Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) adds an additional verification step when users sign in to a Clappia workplace. Along with their usual login method (email ID or phone number), users are required to complete a second verification step before they can access the workplace.

This second factor can be verified using Email, Phone, or an Authenticator app, depending on how the workplace admin has configured the login options.

‍

Why use Multi-Factor Authentication

Passwords alone are often not enough to protect access to workplace data. MFA adds an extra layer of security by ensuring that even if a user’s password is compromised, access is granted only after a second verification step is completed.

Since the second factor is tied to the user’s email, phone number, or authenticator app, it significantly reduces the risk of unauthorised access and helps keep workplace data secure.

‍

Enabling Multi-Factor Authentication (Admin setup)

To enable MFA for a workplace, admins need to configure it from Workplace Settings.

1. From the left navigation panel, go to Workplace Settings > Preferences tab > Login Options.
2. On the right panel, enable Second-factor authentication.
3. Select one or more verification methods:
   
   • Email
   • Phone
   • Authenticator
4. Click Save.

Once saved, MFA becomes active for the workplace and will apply to users of the workplace during sign-in.

‍

Choosing second-factor verification methods

Admins can choose one or more verification methods as the second factor. The selected options determine what users see during login.

For example, let’s say ‘Phone’ is selected as the second factor.

• If a user logs in using their email ID, the user will be prompted to enter their phone number and verify using a code sent to it.

• If multiple options are enabled, users will be able to choose how they want to complete the second-factor verification during login.

This allows flexibility while still enforcing an additional security step.

‍

What users see during sign-in

After MFA is enabled at the workplace level, users will be prompted for second-factor authentication when they try to sign in using their email ID or phone number.

• Users can select a verification method based on what the admin has enabled.
• For Email or Phone, the user must click Send Code.
• A one-time code is then sent to the selected email address or phone number.
• The user enters the received code to complete the sign-in.

‍

Setting up Authenticator-based MFA (User setup)

If Authenticator is enabled as a second-factor option and the user has not previously configured an authenticator, they can complete the setup from their profile.

1. On the MFA screen (when prompted for the second factor authentication), click Edit Profile. This opens the user’s Profile page.

2. Click Authenticator Setup.

3. On the right panel, click Setup Authenticator.

‍

Connecting an authenticator app

Once setup is initiated, a QR code is generated.

1. Open any standard authenticator app on your device.
2. Scan the QR code shown on the screen.
3. The authenticator app will display a message similar to:
   Add account (email ID) so you can access the one-time password code.
4. Click Add account to confirm.

After this, the authenticator app starts generating 6-digit codes for the account.

‍

Using the authenticator during login

After setup is complete, every time the user logs in to the workplace, and opens the authenticator for the second factor login:

• The authenticator app generates a 6-digit code.
• The code is valid for 30 seconds and refreshes automatically.
• The user must enter the currently active code to complete the login.
• If the code expires, the newly refreshed code can be used instead.

‍

Using backup codes

On the MFA verification screen, users also have the option to enter a code manually. Enable the option ‘Use backup code’. This is meant for backup or static codes.

Backup codes are useful when:

• the authenticator app is temporarily unavailable, or
• the user cannot access their device.

Entering a valid backup code allows the user to complete authentication and sign in.

Generating backup codes

After setting up the authenticator app, users can generate backup codes from their profile.

To do this, go back to Edit Profile and open the Authenticator Setup section where the QR code was scanned earlier. Under this section, there is an option to enter the 6-digit code from the authenticator app.

Once a valid code from the authenticator is entered, the system generates a set of backup codes. These codes can be saved and kept securely by the user.

Backup codes act as static second-factor codes and can be used to sign in if the user is unable to access their authenticator app for any reason. Each backup code can be used to complete MFA verification when prompted during login.

Note: It is recommended that users generate and save their backup codes at the time of setting up the authenticator. This ensures that backup codes are readily available if the authenticator app is not accessible later, and helps avoid being locked out of the account.

‍

What happens when multiple MFA options are enabled

Let's say an admin enables Email, Phone, and Authenticator together:

1. The user signs in using their primary login method (for example, email ID).
2. The MFA screen appears, allowing the user to choose a verification method.

3. If Email/Phone is selected, click Send Code. A one-time code is sent to both the email and the phone.
4. If Authenticator is selected:
   
   • The user enters the code generated by their authenticator app.
   • If the authenticator is not yet set up, the user follows the setup process described above.

This allows users to complete MFA using any of the enabled methods, while still enforcing second-factor verification on every login.