Multi-factor authentication
This article describes how the CleverMaps platform can enforce additional security rules by activating Multi-factor authentication (MFA) and/or shortening the session lifetime.
We use Okta to implement our authentication experience. Okta is a world-class cloud identity and access management system, so our implementation is built on a mature and secure foundation. You can read more about it here: Okta | Multifactor Authentication
How to activate MFA for my users?
None of these settings can be changed by CleverMaps users or admins themselves. If you want to activate MFA, contact our support team at support@clevermaps.io. If you need to configure Multi-factor authentication and session lifetime on your own, we recommend using our Single sign-on feature instead. More here: SSO and Identity Providers.
For which users can MFA be activated?
Any of the following settings can be assigned to specific users by their email addresses or by an email domain (e.g. all users whose login email is *@clevermaps.io). We are not able to assign users based on project or organization membership. This means that project admins are responsible for inviting only users who have MFA configured, or for letting us know to change the assignment.
Which factor types are supported?
The following second-factor types are available. If more than one is enabled, the user may choose whichever they prefer (or enrol several).
Okta Verify
Okta Verify is a mobile app that verifies your identity in one of two ways. Okta can send you a push notification that you approve using Okta Verify. Alternatively, Okta Verify can generate a six-digit code that you enter into your Okta login screen to access your required app.
SMS Authentication
SMS Authentication uses the text messaging service on your cell phone to send you a one-time login code. You cannot enter this code by approving a push notification as you can in Okta Verify. Instead, you must type it in by hand.
Voice call
This factor calls you via your smartphone or landline and reads an access code aloud. You then type the code into the browser to access your app. This is great for people who don’t have access to a cell phone because it doesn’t require push notifications or text messages.
Google Authenticator
This third-party app generates a six-digit code for you to type into your Okta login screen. You have 30 seconds to input the code before it generates another. If you miss the window, use the next code to log in. After five unsuccessful attempts, Okta will lock your account for protection and you must contact an administrator for help.
FIDO2 (WebAuthn)
FIDO2 offers new methods to authenticate across various websites and devices. If you select Security key or Built-in authenticator at sign-in, Okta prompts you to register an authenticator via Web Authentication. It’s a bring-your-own-authenticator model similar to U2F but built right into your web applications. Web Authentication supports two authentication methods:
Security keys such as YubiKeys or Google Titan
Biometric authenticators such as Windows Hello or Apple Touch ID
YubiKey
Created by Yubico, a YubiKey is a physical MFA device that delivers a unique one-time password (OTP) every time it is activated. Plug it into a USB port and press the YubiKey hard token to generate a new OTP, which Okta will validate.
Security Question
To sign in, select a security question from a list and enter the correct response. The user chooses the security question from a list of available questions and sets the answer. The question could be something like “Your favourite movie?”
Email Authentication (not recommended)
The Email Authentication factor allows users to authenticate themselves by clicking an email magic link or using a six-digit code as a one-time password (OTP). Okta sends these authentication methods in an email message to the user's primary email address, which helps verify that the person making the sign-in attempt is the intended user. If the user doesn't click the email magic link or use the OTP within the challenge lifetime, the user isn't authenticated.
How often is the user forced to use MFA?
It is important to point out that the user is prompted for MFA only when they are forced to sign in. Therefore we recommend considering shortening the session lifetime when using MFA (see the next section). One of the following MFA prompt frequencies can be configured.
At every sign-in
When signing in with a new device cookie
If users select "Do not challenge me on this device again" on the sign-in widget and authentication is successful, MFA will be remembered for the device cookie. As long as the device cookie is valid, users will not be prompted for MFA when signing in.
When signing in after the MFA lifetime expires for the device cookie
If users select "Do not challenge me on this device for the next 15 minutes" on the sign-in widget and authentication is successful, MFA will be remembered for the device cookie. As long as the configured MFA lifetime for the device cookie is valid, users will not be prompted for MFA when signing in.
How often is the user forced to sign in?
Users are forced to sign in with their password or social login (first factor) whenever their session expires. The session expires after its lifetime passes, or earlier when the user has been inactive for some time. It is important to point out that the user is prompted for MFA only when they are forced to sign in. Therefore we recommend considering shortening the session lifetime when using MFA.
Maximum session lifetime
Setting a maximum session lifetime reduces the risk of session cookie misuse or hijacking. Global sessions will expire even if no maximum idle time is set. Defaults to “No time limit”.
Maximum session idle time
A global session will expire when the user is inactive for a specified amount of time, regardless of the maximum global session lifetime. Defaults to “30 days”.
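The interplay between session expiry and MFA prompt frequency described in the two sections above, as an added example (not CleverMaps or Okta code): a small policy evaluator that decides, for a given request, whether the user must sign in again and, if so, whether an MFA prompt is due. The data model, function names and sample timestamps are constructed for illustration; the defaults (no lifetime limit, 30-day idle time, 15-minute MFA lifetime for the device cookie) follow the values stated on this page.

```python
"""Added example (not CleverMaps or Okta code): session-expiry and
MFA-prompt evaluation modelled on the options described above.
Times are Unix seconds; every class and function name is an assumption."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class MfaPrompt(Enum):
    EVERY_SIGN_IN = "every sign-in"
    NEW_DEVICE_COOKIE = "new device cookie"
    DEVICE_COOKIE_LIFETIME = "device cookie MFA lifetime"


@dataclass
class SessionPolicy:
    max_lifetime: Optional[int] = None     # seconds; None = "No time limit" (page default)
    max_idle: Optional[int] = 30 * 86400   # seconds; page default is 30 days
    mfa_prompt: MfaPrompt = MfaPrompt.EVERY_SIGN_IN
    mfa_lifetime: int = 15 * 60            # only used with DEVICE_COOKIE_LIFETIME


@dataclass
class Session:
    created_at: int
    last_activity: int


@dataclass
class DeviceCookie:
    """What 'Do not challenge me on this device...' leaves behind in the browser."""
    remembered: bool = False
    mfa_verified_at: Optional[int] = None


def session_expires_at(policy: SessionPolicy, session: Session) -> Optional[int]:
    """Earliest of the absolute-lifetime and idle deadlines; None if neither applies."""
    deadlines = []
    if policy.max_lifetime is not None:
        deadlines.append(session.created_at + policy.max_lifetime)
    if policy.max_idle is not None:
        deadlines.append(session.last_activity + policy.max_idle)
    return min(deadlines) if deadlines else None


def session_expired(policy: SessionPolicy, session: Session, now: int) -> bool:
    expiry = session_expires_at(policy, session)
    return expiry is not None and now >= expiry


def mfa_required(policy: SessionPolicy, device: DeviceCookie, now: int) -> bool:
    """Evaluated only at sign-in: a still-valid session never triggers an MFA prompt."""
    if policy.mfa_prompt is MfaPrompt.EVERY_SIGN_IN:
        return True
    if policy.mfa_prompt is MfaPrompt.NEW_DEVICE_COOKIE:
        return not device.remembered
    # DEVICE_COOKIE_LIFETIME: the cookie counts only while the MFA lifetime has not elapsed
    if not device.remembered or device.mfa_verified_at is None:
        return True
    return now - device.mfa_verified_at >= policy.mfa_lifetime


def required_step(policy: SessionPolicy, session: Session, device: DeviceCookie, now: int) -> str:
    """'none' (session still valid), 'password', or 'password+mfa'."""
    if not session_expired(policy, session, now):
        return "none"
    return "password+mfa" if mfa_required(policy, device, now) else "password"


if __name__ == "__main__":
    # Constructed scenario: 8-hour lifetime, 30-minute idle, MFA remembered for 15 minutes.
    policy = SessionPolicy(max_lifetime=8 * 3600, max_idle=30 * 60,
                           mfa_prompt=MfaPrompt.DEVICE_COOKIE_LIFETIME)
    session = Session(created_at=0, last_activity=600)
    device = DeviceCookie(remembered=True, mfa_verified_at=600)
    for now in (1200, 2700):
        print(now, required_step(policy, session, device, now))
```

The evaluator makes the page's key point explicit: with the default "No time limit" lifetime and 30-day idle time, a user who stays active can go a month without a sign-in, and therefore a month without an MFA prompt, whatever the prompt frequency is set to.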
Caveats
Our current login form at secure.clevermaps.io/#/login does not yet support Multi-factor authentication. If MFA is activated and a user tries to sign in there, the current login form shows “Wrong E-mail or Password“. Users need to use our new alternative form hosted at login.secure.clevermaps.io. We recommend instructing your users to bookmark this new login form. In the future, we will deprecate the current login form and switch to the new one. We apologize for the temporary inconvenience.
We are not able to assign users based on project or organization membership. This means that project admins are responsible for inviting only users who have MFA configured, or for letting us know to change the assignment.