Multi Factor Authentication
Multi Factor Authentication (MFA) is an additional layer of security that verifies a user's identity by requiring multiple sets of credentials.
The purpose of this article is to describe the process of enabling and disabling MFA for Aurora.
Introduction
Multi Factor Authentication (MFA) is a security system that verifies a user's identity by requiring multiple sets of credentials. Rather than asking only for a username and password, MFA, when enabled, requires an additional credential, such as a code from the user's smartphone. Aurora's implementation of MFA leverages the Google Authenticator framework and app.
Once set up, the Google Authenticator app generates a dynamic code, which changes every 30 seconds. You then provide the latest version of this code when logging into Aurora.
This process is also known as TOTP (Time-based One-Time Password), and more can be read here.
Enabling MFA on your store adds an extra security layer for your admin users: even if a user's password is compromised, their account still cannot be accessed without access to their Google Authenticator app.
Enabling Multi Factor Authentication
This setting enables Multi Factor Authentication for your store.
Enable MFA
This setting can be found by navigating to Store > Settings > Security > Multi Factor Authentication
| Option | Description |
|---|---|
| MFA Disabled | MFA will be disabled. |
| MFA Optional | MFA will be enabled on a per admin user basis. It is not enforced, but can be enabled for some users and not others. |
| MFA Required | MFA will be enabled for all admin users. All admin users will now be required to use MFA when logging into Aurora. |
Setting up Multi Factor Authentication for Users
If MFA is set to Required, each user will be prompted to set up MFA when next logging in to Aurora. If MFA is set to Optional, it can be enabled on a per-user basis:
To enable MFA for a specific user, they should visit Users > Multi Factor Authentication and click the Enable Multi Factor Authentication button.

Users should download the Google Authenticator app from the Google Play Store / Apple App Store.
Using the Google Authenticator app, users should scan the QR code to automatically add their Aurora account. If the user would prefer to set up their account manually, they can use the "QR code not working" link, which gives them a secret string of characters and numbers that can be entered by hand to add their Aurora account to the Google Authenticator app.

Once the user's Aurora account has been added to the Google Authenticator app, either manually or via the QR code, they need to verify it by entering the latest code the app generates for that account.

Once verified and enabled, each user has a set of recovery codes generated. These can be used to unlock their account if the Google Authenticator app is unavailable. Each code can only be used once. The codes can be viewed on the Users > Multi Factor Authentication page and should be recorded somewhere secure.

Once all of a user's recovery codes have been used up, another user with the appropriate permissions can reset that user's MFA in Users > Edit User > User Info.
This forces the user to set up MFA again on their next login to Aurora, generating a new set of recovery codes.
Logging Into Aurora With MFA Enabled
Users begin their login process as normal, entering their email address and password. If MFA is set to Required, the input for the authentication code is shown below the password. If MFA is Optional, the user has to click the "Enter Authentication Code" link to reveal the input.
Username, password and authentication code must be entered at the same time. The user should enter the current code generated by their Google Authenticator app for their Aurora account.
If the username, password or MFA code is incorrect, the user is not told which one failed. A generic "Login Failed" message is displayed.


Using Recovery Codes
If a user doesn't currently have access to their Google Authenticator app, or has lost it, they can use a recovery code to log into Aurora. Click the "Use Recovery Code" link when logging into Aurora to use one of your recovery codes. Once a recovery code has been used, it cannot be used again. Username and password must be entered at the same time as the recovery code.
Once all recovery codes have been used up, MFA can be reset for that user, generating a new set of recovery codes.
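The recovery-code behaviour described in the setup section and here (a fixed set issued once, each code valid exactly once, and a reset that invalidates the old set and issues a new one) is a small state machine. The following is an added example modelling it, not Aurora's implementation; the code count, format and the use of SHA-256 digests for storage are assumptions. Storing only digests means a leaked copy of the store cannot be replayed as working codes, and the constant-time comparison avoids leaking which stored digest was close.

```python
import hashlib
import hmac
import secrets
from typing import List


class RecoveryCodes:
    """Single-use recovery codes for one user (constructed model, not Aurora's code).

    Only SHA-256 digests are kept. The plaintext codes are returned exactly once,
    when they are generated, for the user to record somewhere secure.
    """

    CODE_COUNT = 8  # assumed size of a set; the page does not state Aurora's count

    def __init__(self) -> None:
        self._digests: List[str] = []

    @staticmethod
    def _normalise(code: str) -> str:
        # Accept the code however the user typed it: ignore the separator, spaces and case.
        return code.replace("-", "").replace(" ", "").lower()

    @classmethod
    def _digest(cls, code: str) -> str:
        return hashlib.sha256(cls._normalise(code).encode()).hexdigest()

    def reset(self) -> List[str]:
        """Discard any remaining codes and issue a fresh set (what an admin reset triggers)."""
        codes = []
        for _ in range(self.CODE_COUNT):
            raw = secrets.token_hex(5)              # 40 bits of randomness per code
            codes.append(f"{raw[:5]}-{raw[5:]}")    # shown to the user as xxxxx-xxxxx
        self._digests = [self._digest(c) for c in codes]
        return codes

    def remaining(self) -> int:
        return len(self._digests)

    def redeem(self, code: str) -> bool:
        """Consume a code if it is valid.

        Returns True at most once per code; a reused, unknown, or previously
        reset-away code is rejected."""
        wanted = self._digest(code)
        for i, stored in enumerate(self._digests):
            if hmac.compare_digest(stored, wanted):
                del self._digests[i]
                return True
        return False


if __name__ == "__main__":
    store = RecoveryCodes()
    issued = store.reset()
    print("issued:", issued)
    print("first use:", store.redeem(issued[0]))    # True
    print("second use:", store.redeem(issued[0]))   # False: single use
    print("remaining:", store.remaining())
```

The login path that accepts a recovery code should treat it exactly like the TOTP code: check it together with the username and password, and report only a generic failure when any of the three is wrong.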

Reset a User's MFA Credentials
You can reset a user's MFA credentials at any time. This is done on the Users > Edit User > User Info tab.

If the store-wide MFA setting is MFA Optional, the user's MFA credentials are removed: they will be able to log in to Aurora with just their password, and it will be up to them to enable MFA again. If your store's MFA setting is MFA Required, the user will be forced to set up MFA again.