Effective November 3, 2023, all users will be required to utilize multi-factor authentication (MFA) as a mandatory security measure each time they log into isolved.
Each client and employee can select their own way of providing their multi-factor authentication. In addition to the two-factor authentication options of text and email you already have in isolved today, additional methods of authentication will become available with this release:
- Third-party authentication applications: authenticate with applications that generate time-based, one-time passwords. There are many apps available, including Google Authenticator, Microsoft Authenticator, and Authy.
- FIDO2 passwordless authentication security keys: these small physical devices are easy to use because there’s nothing to install and no codes to enter. Security keys are a great solution if mobile devices aren’t an option for users. Keys are available from manufacturers like YubiKey.
- Platform authenticators: use a desktop application or a mobile device’s built-in authenticator service, such as Windows Hello, Touch ID, or Face ID. Each user would need to enable these native options on their device of choice to use them.
What is multi-factor authentication (MFA)?
MFA is an effective way to increase protection for user accounts against common threats like phishing attacks, credential stuffing, and account takeovers.
How does MFA work?
MFA adds another layer of security to your login process by requiring users to enter two or more pieces of evidence – or factors – to prove they are who they say they are. One factor is something the user knows, such as their username and password combination. Other factors are verification methods that the user has in their possession, such as an authenticator app or security key.
Will we be required to enable MFA?
MFA will automatically be enabled for you. This will be a requirement for all users accessing isolved. Each client and employee can select their own way of providing two-factor authentication.
Why is isolved requiring MFA?
The confidentiality, integrity, and availability of each client’s data is vital to their business and the protection of that data is taken very seriously. As the global threat landscape evolves, implementing these security measures is essential for the safety and well-being of your business and employees.
What is the advantage of MFA to me?
Clients will have a greater ability to protect their company’s and employees’ data, utilizing additional options to authenticate seamlessly with a more intuitive user interface.
When does this go into effect?
The requirement for MFA will go into effect for all isolved users on November 3, 2023.
Is there anything I can do to prepare my employees?
Yes! While employees already have the option to authenticate using their email, you should encourage ALL employees to ensure they also have a phone number registered to their account. This will ensure they can authenticate whether or not they use the new options we have added.
What impact will this have on users?
Users will now be asked to authenticate each time they log in, as opposed to once every 30 days or when a new IP address is identified.
How long are user sessions?
User sessions last 15 minutes, and then the system will ask whether you would like to stay logged in or not.
Can users have password-less access on multiple devices?
Yes, each device will allow and recognize what was set up on that device and use that as a default. Some password-less options can be used on multiple devices.
How frequently must users provide a verification method when logging in directly?
As part of this update, users will need to provide a verification method every time they log in to isolved.
What authentication options can be used?
- Platform Authenticators: Easy MFA verification using a desktop or mobile device’s built-in authenticator service, such as Windows Hello, Touch ID, or Face ID.
  - Each user will need to enable these native options on their device of choice to use them. If someone does not have Face ID enabled on their device, then they will not be prompted to use this frictionless option.
- Third-Party Authenticator Apps: Authenticate with apps that generate temporary codes based on the OATH time-based one-time password (TOTP) algorithm. There are many apps available, including Google Authenticator, Microsoft Authenticator, and Authy.
- FIDO2 Password-less Authentication Security Keys: These small physical devices are easy to use because there is nothing to install and no codes to enter. Security keys are a great solution if mobile devices are not an option for users. Keys are available from manufacturers like YubiKey.