Web:Multi-Factor Authentication Expansion: Difference between revisions

From Prime 16 Online User's Manual
Line 1: Line 1:
-Note: Google Authenticator MFA has also been added.  See that page for more information-
--Note: Google Authenticator MFA has also been added.  See that page for more information--


=Basic Description=
=Basic Description=

Revision as of 14:53, 14 March 2022

--Note: Google Authenticator MFA has also been added. See that page for more information--

Basic Description

By default, Prime 16 Web provides the ability to use email in a Multi-Factor Authentication (MFA) setup. This expansion allows your organization to expand on that by offering authentication codes via text or phone call. Texts and phone calls are provided using an organization-operated Twilio account, phone number, and setup.

All parts of the login experience, including Multi-Factor Authentication, may be controlled from easy-to-use administration forms within Prime.

Multi-Factor Authentication Setup

From within Prime 16 Web, navigate to Administration --> Logon and Multi-Factor Authentication (MFA) --> Logon Settings

The Logon Settings form allows you to set a number of options for your users:

Check the box next to Require Email Entry in Login to require the entry of Staff Number, Password, and Email in the initial login box. Uncheck this box to only require Staff Number and Password.

Check the box next to MFA is IP Conditional to bypass MFA if the user comes from an approved IP address. Uncheck the box if MFA is always required.

In MFA Bypass, enter the IP address, addresses, or IP address range (separated with commas) to indicate the IP address(es) that are approved to bypass MFA. Use the CIDR notation format to indicate address ranges, for example, 8.8.8.8/24 would cover addresses 8.8.8.1 to 8.8.8.254.

Check the box next to Enable Email MFA to offer email as an MFA option to users. Email MFA comes through the Kemp's Case Works domain email system, so you'll want to be sure to whitelist the kempscaseworks.com domain email system. Uncheck this box if you do not want to use Email MFA. [Note: Email MFA relies on the staff person's settings having a valid email address.]

Check the box next to Enable Text MFA to offer a text message as an MFA option to users. Text MFA uses a Twilio account set up and sustained by your organization to send these text messages. Uncheck this box if you do not want to use Text MFA. [Note: Text MFA relies on the staff person's settings having a valid cell phone number in the Multi-Factor Authentication Phone Number box found in the staff person's preferences settings.]

Check the box next to Enable Phonecall MFA to offer a phone call as an MFA option to users. Phone call MFA uses a Twilio account set up and sustained by your organization to make these phone calls. Uncheck this box if you do not want to use Phone call MFA. [Note: Phone call MFA relies on the staff person's settings having a valid phone number in the Multi-Factor Authentication Phone Number box found in the staff person's preferences settings.]
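The MFA Bypass field described above exempts every address it matches from MFA, so it helps to see exactly what each entry covers before saving it. The following Python sketch is an added example, not part of Prime 16 or its manual; it assumes standard CIDR semantics (how Prime itself parses the field is not stated on this page), and the function names, the 1024-address review threshold, and the sample values are constructed for illustration.

```python
import ipaddress

MAX_ADDRESSES = 1024  # assumed review threshold, not a Prime 16 setting


def audit_bypass_list(field_value, max_addresses=MAX_ADDRESSES):
    """Return one finding per comma-separated entry of an MFA Bypass value."""
    findings = []
    for raw in field_value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        finding = {"entry": entry, "network": None, "first": None,
                   "last": None, "count": 0, "warnings": []}
        findings.append(finding)
        try:
            # strict=False tolerates host bits after the prefix (8.8.8.8/24).
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            finding["warnings"].append("not a valid IP address or CIDR range")
            continue
        # Skip the network and broadcast addresses when the range has them.
        first, last = (net[1], net[-2]) if net.num_addresses > 2 else (net[0], net[-1])
        finding.update(network=str(net), first=str(first), last=str(last),
                       count=net.num_addresses)
        if "/" in entry and entry.split("/")[0] != str(net.network_address):
            finding["warnings"].append(f"host bits set; the range is {net}")
        if net.num_addresses > max_addresses:
            finding["warnings"].append(f"covers {net.num_addresses} addresses")
    return findings


def bypass_entries_for(client_ip, field_value):
    """List the entries that would exempt client_ip from MFA."""
    addr = ipaddress.ip_address(client_ip)
    return [f["entry"] for f in audit_bypass_list(field_value)
            if f["network"] and addr in ipaddress.ip_network(f["network"])]


if __name__ == "__main__":
    # Constructed field value: the page's example plus documentation-range samples.
    sample = "8.8.8.8/24, 203.0.113.10, 198.51.100.0/20, 10.0.0.300"
    for f in audit_bypass_list(sample):
        print(f)
    print(bypass_entries_for("8.8.8.77", sample))
```

In the sample, the mistyped `198.51.100.0/20` normalizes to `198.51.96.0/20` and covers 4096 addresses, which is the kind of entry worth catching in review.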

Login With MFA

Step 1 - ConvergeOne Login

The first step in logging in is to verify that you are an authorized user with ConvergeOne. Input your ConvergeOne user name. This is typically in the format of <firstname>.<lastname>, but may vary if another user has the same first and last name.

Step 2 - Staff Number, Password, Email Address(?)

Step 2 will vary, depending on the setup in the system. If the system is set to require the email address be entered, all three items are shown:

If the system is set not to require the email address, only staff number and password are shown:

Enter the required pieces of information and press Log In.

Step 3 - Choose your MFA Method

If MFA is not required (i.e., email, text, and phone call MFA are not checked), this step is skipped, as is the MFA Authentication in Step 4.

If only one type of MFA is allowed (e.g., only email is checked), then it is automatically chosen and the user moves directly to Step 4.

If more than one type of MFA is allowed, the user may choose the method of MFA Authentication. For each type, the system shows a partial snapshot of where the authentication message will be sent:

Choose your desired method by clicking on the circle next to it, and press Send Authentication Code / Proceed.

Step 4 - Enter Authentication Code

Enter the code sent by email, text, or phone call. Once it is entered, press Enter Code. If you need to resend the code, press the Resend Code button. This will take you back to Step 3. You may be able to select a different method there if necessary.

Twilio Setup

The Twilio setup mirrors that in the Texting Using Prime 16 page. In fact, many organizations may use the same number with Twilio to send MFA messages to staff. If that is the case, you can simply copy and paste information from the other setup page to this one.