign On (SSO), Two-Factor Authentication will be configured through your identity provider. Please contact your IT Administrator.
What Is Two-Factor Authentication?
Two-Factor Authentication (TFA) - shown in the Firmex product as “Two-Step Verification” - is an optional security feature that can be enabled by a Firmex Administrator for some or all of a site’s users. When logging in, TFA requires a user to enter a one-time use security code in addition to their standard password. To ensure the user’s authenticity, the security code is delivered to the user via an authenticator app such as Google Authenticator, via an email message, or via an SMS text message.
TFA provides administrators with an additional layer of security to better manage and control user access. For users, TFA offers a simple and secure way of accessing Firmex, especially when coupled with an authenticator app.
How Two-Factor Authentication Works With Firmex
- Enable Two-Factor Authentication
Once TFA is enabled, the site administrator may choose a default Two-Step Verification delivery method for each user: Authenticator App, Email message, or SMS Text.
- Enable Two-Factor Authentication for Existing Users
A Site Administrator may enable two-factor authentication for existing site users through the Site > Users screen. See this article for step-by-step instructions.
- Enable Two-Factor Authentication for New Users
When creating a new user, in Step 1 of the Add Users wizard, a Project Administrator may opt-in a new user for two-factor authentication.
- Logging In for the First Time (SMS Two-Factor Authentication)
When a user logs in to Firmex for the first time, after entering their Firmex password, Firmex will ask the user to enter their mobile phone number. Firmex will immediately send a text message to the mobile number with a one-time use verification code. Once the verification code has been entered into Firmex, the user is able to proceed with their login.
- Logging In for the First Time (Email Two-Factor Authentication)
When a user logs in to Firmex for the first time, after entering their Firmex password, Firmex will send an email to the user’s primary email address containing a one-time use verification code. Once the verification code has been entered into Firmex, the user is able to proceed with their login.
- Logging In for the First Time (Authenticator Two-Factor Authentication)
When a user logs in to Firmex for the first time, after entering their Firmex password, Firmex will prompt the user to set up their Authenticator app for use with Firmex. The user will be asked to install the Authenticator app on their smart device and then scan the QR code or enter a 32-digit code into the Authenticator App. Finally, the user will enter the verification code from the Authenticator App into Firmex and, once verified, the user is able to proceed with their login. See this article for step-by-step instructions.
- Users with access to more than one site
Some users will have access to more than one Firmex site, and one or more of these sites may have two-factor authentication enabled. In this case, when the user logs in either at login.firmex.com or at the site login page, they will need to go through the two-factor process.
The TFA icon next to a site indicates that two-factor authentication is enabled for that site. The security code will be sent to the user based on the methods configured across all the sites where two-factor is enabled. In the case where one site is set to Email and another is set to SMS, both an email and an SMS code will be sent to the user. If Authenticator App is set on any site, the user will always log in with Authenticator App only, as it is the most secure method of two-factor authentication available.
- Reset a User's Authenticator App
In cases where a user loses access to the Authenticator App that they have set up with Firmex (lost or new phone, factory reset on a phone, etc.), they will need to reset their Authenticator App configuration within Firmex. This requires assistance from a Firmex Site Administrator, who must edit the user’s Two-Step Verification settings and click the “Reset Authenticator App” button. This will remove the user’s Authenticator App configuration in Firmex. On the user’s next login, they will need to set up their Authenticator App again as described above.
Frequently Asked Questions
Q: Who manages two-factor settings and at what level?
A: A Site Administrator turns the two-factor option on or off for a Firmex site. Project Administrators who add users to a project can turn two-factor authentication on or off for a user they are creating. A Site Administrator is required to turn two-factor settings on or off for existing site users.
Q: Can I enable two-factor authentication for one project and not for another?
A: No, two-factor authentication is a site-level setting. The user is asked to enter the verification code when they log in to Firmex, rather than when they enter a project.
Q: A user has access to two different sites - one has two-factor authentication enabled and another does not. If the user logs directly into the site without two-factor, will they still be required to enter a code to log in?
A: Yes. If a user is part of at least one site with two-factor enabled, they will always be required to enter a code.
Q: Can my site deliver two-factor authentication via SMS Texts and Emails for some users, and via the Authenticator App for others?
A: Yes. The Site Administrator can choose each user’s delivery method through the Site > Users window.
Q: Is there a setting that enables two-factor authentication as a default for all new users?
A: Yes. A Site Administrator may enable two-factor authentication as a site default for all new users by enabling “Make mandatory for all New users” on the Site > Settings > Options tab. If this default has been enabled, all new users will be opted in to two-factor authentication.
Q: Can two-factor be applied to some users but not others? e.g. Guest users vs. Hosts?
A: Yes, Administrators can manage which users require two-factor. There is not an automated way of applying an “on or off” rule for future users based on type though; it must be managed manually.
Q: Can I import users using the Excel spreadsheet and enable two-factor authentication at the same time?
A: If users are added in bulk using the Excel import, a Site Administrator will have to manually enable two-step verification for those users after they are added (i.e. there is no new column in the import users spreadsheet).
Q: Will individual users be able to opt-in to (or opt-out of) two-factor?
A: No, like other Firmex security features, the Administrators are in control of how settings are applied.
Q: What if a user is having a hard time logging in with two-step authentication?
A: If a user cannot access their code (or loses their phone) and can’t sign in with two-step authentication, a Firmex Site Administrator can turn off two-step verification for that user in the Site Users Screen. The user could also call Firmex Client Services who will try to resolve the issue for them – given the approval of a Site Administrator or authorized client contact.
Q: If the user selects “trust me on this computer/device”, will they need to enter a new code again on a different computer?
A: Yes. They will also require a new code if:
- they delete their browser’s cookies, or
- they are using a different browser, or
- they are logging in as a different user, or
- a site administrator has disabled and then re-enabled two-step verification for that user
In the last case, the site administrator has essentially “reset” the user’s setting, and the user will have to use a new code next time they log in to any of their computers (it will not kick them out of the product if they are currently logged in).
Q: Is there a way of requiring a user to enter a Two-Step Verification code on every login?
A: Yes. A Site Administrator may choose to enforce a site-wide rule that users must authenticate with Two-Step Verification on every login. The option is available through the Site Settings > Options screen. Enabling it will remove the “trust me on this computer/device” option on the Site and Global login screen (the checkbox is still displayed on the mobile and desktop app, but the user will still be prompted to enter an authentication code).