ChannelEngine: multi-factor authentication

About this article

This article describes when multi-factor authentication (MFA) is required by users and how to enable MFA on your ChannelEngine environment.

Table of contents

Introduction

MFA for logging into ChannelEngine

MFA for sensitive actions

Authenticator-based MFA

One-time password

Introduction

Multi-factor authentication enhances security by requiring multiple forms of verification. On ChannelEngine, MFA is required for logging in. To perform sensitive actions on ChannelEngine, MFA is also required.

ChannelEngine supports two MFA methods: authenticator-based MFA and one-time password (OTP). 

MFA for logging into ChannelEngine

MFA is required for logging into ChannelEngine. If you do not use single sign-on (SSO) through your organization to log into ChannelEngine, then log in to ChannelEngine via either of the methods described in this article.

If you already use SSO to log into ChannelEngine, then you do not need to set up an additional authentication option for logging in. However, to perform sensitive actions, you still need to use one of the MFA options described in this article.

MFA for sensitive actions

Some parts of ChannelEngine require recent multi-factor authentication (MFA) confirmation to proceed.

MFA is required for the following sensitive actions:

• Changing your password

• Managing users

• Managing roles

If you have not confirmed your identity via MFA within five to 15 minutes of starting a sensitive action, ChannelEngine prompts you to re-authenticate with MFA before continuing. How often you need to re-authenticate depends on the action.

Currently, the window to re-authenticate is five minutes for changing your password and 15 minutes for managing users and managing roles.

Authenticator-based MFA

Authenticator-based MFA is the fastest and most secure MFA method on ChannelEngine. 

How to enable authenticator-based MFA

To enable authenticator-based MFA on ChannelEngine:

1. Log in to your ChannelEngine environment. If you have multiple accounts in the same tenant, MFA is applied to your user for every account you can access.
2. Click on your account name in the top right-hand corner of the screen, and select Account settings.
   
   
    
3. Go to Preferences, and enable the Using two-step verification setting. Click Save.
4. Scan the QR code with your chosen authenticator app, or enter the code manually into your app.
5. Your authenticator app returns a six-digit verification code. Enter this code in the Verification code field. Click OK.  
6. After 15 minutes of inactivity on ChannelEngine, you are prompted for your verification code before you can log back in. If you log into ChannelEngine via SSO, you are not prompted for your verification code to log back in. 

Disable authenticator-based MFA

If you still have access to your authenticator and can log in to ChannelEngine, follow the steps listed above, disable the Using two-step verification setting, and click Update.

If you no longer have access to your MFA app (e.g.: you have a new phone and forgot to back up the codes from the previous phone), contact ChannelEngine's Support team to disable MFA for your account. Note that ChannelEngine must verify your identity before taking action.

One-time password

If you have not set up authenticator-based MFA on ChannelEngine, you will receive a short-lived 6-digit OTP at the email address that is registered on ChannelEngine every time you start a sensitive action.

If you have enabled authenticator-based MFA on ChannelEngine, you will not receive the OTP email.