Multi-factor Authentication (MFA)

Ryan Knuth
Ryan Knuth
  • Updated

When enabled in your environment, Wicket users can be prompted to confirm their login using Multi-factor Authentication (MFA).

What is Multi-factor Authentication (MFA)

You’ve most likely experienced multi-factor authentication when logging into your banking or your insurance company website. MFA occurs when you input your email and password into a website and you are prompted to enter a verification code sent to you by email or text.


Why use Multi-Factor Authentication?

MFA helps ensure the correct and intended user is accessing a website. 

In the event that a hacker obtains your login and password to a website, it is unlikely they have access to your cell phone or email account. So when the verification code gets sent to your email or text, they will likely not get it and fail the 2nd authentication.


How can I protect my association with Single Sign On and MFA?

MFA must be configured by the Wicket developers. Please contact Wicket Support or Sales if you think MFA is right for your organization.


How does MFA work with Wicket?

When MFA is enabled, after admin users provide an email and password they will be asked to enter a one-time password delivered via email or Google Authenticator.

Note: MFA does not apply to members logging into your associations website.


MFA can be set up for the following users and scenarios:

MFA is only available to Wicket administrators, usually in the following scenarios:

  1. When logging into your member database and all connected platforms which have SSO (eg MailChimp, EventBrite)
  2. When logging into your website CMS platform (eg Wordpress or Drupal)


Multi-Factor Authentication Challenge Triggers and Bypass

By default, multi-factor authentication challenges are issued to every admin user on every login attempt.  This enhances security, but it’s also important to consider how redundant MFA challenges can fatigue users.  It's possible to reduce the number of MFA challenges a user will experience using Triggers and Bypasses.  

Triggers are used to limit MFA challenges to your most valuable services and for your most privileged users.  

Bypasses skip MFA challenges when a user has already completed an MFA challenge on the same device.

Note: All users are required to use MFA at least once per device

Trigger and Bypass Examples

  • Trigger MFA challenges when the user is accessing specific high-value Services / SSO Websites
  • Trigger MFA challenges if the user has an Administrator role and, therefore privileged access.
  • Bypass MFA challenges if this user and device has successfully logged in from this location recently.
  • Trigger an MFA challenge if the login attempt is deemed suspicious

MFA using email

When email MFA is enabled in your environment, some or all users will need to verify their login using a verification code.

  1. Log into Wicket SSO using your regular email and password. You will be prompted to enter a Verification Code sent to your email.
  2. Open your email to copy the Verification Code. 
  3. Paste or type this code into the Wicket SSO Login Verification Code field.
  4. Click Login.

If the Verification Code has expired, you may click the "Resend" button.

The expiration time of the Verification Code can be configured for your environment.

MFA using Google Authenticator

Registering MFA

After confirming your account and setting a password, upon your first login to the Wicket admin panel, you'll be prompted to register your device with CAS (the login service used by Wicket).


  1. Start by downloading the Google Authenticator app on your Apple or Android device. Other apps or plugins may be available for your web browser or computer. Look for reputable apps that support Google Authenticator.
  2. Next, Print or copy the Scratch codes and store them securely. These can be used as login tokens should you not have access to the Google Authenticator app in the future. Note: You have a limit of 5 scratch codes available to you. Only use these when absolutely necessary.
  3. Open the Google Authenticator app on your device and tap the "+" icon to add a new site.
  4. Tap "Scan a QR code" and use your device's camera to scan the QR code on the Wicket admin login screen. Alternatively, tap "Enter a setup key" and enter the alphanumeric "Secret key" shown on the Wicket admin login screen.
  5. Back on the Wicket admin login screen, click "Confirm."
  6. A popup will appear asking you to confirm the registration by completing the following:
    1. Enter a Token that is generated within the Google Authenticator app. To access this number, navigate to the Google Authenticator app on your device and find the generated code.

      Note: The generated codes refresh every 30 seconds. The code will turn red prior to refreshing.
    2. Enter a Device Name - This will auto-populate and can be left as-is.
  7. Click "Register." Your device is now registered.
  8. On the next screen, you'll be prompted to enter a new Token from the Google Authenticator app. Navigate to the app to see the token. Enter the Token back on the Wicket admin login screen and click "Login."
  9. You are now logged into Wicket admin.

Log in using MFA

  1. To log in as a Wicket administrator, enter your email and password as usual. Click "Login."
  2. You'll then be prompted to enter a new Token from the Google Authenticator app. Navigate to the app to see the token. Enter the Token back on the Wicket admin login screen and click "Login."
  3. You are now logged into Wicket admin.


Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request



Article is closed for comments.