How to Manage and Set Up Two-Factor Authentication within ISI Central


Purpose of Document

This document explains how to set up and enable Two-Factor Authentication, also known as 2FA. 2FA increases security and protects against unauthorized access to ISI Central Reporting and Setups. This is especially important for ISI Central Setups, as tampering with the information there can adversely affect the operations of the store. 2FA is set up on a per-organization basis and will globally affect all users in that organization.

 

Setting up Two-Factor Authentication

For the purposes of this documentation, we are using a test organization.

 

1.  Log into ISI Central and click on the “Setups” button.

2.  Click on the “User” link under “Administration”.

3.  Search for the user using one or more of the fields within the search page.

4.  Click on the user listed in the search results.

5.  The page will load to the user edit screen.

6.  Click on the “Modify” button under “Organization Reports Permission”.

7.  This will display the “Manage Organization Membership” window.

8.  Click on the organization name you wish to edit (not the check box). The organization name will turn red when clicked on.

9.  Click on the “Edit…” button.

10. Place a check mark in the Two-Factor option boxes you wish to activate.

11. Click on the “OK” button.

12. The user window will be displayed. At the bottom of this screen, click the red “Save” button.

 

Require Two-Factor Authentication – select to activate 2FA for the organization. By selecting this option, all sub organizations of the current organization will also use 2FA (see Notes for additional information).

Allow User Setup at Login – it is highly recommended to select this option so users can add and validate contact information for 2FA during their first login after 2FA has been set up. The contact information will be saved in fields separate from the email and phone number already stored with a user account. The 2FA contact fields do not default to the existing user account contact fields. Once 2FA is active, these new contact fields become visible in the user information. If this option is not selected, the organization administrator will need to add valid 2FA contact information (email, phone) to every user account.

Allow Remember this Device – this option gives users the opportunity during login to remember the device they are using, so 2FA will not be required for 14 days. This functionality only works for one device/browser at a time.

Allowed Methods – select the contact methods to make available in the organization for 2FA.


IMPORTANT: If the organization is already set up and you remove one or more allowed 2FA methods, it will remove that option for everyone in the organization and may adversely affect logins.

Logging into ISI Central with Two-Factor Authentication

When a user has 2FA activated, upon submitting their username and password, they will be presented with the 2FA code generation and entry screens.

1.  When logging in for the first time after Two-Factor Authentication has been enabled, a user with no contact methods configured will either be prompted to configure them before logging in or be blocked from accessing the site until their group admin configures their methods.

    1. If setup at login is not allowed, they will be shown:

2.  When setup is allowed at login, the user will be prompted to configure the contact methods allowed to them:

3.  When Validate is pressed, a code will be sent to the configured contact method, and the user must enter and validate the code before they can continue.

    1. At least one contact method must be validated before the values can be saved.
    2. Every method for which a value is provided must be validated before anything can be saved.
    3. The normal Two-Factor Authentication login process is skipped after saving.

4.  When their contact methods are configured, at the next login the user will select a 2FA option by clicking on one of the radio buttons next to the preferred authentication method, then clicking on “Send Code”.

5.  The user will receive an automated email, text message, or phone call with an authorization code. Enter the code provided into the “Authentication Code” field and click on the “Validate” button. The user can place a check mark in the “Remember this device?” box if the device they are using is a personally secured and trusted device. The user can also click on “Choose another method” to go back to the previous screen.

Two-Factor Authentication Deactivation

To deactivate Two-Factor Authentication, complete the steps under “Setting up Two-Factor Authentication” in this document, and uncheck the 2FA options.

 

Notes

  • When 2FA is required for an organization it is automatically required for all sub organizations. 
  • If an Allowed Method (Email, Text Message, Phone Call) is not selected for an organization, then that contact method cannot be used for sub organizations under that organization. 
  • If Allow Remember this Device is not selected for an organization, then Allow Remember this Device cannot be used for sub organizations under that organization. 
  • If a user is associated with any organization that does not Allow User Setup at Login or Allow Remember this Device, then they will not be allowed to use those options.
  • If the user is associated with any organization that allows a contact method (Email, Text Message, Phone Call), then they can choose that contact method, even if they are also associated with a different organization that does not allow the method.
  • Only configured and allowed contact methods will be displayed during the login process.
  • The Remember this device option will be saved for 14 days. Only one device/browser can be remembered at a time.
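
The inheritance rules in the Notes above, worked through as an added Python example (not ISI Central code) that an administrator can use to reason about which options a user will actually see. The field names, the sample organizations, and the rule that a user must use 2FA when any of their organizations requires it are assumptions made for illustration.

```python
from dataclasses import dataclass

ALL_METHODS = frozenset({"email", "text", "call"})

@dataclass
class Org:  # hypothetical model of one organization's 2FA settings
    name: str
    parent: "Org | None" = None
    require_2fa: bool = False
    allow_setup_at_login: bool = False
    allow_remember_device: bool = False
    allowed_methods: frozenset = ALL_METHODS

def effective_org(org):
    """Apply the parent-to-sub-organization rules from the Notes."""
    line, node = [], org
    while node is not None:          # the organization, then each ancestor
        line.append(node)
        node = node.parent
    methods = ALL_METHODS
    for o in line:                   # a method unselected above is unusable below
        methods = methods & o.allowed_methods
    return {
        "required": any(o.require_2fa for o in line),
        # The Notes state no parent rule for setup at login: own setting only.
        "setup_at_login": org.allow_setup_at_login,
        "remember_device": all(o.allow_remember_device for o in line),
        "methods": methods,
    }

def effective_user(orgs):
    """Combine the policies of every organization a user belongs to."""
    pols = [effective_org(o) for o in orgs]
    return {
        "required": any(p["required"] for p in pols),  # assumption, see lead-in
        # One organization that disallows either option disables it for the user.
        "setup_at_login": all(p["setup_at_login"] for p in pols),
        "remember_device": all(p["remember_device"] for p in pols),
        # A method allowed by any one organization may be chosen.
        "methods": frozenset().union(*(p["methods"] for p in pols)),
    }

# Constructed sample hierarchy.
HQ = Org("HQ", require_2fa=True, allow_setup_at_login=True,
         allow_remember_device=True, allowed_methods=frozenset({"email", "text"}))
STORE = Org("Store A", parent=HQ, allow_setup_at_login=True,
            allow_remember_device=True)
FRANCHISE = Org("Franchise", allow_setup_at_login=True,
                allowed_methods=frozenset({"call"}))

if __name__ == "__main__":
    print(effective_org(STORE))
    print(effective_user([STORE, FRANCHISE]))
```

In the sample, Store A inherits the 2FA requirement from HQ and loses the phone call method because HQ does not allow it, while a user who also belongs to Franchise regains the phone call method but loses “Remember this device”.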