Doc. Number | Article Title | Effective Date | Version |
FHC-XX | Two-Factor Authentication (2FA) | July 15, 2024 | 0.3 |
This article has been developed to describe the Forth system's two-factor authentication (2FA) functionality.
Two-factor authentication (2FA) is an identity and access management security method that requires two forms of identification to access resources and data. The first factor is a password, and the second commonly includes a text with a code sent to your smartphone, a one-time code generated by an authenticator app on your device, or biometrics using your fingerprint, face, or retina.
It allows businesses to monitor and help safeguard their most vulnerable information and networks.
Examples include:
- Hardware Tokens (physical security keys)
- SMS Verification (sending a one-time code via SMS to a user’s smartphone)
- Push Notifications (Using an installed app to approve/deny login attempts)
- One-Time Passcodes via TOTP (Time-based One-Time Password)
NOTE: TOTP is an algorithm that generates a one-time password using the current time as a source of uniqueness. This is a common method of implementing 2FA as it does not rely on internet access or outside systems like SMS.
IMPORTANT: Forth currently supports 2FA through SMS in the US; delivery to international phone numbers is not currently available.
This enhancement creates a new “Access Control” Settings Page at the controlling company level (the highest-level company within an account). This new Access Control settings page is found by clicking the Admin tab and then clicking "Settings" in the Navigation Bar. Finally, click "Access Control" (see the example below).
The page that now appears (see below) centralizes all of our access control functionality.
The left sidebar lists control features such as IP Whitelisting (the default setting) and 2FA.
NOTE: Our IP Whitelisting functionality has been moved here to consolidate your Access Control needs.
The 2FA function is accessed by clicking “Two-Factor Authentication” in the left sidebar (see red highlighted box). 2FA must first be enabled or disabled at an account level by clicking the toggle button (see the small red highlight at the top of the image below).
Once enabled at the account level, specific companies can have 2FA functionality enforced on them. Under the “Manage Company Access” section, select a company from the “Disabled” column that you wish to enforce 2FA on. Click once on the company's name, and then click on the single right-facing arrow (highlighted below). You will then see the company has been moved to the “Enabled” column (see the highlighted section on the right of the image below).
Once active, a notification will appear stating, “You have successfully turned Two-Factor Authentication on for <<Enter Company Name Here>>.”
The system will also display text in the SMS Notification section of a user’s “My Settings” profile and on the “Edit User” page (available from the Admin tab > Settings > Navigation Bar shown earlier) to indicate that the number stored there is also used for 2FA. When enabled for a company, 2FA is enabled for all users within that company; it cannot be controlled at the user level. If a user does not have a cell phone number saved in their profile, they will be asked to enter and save one for use with 2FA upon their next login. If a user does have a cell phone number on file, they will automatically receive a verification code.
With 2FA activated, when logging into the Forth system, you will be presented with the following dialog box, asking you to provide a mobile phone number and then asking you to click the green “Send Verification Code” button.
NOTE: Standard text message rates may apply based on your mobile phone carrier plan.
Check for a text message that provides the 2FA verification code required for access (see the image below).
Once you provide the correct verification code and click the “Continue” button, you will see confirmation that the code was accepted. You will then be automatically logged into the CRM as usual.
Article Version History:
Version | Effective Date | Description |
Basic | 06/27/2023 | Initial Release |
0.1 | 10/23/2023 | Minor formatting changes at the end of the article. No subject matter review was performed. |
0.2 | 04/26/2024 | Added a note regarding the non-use of international phone numbers, as well as minor grammatical updates. |
0.3 | 07/15/2024 | Added details on the general definition of 2FA. |