Multi-factor Authentication (MFA)

Ryan Knuth

When enabled in your environment, Wicket users can be prompted to confirm their login using Multi-factor Authentication (MFA).

What is Multi-factor Authentication (MFA)?

You’ve most likely experienced multi-factor authentication when logging in to your banking or insurance company website. MFA occurs when you input your email and password into a website and you are then prompted to enter a verification code sent to you by email or text.

Why use Multi-Factor Authentication?

MFA helps ensure the correct and intended user is accessing a website. 

If a non-authorized user obtains your login and password to a website, they are unlikely to have access to your email account. When the verification code is sent to your email, they will likely not receive it and will fail the second authentication.

How can I protect my association with Single Sign On and MFA?

MFA must be configured by the Wicket developers. If you think MFA is right for your organization, please contact Wicket Support or Sales.

How does MFA work with Wicket?

When MFA is enabled, users will be asked to enter a one-time password delivered via email after they enter their email and password on the login screen.

MFA can be set up for the following users and scenarios:

MFA is only available to Wicket administrators, usually in the following scenarios:

  1. When logging into your member database and all connected platforms which have SSO (e.g. Higher Logic, Discourse)
  2. When logging into your website CMS platform (e.g. WordPress or Drupal)

Multi-Factor Authentication Challenge Triggers and Bypass

By default, multi-factor authentication challenges can be issued to every user on each login attempt. This enhances security, but it’s also important to consider how redundant MFA challenges can fatigue users. Using triggers and bypasses, the number of MFA challenges a user will experience can be reduced.

Triggers are used to limit MFA challenges to your most valuable services and for your most privileged users.  

Bypasses skip MFA challenges when a user has completed an MFA challenge on the same device.

Note: All users are required to use MFA at least once per device.

Trigger and Bypass Examples

  • Trigger MFA challenges when the user is accessing specific high-value Services / SSO Websites.
  • Trigger MFA challenges if the user has an Administrator role and, therefore, privileged access.
  • Bypass MFA challenges if this user and device have successfully logged in from this location recently.
  • Trigger an MFA challenge if the login attempt is deemed suspicious.
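
The trigger and bypass rules above can be read as one decision per login attempt. The Python below is an added example, not Wicket's code or configuration: the field names, the service names, the 7-day bypass window and the order in which the rules are checked are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Assumed policy values for illustration; not Wicket settings.
HIGH_VALUE_SERVICES = {"member-database", "website-cms"}
BYPASS_WINDOW = timedelta(days=7)

@dataclass
class LoginAttempt:
    role: str                         # "administrator" or another role
    service: str                      # Service / SSO website being accessed
    location: str                     # coarse location of this attempt
    suspicious: bool                  # verdict of a separate risk check
    last_mfa_at: Optional[datetime]   # last MFA success on this device, None if never
    last_mfa_location: Optional[str]  # where that MFA success happened

def decide(attempt: LoginAttempt, now: datetime) -> Tuple[bool, str]:
    """Return (challenge_required, reason). The rule order is an assumption."""
    # Every user completes MFA at least once per device.
    if attempt.last_mfa_at is None:
        return True, "first login on this device"
    # A suspicious attempt is challenged even if a bypass would apply.
    if attempt.suspicious:
        return True, "suspicious login attempt"
    # Triggers: privileged role or high-value service.
    triggered = (attempt.role == "administrator"
                 or attempt.service in HIGH_VALUE_SERVICES)
    if not triggered:
        return False, "no trigger matched"
    # Bypass: same device and location, MFA completed recently.
    recent = now - attempt.last_mfa_at <= BYPASS_WINDOW
    if recent and attempt.location == attempt.last_mfa_location:
        return False, "bypass: recent MFA on this device and location"
    return True, "trigger matched and no bypass applies"

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 9, 0)  # constructed sample data
    yesterday = now - timedelta(days=1)
    samples = [
        LoginAttempt("administrator", "member-database", "Ottawa", False, None, None),
        LoginAttempt("administrator", "member-database", "Ottawa", False, yesterday, "Ottawa"),
        LoginAttempt("administrator", "member-database", "Lisbon", False, yesterday, "Ottawa"),
        LoginAttempt("member", "community-forum", "Ottawa", True, yesterday, "Ottawa"),
    ]
    for s in samples:
        print(s.role, s.service, s.location, "->", decide(s, now))
```

Checking the once-per-device rule and the suspicious-login trigger before any bypass keeps a remembered device from suppressing a challenge that the other rules call for.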

MFA using email

When email MFA is enabled in your environment, some or all users must verify their login using a verification code.

  1. Log in to Wicket SSO using your regular email and password. You will be prompted to enter a Verification Code sent to your email.
  2. Open your email to copy the Verification Code. 
  3. Paste or type this code into the Wicket SSO Login Verification Code field.
  4. Click Login.

If the Verification Code has expired, you may click the "Resend" button.

The expiration time of the Verification Code can be configured for your environment.