INTRODUCING TWO-FACTOR AUTHENTICATION
Two-factor authentication (2FA) is being introduced to Definitiv.
2FA adds an additional layer of security to Definitiv. It helps to protect user accounts from unauthorised access by requiring users to supply a secure six-digit code, along with their username and password when logging into Definitiv.
Due to new ATO requirements, when released, 2FA will be mandatory for users with access to other people’s tax and super information. For all other users, it will not be mandatory; however, we encourage you to enable 2FA globally for enhanced security.
With the introduction of 2FA on Wednesday 2 January 2019, existing users who have a role that requires 2FA will still be able to log in normally with only their username and password. Upon logging in, they will be prompted to set up 2FA (see the ‘Setting up 2FA’ section below).
To give these users adequate time to set up 2FA, there will be a four-week migration period. After the four weeks have ended, they will be required to use 2FA.
Configuring 2FA for users
- Navigate to the User Roles page;
- Click on the View button (located under the Options column) for the role for which you want to enable 2FA;
- Select the newly added Requires 2FA checkbox. This checkbox is located to the right of the Is Default For New Users checkbox; and
- Scroll to the bottom of the page and click Save.
When the Requires 2FA checkbox is enabled, any user with this role will be required to use 2FA to log in.
As mentioned above, 2FA will be mandatory for any users with permissions that fall within the ATO’s mandated requirements for 2FA.
To make it easier for you to manage, each permission that falls within the ATO’s mandate will have a Requires 2FA marker. This marker can be found to the right of the Self column in the Edit Authorisation Role page, as shown below.
The indicated permissions only require 2FA if granted to any level above self, as it is only mandatory if you are viewing other people’s information.
Understanding the Requires 2FA marker
- Showing as grey – If the permission is only set as self, the Requires 2FA marker will show up as grey, meaning 2FA is not required for this specific permission.
- Showing as blue – If, for example, the permission is set at line manager level, then the Requires 2FA marker will show as blue, meaning 2FA is required for this user role.
If the Requires 2FA marker shows as blue for at least one permission held by a role, all users assigned to that role will automatically be configured with 2FA. This is the case even if the Requires 2FA checkbox has not been ticked for that role.
2FA affects all users assigned to a role
In some cases, employees and managers may be assigned the same role within Definitiv. Most commonly named ‘Employee’, this role allows for employees to be promoted to line manager or project manager in Definitiv without them having to be assigned to a new user role. This is because a permission may be set up at self, line manager and project manager level.
In this instance, if 2FA is required for a permission granted above self level in this user role (i.e. at line manager level), then everyone on this role will be required to use 2FA. This applies even if an employee on this user role has no line manager permissions in practice (i.e. no subordinates in the organisation chart) within Definitiv.
If you do not wish for your regular employees with only self-level access for permissions to have 2FA enabled, we suggest setting up separate employee and manager roles.
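The role evaluation rule described in the two sections above, as an added example that is not Definitiv's own code: a marked permission turns the marker blue only when granted above self level, a role enforces 2FA if the checkbox is ticked or any marker is blue, and every user on such a role is affected. The permission names, user names and the shared versus split role setups are constructed for illustration.

```python
from dataclasses import dataclass, field

# Access levels in the order the page describes them; any level above
# "self" means the holder can view other people's information.
LEVELS = ("self", "line manager", "project manager")


@dataclass
class Permission:
    name: str
    level: str                # highest level at which the permission is granted
    ato_marked: bool = False  # carries the Requires 2FA marker on the role page


@dataclass
class Role:
    name: str
    requires_2fa_checkbox: bool = False
    permissions: list = field(default_factory=list)


def marker_is_blue(p: Permission) -> bool:
    """A marked permission shows blue only when granted above self level."""
    return p.ato_marked and LEVELS.index(p.level) > LEVELS.index("self")


def role_requires_2fa(role: Role) -> bool:
    """2FA is enforced if the checkbox is ticked or any marker shows blue."""
    return role.requires_2fa_checkbox or any(marker_is_blue(p) for p in role.permissions)


def users_needing_2fa(roles, assignments):
    """assignments maps user -> role name; everyone on a 2FA role is affected."""
    required = {r.name for r in roles if role_requires_2fa(r)}
    return sorted(u for u, r in assignments.items() if r in required)


# Constructed sample: hypothetical permission and user names, not Definitiv data.
TAX = Permission("View tax details", "line manager", ato_marked=True)
SHARED = [Role("Employee", permissions=[TAX])]                     # one role for all
SPLIT = [Role("Employee", permissions=[Permission("View tax details", "self", True)]),
         Role("Manager", permissions=[TAX])]                       # separate roles
SHARED_USERS = {"alice": "Employee", "bob": "Employee"}            # bob has no reports
SPLIT_USERS = {"alice": "Manager", "bob": "Employee"}

if __name__ == "__main__":
    print(users_needing_2fa(SHARED, SHARED_USERS))  # ['alice', 'bob']
    print(users_needing_2fa(SPLIT, SPLIT_USERS))    # ['alice']
```

Running it shows why the page recommends separate roles: on the shared Employee role bob is pulled into 2FA despite having no subordinates, while the split setup limits it to the manager.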
SETTING UP 2FA
Users with 2FA configured will be prompted on login with an instructional screen on how to set up 2FA.
For new users, once they have received their New User Invitation email and have created their password, they will then be shown the same 2FA instructional screen (as shown below).
New login process
Once an account is set up with 2FA, the user will begin seeing the below login screen after entering their username and password. The six-digit code to be entered will be generated by their authentication app of choice. Once the code is entered, the user will be logged into their Definitiv account.
Once a code has been accepted, the browser is trusted for 24 hours. Users will not have to repeatedly enter a code throughout the day; it will only be required once per day in that browser.
Lost 2FA devices
If a user loses or breaks the device that contains their 2FA token, they will no longer be able to access their Definitiv account until a new device is set up.
To streamline this process for system administrators, there is a new “Reset User Two-Factor Authentication” feature within the User Listing page. Once you have selected this option, the user will be emailed with a link that will allow them to go through this process themselves. After accessing their email and following the link, users will still be required to enter their password before being able to link a new 2FA device.
For clients utilising Definitiv's single sign-on feature, 2FA is still a requirement, so all of the above still applies. Users who require 2FA will still be prompted to set up a 2FA device on their first login, and once set up they will be prompted with the above login page. This will occur after the user has authenticated with the Identity Provider, e.g. ADFS.