Two-factor authentication is a new optional security feature that can be enabled by a Firmex Administrator for some or all of a site’s users. Two-factor authentication, shown in the product as “two-step verification”, requires a user to enter a one-time-use security code in addition to their standard password when logging in. The security code is delivered to the user by email or SMS text message to verify the user’s identity.
How It Works
- Request To Enable Two-Factor Authentication
A Site or Project Administrator must contact their Account Manager or Firmex Client Services to enable two-factor authentication. Once enabled, the site administrator may choose between Email message and SMS Text as a two-factor authentication delivery method.
- Enable Two-Factor Authentication For Existing Users
A Site Administrator may enable two-factor authentication for existing site users through the Site > Users screen.
- Enable Two-Factor Authentication For New Users
When creating a new user, in Step 1 of the Add Users wizard, a Project Administrator may opt the new user in to two-factor authentication.
- Logging In For The First Time (SMS Two-Factor Authentication)
When a user logs in to Firmex for the first time, after entering their Firmex password, Firmex will ask the user to enter their mobile phone number. Firmex will immediately send a text message to the mobile number with a one-time-use verification code. Once the verification code has been entered into Firmex, the user is able to proceed with their login.
- Logging In For The First Time (Email Two-Factor Authentication)
When a user logs in to Firmex for the first time, after entering their Firmex password, Firmex will send an email to the user’s primary email address containing a one-time-use verification code. Once the verification code has been entered into Firmex, the user is able to proceed with their login.
Frequently Asked Questions
Q: Who manages two-factor settings and at what level?
A: A Site Administrator turns the two-factor option on or off for a Firmex site. Project Administrators who add users to a project can turn two-factor authentication on or off for a user they are creating. A Site Administrator is required to turn two-factor settings on or off for existing site users.
Q: Can I enable two-factor authentication for one project and not for another?
A: No, two-factor authentication is a site-level setting. The user is asked to enter the verification code when they log in to Firmex, rather than when they enter a project.
Q: Can my site deliver two-factor authentication via SMS texts for some users and Emails for other users?
A: Yes. The Site Administrator can choose each user’s delivery method – either Email or SMS text.
Q: Is there a setting that enables two-factor authentication as a default for all new users?
A: Yes. A Site Administrator may enable two-factor authentication as a site default for all new users by going to the Site > Settings > Options tab and enabling “Make mandatory for all New users”. If this default has been enabled, all new users will be opted in to two-factor authentication.
Q: Can two-factor be applied to some users but not others? e.g. Guest users vs. Hosts?
A: Yes, Administrators can manage which users require two-factor. There is not an automated way of applying an “on or off” rule for future users based on type though; it must be managed manually.
Q: Can I import users using the Excel spreadsheet and enable two-factor authentication at the same time?
A: If users are added in bulk using the Excel import, a Site Administrator will have to manually enable two-step verification for those users after they are added (i.e. there is no new column in the import users spreadsheet).
Q: Will individual users be able to opt-in to (or opt-out of) two-factor?
A: No, like other Firmex security features, the Administrators are in control of how settings are applied.
Q: What if a user is having a hard time logging in with two-step authentication?
A: If a user cannot access their code (or loses their phone) and can’t sign in with two-step authentication, a Firmex Site Administrator can turn off two-step verification for that user in the Site Users Screen. The user could also call Firmex Client Services who will try to resolve the issue for them – given the approval of a Site Administrator or authorized client contact.
Q: If the user selects “trust me on this computer/device”, will they need to enter a new code again on a different computer?
A: Yes. They will also require a new code if:
- they delete their browser’s cookies, or
- they are using a different browser, or
- they are logging in as a different user, or
- a site administrator has disabled and then re-enabled two-step verification for that user
In the last case, the site administrator has essentially “reset” the user’s setting, and the user will have to use a new code next time they log in to any of their computers (it will not kick them out of the product if they are currently logged in).
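The trusted-device rules in this answer, modelled as an added example (this is not Firmex's code or implementation; the cookie format, the signing key and the per-user reset counter are assumptions made for illustration). It shows why a trust decision stored in a browser cookie stops applying when the cookie is missing, belongs to another user, or predates an administrator reset.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret used to sign trust cookies.
SERVER_KEY = secrets.token_bytes(32)


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


class TrustStore:
    """Hypothetical server-side state: one reset counter per user."""

    def __init__(self):
        self.resets = {}  # user -> number of admin resets so far

    def issue(self, user: str) -> str:
        """Cookie set in one browser after a code is accepted with 'trust' ticked."""
        payload = f"{user}|{self.resets.get(user, 0)}|{secrets.token_hex(8)}"
        return f"{payload}|{_sign(payload)}"

    def admin_reset(self, user: str) -> None:
        """Admin disables then re-enables two-step verification for the user."""
        self.resets[user] = self.resets.get(user, 0) + 1

    def needs_code(self, user: str, cookie) -> bool:
        """True when login must ask for a fresh verification code."""
        if not cookie:                # cookies deleted, or a different browser/computer
            return True
        parts = cookie.split("|")
        if len(parts) != 4:           # malformed value: fail closed
            return True
        c_user, c_resets, _nonce, sig = parts
        expected = _sign("|".join(parts[:3]))
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return True               # forged or edited cookie
        if c_user != user:            # logging in as a different user
            return True
        # Admin reset since the cookie was issued: every device must re-verify.
        return c_resets != str(self.resets.get(user, 0))
```

Because the reset is checked only at login, this model matches the note above that a reset does not end a session that is already open.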