Enroll Multi-Factor Authentication (MFA) for Non-SSO Users
Multi-factor authentication (MFA) has been introduced in CMO to strengthen login security for non-SSO web applications. Users enroll in MFA by linking their account to the Google Authenticator app on a mobile device. During enrollment the system generates a unique secret key for the user, which is shared with the app either by scanning a QR code or by typing in a manual entry key. Once enrolled, the Google Authenticator app generates a one-time password (OTP) for each login attempt, which serves as the second authentication factor.
Please refer to the image below for a step-by-step guide to installing and configuring the Google Authenticator app.

Once the key has been added to the app (by scanning the QR code or entering the key manually), Google Authenticator starts generating OTPs for the account. To complete the enrollment and confirm that the app on the linked device is configured correctly, enter the current OTP in the “Enter OTP Code” field below the QR code.
Note:
- Enrolling in MFA is a one-time process. From the next login attempt onwards, the user logs in with the one-time password (OTP) from Google Authenticator.
- If the initial OTP validation fails (because of a system issue or for any other reason) and the user refreshes the page before validation succeeds, a new secret key and QR code are generated. The key previously added to the app is then no longer valid, so the user must scan the new QR code (or enter the new key) before trying again.
Once the Google Authenticator app is set up on the user’s linked mobile device, every login to the web application is followed by a second authentication step: after the credentials are accepted, the system redirects to the OTP page. Open Google Authenticator on the mobile device, read the current OTP for the account, and enter it on the OTP page to complete the login.
Note: The OTP changes every 30 seconds, and an OTP that has expired is not accepted. After five invalid attempts the user is locked out for 15 minutes; a warning message is displayed while the user is locked out.
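The enrollment and login flow described above is standard time-based OTP (TOTP). What follows is an added example, not CMO's code, showing what sits behind it: the secret key and the otpauth payload that the QR code encodes, the RFC 4226/6238 computation that makes Google Authenticator and the server agree on a 6-digit code per 30-second window, and a server-side check that applies the rules the page states (five failed attempts, then a 15-minute lockout). It assumes the Google Authenticator defaults (HMAC-SHA1, 6 digits, 30-second period) and a one-step tolerance window; `OtpAttemptGuard` and its replay check are this example's own design, since the page does not describe how CMO implements its validation.

```python
# Added example (not CMO's code): the TOTP mechanics behind the enrollment flow,
# per RFC 4226/6238 with Google Authenticator defaults (HMAC-SHA1, 6 digits, 30 s).
# OtpAttemptGuard is a hypothetical name for the login-side policy the page states:
# five failed OTPs lock the account for 15 minutes.
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

PERIOD = 30                 # seconds per OTP window ("the OTP expires every 30 seconds")
DIGITS = 6
MAX_ATTEMPTS = 5            # locked out after five invalid attempts
LOCKOUT_SECONDS = 15 * 60   # 15-minute lockout


def generate_secret(nbytes=20):
    """New per-user secret, base32-encoded as Google Authenticator expects (the manual entry key)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def otpauth_uri(secret_b32, account, issuer="CMO"):
    """The string a QR-code generator (e.g. QRCoder) encodes into the enrollment QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": DIGITS, "period": PERIOD})
    return f"otpauth://totp/{label}?{query}"


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32, at, period=PERIOD, digits=DIGITS):
    """RFC 6238 TOTP for Unix time `at`: HOTP with counter = floor(at / period)."""
    return hotp(secret_b32, int(at) // period, digits)


def verify_totp(secret_b32, code, at, window=1, period=PERIOD, digits=DIGITS):
    """Return the time step whose code matched, or None.

    `window` steps on either side are accepted to absorb clock skew and a user who
    submits just as the code rolls over; the comparison is constant-time."""
    step = int(at) // period
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, step + offset, digits), code):
            return step + offset
    return None


class OtpAttemptGuard:
    """Server-side policy for the OTP page: lockout after repeated failures, no code reuse."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> Unix time at which the lockout ends
        self._last_step = {}     # user -> last accepted time step (replay protection)

    def is_locked(self, user, now):
        return now < self._locked_until.get(user, 0)

    def attempt(self, user, secret_b32, code, now):
        """Validate one submitted OTP. Returns True only when the login may proceed."""
        if self.is_locked(user, now):
            return False  # even a correct code is refused while locked out
        matched = verify_totp(secret_b32, code, at=now)
        # A step at or before the last accepted one is a replayed code, not a fresh login.
        if matched is not None and matched > self._last_step.get(user, -1):
            self._last_step[user] = matched
            self._failures.pop(user, None)
            return True
        failures = self._failures.get(user, 0) + 1
        if failures >= self.max_attempts:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures.pop(user, None)  # counter restarts once the lockout expires
        else:
            self._failures[user] = failures
        return False


if __name__ == "__main__":
    secret = generate_secret()
    print("manual entry key:", secret)
    print("QR code payload:", otpauth_uri(secret, "alice@example.com"))
    print("current OTP:", totp(secret, time.time()))
```

Running the file prints a fresh manual entry key, the QR payload and the current code; adding that key to Google Authenticator produces the same code as `totp(secret, time.time())`, which is exactly the agreement the enrollment step confirms. The replay check matters because a 30-second window, plus the one-step tolerance, leaves time for a captured code to be submitted a second time.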
Trust this Device
If the user selects the "Trust This Device" option on the OTP page, the system skips MFA on that browser for 24 hours. Within that period the user is not asked for an OTP again, even if the browser is closed or left idle, unless the user logs out of the application, which ends the trust. Because the trust is tied to the browser, select this option only on a device the user controls, not on a shared workstation.
Reset MFA
This is an Admin-only function for resetting the MFA of a user who has enrolled but no longer has access to the linked device and therefore cannot log in securely. In this case the user asks the Admin to reset their MFA.
Steps to Reset MFA
- Go to Admin > Users and locate the MFA Enabled checkbox.
- Check the MFA Enabled checkbox and click Search. The system displays the list of MFA-enabled users.
- Click the cog wheel for the user and select the Reset the MFA option.
- A Delete confirmation pop-up window is displayed. Select Yes to reset the MFA.
- The user then follows the MFA enrollment process again to link Google Authenticator on a device they have access to.
Web Configuration Prerequisites
MFA
If your application requires users to go through multi-factor authentication (MFA) before logging in, the two MFA pages must be reachable by users who are not yet authenticated. Allow access to:
- MFALogin.aspx – where users enter their credentials or initiate MFA.
- MFAOTPValidate.aspx – where users enter the OTP (One-Time Password).
Add the following <location> entries to web.config alongside the existing page permissions. Grant anonymous access (allow users="*") to these two pages only; every other page keeps its existing authorization rules.
<location path="MFALogin.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="MFAOTPValidate.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
QR Code Generation
The MFA enrollment page renders the enrollment QR code with the QRCoder library. The binding redirect below ensures that version 1.6.0.0 of the QRCoder assembly is loaded at runtime, whichever version other components were compiled against.
Add the following dependent assembly for MFA enrollment under the runtime assembly binding section (<runtime><assemblyBinding>) of web.config:
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
  <dependentAssembly>
    <assemblyIdentity name="QRCoder" publicKeyToken="c4ed5b9ae8358a28" culture="neutral" />
    <bindingRedirect oldVersion="0.0.0.0-1.6.0.0" newVersion="1.6.0.0" />
  </dependentAssembly>
</assemblyBinding>
Locking Out due to Multiple Failed Login Attempts
The following appSettings keys in web.config control login blocking. Blocking is tracked separately per login name (ByLoginName) and per client IP address (ByIPAddress); update the values to enable or disable it and to tune the thresholds.
<add key="Security.Login.Blocking.ByLoginName.Enabled" value="" />
<add key="Security.Login.Blocking.ByLoginName.AttemptsCount" value="" />
<add key="Security.Login.Blocking.ByLoginName.DeactivationTime" value="" />
<add key="Security.Login.Blocking.ByLoginName.TimeBetweenAttempts" value="" />
<add key="Security.Login.Blocking.ByIPAddress.Enabled" value="" />
<add key="Security.Login.Blocking.ByIPAddress.AttemptsCount" value="" />
<add key="Security.Login.Blocking.ByIPAddress.DeactivationTime" value="" />
Example
- To disable blocking, set the Enabled key to false.
- DeactivationTime is the lockout duration in minutes, e.g. 15.
- AttemptsCount is the number of failed attempts allowed before the lockout, e.g. 5.
Default (if the value is left empty)
- Enabled - true
- AttemptsCount - 5
- DeactivationTime - 15 minutes
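To verify the three web.config changes above before a deployment, here is an added example (not part of CMO) that parses a web.config and reports what is missing or mis-set: anonymous access must be granted to exactly the two MFA pages, the QRCoder binding redirect must be present, and the login-blocking keys are resolved with the defaults the page documents. The sample configuration embedded in it is constructed for the example (Reports.aspx is a made-up page); it assumes the documented defaults apply to both blocking groups and passes TimeBetweenAttempts through unchanged because the page gives no default for it.

```python
# Added example (not CMO's code): offline audit of the web.config MFA prerequisites.
# Assumptions: the defaults listed on the page (Enabled=true, AttemptsCount=5,
# DeactivationTime=15) apply to both ByLoginName and ByIPAddress; TimeBetweenAttempts
# has no documented default and is passed through unchanged.
import xml.etree.ElementTree as ET

MFA_PAGES = ("MFALogin.aspx", "MFAOTPValidate.aspx")  # the only pages that need anonymous access
ASM_NS = "{urn:schemas-microsoft-com:asm.v1}"           # namespace of <assemblyBinding> children
QRCODER_TOKEN = "c4ed5b9ae8358a28"
LOCKOUT_DEFAULTS = {"Enabled": "true", "AttemptsCount": "5", "DeactivationTime": "15"}

# Constructed sample: MFAOTPValidate.aspx is missing, Reports.aspx (made up) is wrongly
# public, and IP-based blocking has been switched off.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="Security.Login.Blocking.ByLoginName.Enabled" value="" />
    <add key="Security.Login.Blocking.ByLoginName.AttemptsCount" value="" />
    <add key="Security.Login.Blocking.ByLoginName.DeactivationTime" value="" />
    <add key="Security.Login.Blocking.ByLoginName.TimeBetweenAttempts" value="" />
    <add key="Security.Login.Blocking.ByIPAddress.Enabled" value="false" />
  </appSettings>
  <location path="MFALogin.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <location path="Reports.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="QRCoder" publicKeyToken="c4ed5b9ae8358a28" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-1.6.0.0" newVersion="1.6.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>"""


def load_web_config(xml_text):
    return ET.fromstring(xml_text)


def app_settings(root):
    """<add key= value=> pairs under <appSettings> only (other sections also use <add>)."""
    node = root.find("appSettings")
    return {} if node is None else {a.get("key"): a.get("value") for a in node.findall("add")}


def grants_anonymous(authorization):
    """ASP.NET applies <allow>/<deny> rules in document order, first match wins;
    anonymous requests match users="?" (anonymous) and users="*" (everyone)."""
    for rule in authorization:
        users = {u.strip() for u in (rule.get("users") or "").split(",")}
        if users & {"*", "?"}:
            return rule.tag == "allow"
    return False  # no rule at this level: the parent configuration decides


def anonymous_locations(root):
    """Paths whose <location> override admits unauthenticated users."""
    paths = set()
    for loc in root.findall("location"):
        auth = next(loc.iter("authorization"), None)
        if loc.get("path") and auth is not None and grants_anonymous(auth):
            paths.add(loc.get("path"))
    return paths


def has_qrcoder_redirect(root, version="1.6.0.0"):
    for dep in root.iter(ASM_NS + "dependentAssembly"):
        ident = dep.find(ASM_NS + "assemblyIdentity")
        redirect = dep.find(ASM_NS + "bindingRedirect")
        if (ident is not None and redirect is not None
                and ident.get("name") == "QRCoder"
                and ident.get("publicKeyToken") == QRCODER_TOKEN
                and redirect.get("newVersion") == version):
            return True
    return False


def resolve_lockout(settings, scope):
    """Effective login-blocking settings for scope 'ByLoginName' or 'ByIPAddress'."""
    prefix = f"Security.Login.Blocking.{scope}."
    value = {k: (settings.get(prefix + k) or "").strip() or d for k, d in LOCKOUT_DEFAULTS.items()}
    return {
        "Enabled": value["Enabled"].lower() == "true",
        "AttemptsCount": int(value["AttemptsCount"]),
        "DeactivationTime": int(value["DeactivationTime"]),  # minutes
        "TimeBetweenAttempts": (settings.get(prefix + "TimeBetweenAttempts") or "").strip() or None,
    }


def audit_web_config(xml_text):
    """Findings as 'kind:detail' strings; an empty list means the prerequisites are met."""
    root = load_web_config(xml_text)
    anonymous = anonymous_locations(root)
    findings = [f"missing-anonymous:{p}" for p in MFA_PAGES if p not in anonymous]
    findings += [f"unexpected-anonymous:{p}" for p in sorted(anonymous - set(MFA_PAGES))]
    if not has_qrcoder_redirect(root):
        findings.append("missing-qrcoder-redirect")
    settings = app_settings(root)
    findings += [f"lockout-disabled:{s}" for s in ("ByLoginName", "ByIPAddress")
                 if not resolve_lockout(settings, s)["Enabled"]]
    return findings


if __name__ == "__main__":
    print("\n".join(audit_web_config(SAMPLE_WEB_CONFIG)) or "no findings")
```

Run it against a real file with `audit_web_config(open(path).read())`. The unexpected-anonymous finding is the check a reviewer most wants: a <location> that grants allow users="*" to any page other than the two MFA pages removes the login requirement for that page, which is easy to do by accident when copying the snippets above.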

