Introduction
Multi-factor authentication (MFA) is a multi-step login process that requires more than just a username and password. Usually the extra step proves possession of something only the legitimate user has, so that someone who knows the username and password alone is still not allowed to log in. For example, along with the password, users might be asked to enter a code sent to their email or phone, scan a fingerprint, or use an authenticator app that implements TOTP (Time-based One-Time Password). Answering a secret question is sometimes offered as well, but it is just another piece of knowledge rather than something the user possesses, so it adds far less protection.
Frotcom's MFA implementation is based on the TOTP standard published by the IETF (Internet Engineering Task Force) as RFC 6238. In simple terms, an app on the user's smartphone, once configured with a secret token generated by Frotcom, produces 6-digit codes that are only valid for that user's Frotcom login. Each code expires after 30 seconds, after which a new one is generated automatically. Because the Frotcom authentication system holds the same token, it can compute the same time-based code and compare it with the one the user enters. This way, only someone with access to the smartphone on which the authenticator app was configured (or to a copy of the token itself, which is why the token must never be shared) can log in to Frotcom. The authenticator app is configured effortlessly by scanning a QR code with the phone camera.
There are many free authenticator apps available, and any app that fully implements TOTP will work with Frotcom. However, because it is not possible to know all of them well enough to support them, Frotcom only recommends two of the most widely used: Google Authenticator and Microsoft Authenticator. Both are available for Android and iOS phones.
Frotcom is fully aware that enhanced security usually makes apps less convenient. With browsers storing passwords, logging in to Frotcom is very convenient, requiring only a click on the login button because the credentials (username and password) are filled in automatically. But in a world with increasing cybersecurity threats, extra care is required. With that in mind, our implementation of MFA lets each user select the level of security they require:
- No MFA (not recommended) - use this option only if you accept that anyone who obtains your password can log in as you. If you select it, it is even more important that your password is complex, randomly generated, and changed periodically.
- MFA requested when the IP changes (our recommendation) - with this option you avoid the inconvenience of fetching a one-time code from the authenticator app on your phone at every login. Anyone trying to log in from a different location (a different network) will have a different IP address and will not be able to log in without an authenticator app configured for your account, something only you can do after logging in. Keep in mind that the check is based on the public IP address: someone on the same network (for example behind the same NAT or office gateway) presents the same IP and is not prompted, while a change of your own IP (a new mobile connection, a VPN) triggers a prompt.
- MFA always requested (recommended if you cannot trust your network) - with this option the one-time code is requested at every login.
Setup
After you log in to Frotcom Web, you will see the following popup:
If you don't set up MFA, this message is displayed up to five times. After that, you can set your security level from the User preferences menu.
By clicking on the Setup button you can increase the security of your account:
You can activate it with one of the following options:
- MFA on different IPs - after you enter the correct username and password, a code from your authenticator app is requested only when your IP address differs from the one used at your last login (default option);
- Always MFA - after you enter the correct username and password, a code from your authenticator app is always requested.
Now make sure you have an authenticator app installed (Google Authenticator, Microsoft Authenticator, or any other TOTP authenticator app of your choice; we suggest Google Authenticator).
To link your authenticator app with Frotcom Web, select one of the two following options:
- Scan QR Code (point the phone camera at the QR code presented);
- Enter the setup key manually into your authenticator app (the characters shown below the QR code, for example NUKKKKKKCEY2HHJW).
Note: Do not share the QR code image or the characters below it. Anyone who has either one can configure their own authenticator app with your token and generate valid codes for your Frotcom Web account.
A new entry named Frotcom Web will be added to the list of accounts in your authenticator app, showing a 6-digit code like the example below:
Enter this code in the Frotcom Web window within 30 seconds to pair your authenticator with your login, then click on Setup. The blue circle on the right counts down the 30 seconds; when it runs out, a new code is generated and the old one is no longer valid.
Once the code is confirmed, you will see the following confirmation popup:
Changing and removing MFA
You can change your MFA choice at any time. To do so, find the MFA settings option under your profile icon:
By selecting Security, you can review and change your MFA setup:
Click on Configure MFA to change the configuration; this can be done at any time:
Logging in using MFA
Once your MFA is set up, what you see when logging in to Frotcom Web depends on your security option:
After entering your credentials, you may see the following:
You must now use the code generated by your authenticator app. Enter the 6-digit code to log in to Frotcom Web:
With the correct code, you will have access to Frotcom Web.
With an invalid code, you will see this message:
Check that you are reading the code from the Frotcom Web entry in your authenticator app and that your phone's clock is set automatically, since TOTP codes are derived from the current time.
If you cannot log in, please contact your FCP partner.
Generating a new pairing code
Use this option only if your authenticator app or phone may be compromised, that is, if someone may have obtained your QR code or pairing key, or has had access to your unlocked phone.
To do so, click on the following button:
A new QR code will be shown, and you need to pair the authenticator app with your Frotcom Web login again by scanning it or entering the new key manually. Codes generated from the previous token are no longer valid.
When using this option, keep only the latest Frotcom Web entry in your authenticator app. Some authenticators replace the existing entry, others create a new one alongside it; delete the old entries (in Google Authenticator, swipe the Frotcom Web entry to the left to reveal the delete button). Otherwise you will see two or more codes and may enter an old one, which is no longer valid, and be unable to log in to Frotcom Web.
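The following is an added example, not Frotcom's code, showing the mechanism described in the Introduction and why the stale-entry problem above occurs: the phone and the server share one base32 setup key, both compute HMAC-SHA1 over the current 30-second step, and a code from an old (rotated) token simply does not match. The one-step tolerance in verify() is an assumption for the example (the page does not state Frotcom's tolerance); the two tokens are constructed for the demo, the first being the RFC 6238 reference secret.

```python
"""Minimal RFC 6238 TOTP generator/verifier in the page's 6-digit / 30-second form.
Added example; not Frotcom's implementation."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # code lifetime described on the page
DIGITS = 6         # code length described on the page


def decode_setup_key(setup_key: str) -> bytes:
    """The setup key shown below the QR code is base32; tolerate spaces, case and missing '='."""
    cleaned = setup_key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(setup_key: str, at: Optional[int] = None) -> str:
    """What the phone displays: HOTP with counter = floor(unix_time / 30)."""
    ts = int(time.time()) if at is None else at
    return hotp(decode_setup_key(setup_key), ts // STEP_SECONDS)


def verify(setup_key: str, submitted: str, at: Optional[int] = None,
           skew_steps: int = 1) -> bool:
    """What the server does: recompute the code from the shared token and compare.

    skew_steps is an assumption of this example (Frotcom's tolerance is not stated):
    accepting the neighbouring 30-second steps absorbs small clock drift on the phone.
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    ts = int(time.time()) if at is None else at
    step = ts // STEP_SECONDS
    secret = decode_setup_key(setup_key)
    ok = False
    for delta in range(-skew_steps, skew_steps + 1):
        # constant-time compare of every candidate; no early exit on a match
        ok |= hmac.compare_digest(hotp(secret, step + delta), submitted)
    return ok


# Constructed tokens for the demo (not real Frotcom keys): the RFC 6238 reference
# secret as the original token, and a second one standing in for a regenerated pairing.
OLD_KEY = base64.b32encode(b"12345678901234567890").decode()  # GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
NEW_KEY = base64.b32encode(b"09876543210987654321").decode()


def stale_entry_rejected(at: int) -> bool:
    """After a new pairing code is generated, the code shown by the OLD authenticator entry
    must be rejected by a server holding NEW_KEY, while the NEW entry's code is accepted."""
    old_entry_code = totp(OLD_KEY, at)
    new_entry_code = totp(NEW_KEY, at)
    return (not verify(NEW_KEY, old_entry_code, at=at)) and verify(NEW_KEY, new_entry_code, at=at)


if __name__ == "__main__":
    now = int(time.time())
    print("code the phone would show now:", totp(OLD_KEY, now))
    print("old-entry code rejected after rotation:", stale_entry_rejected(now))
```

The RFC 6238 test vectors (for example Unix time 59 giving 94287082 with 8 digits, hence 287082 with 6) can be used to check the generator; verify() accepts the same code one step later but not two, which is the behaviour behind the "expires in 30 seconds" statement plus a small drift allowance.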
Users Security setting
If you have Administration permission, you will see the current MFA setting of each of your users in the Frotcom MFA column:
On the User details page you can also see the user's setting and the audit information: