What is Multi-factor Authentication (MFA)?
Multi-factor Authentication (MFA) adds an additional layer of security to your online accounts. Verifying your identity with a second factor of authentication, such as your phone or a security token, prevents anyone but you from logging in to an application such as INSZoom, even if they know your password. Passwords are increasingly easy to compromise, whereas the MFA factor is separate and independent from your username and password. Thus, even if the password is compromised, no unauthorized person can access the application using your login credentials. With a workforce whose work is becoming more remote day by day, even technology giants have realized the importance of requiring a second form of authentication to grant access to their applications.
What does it offer?
The Multi-factor Authentication service enhances login security for all INSZoom users of your Firm and your clients. It provides additional security by requiring a second form of authentication, such as a push message on a phone, a passcode, or a security key, to log in to the INSZoom application.
Multi-factor Authentication offers the following values to users:
- Improved Security- It adds an additional layer of security, keeping user accounts secure even if the password is compromised or hacked by an unauthorized entity.
- Increased Flexibility and Employee Productivity- INSZoom users can securely access the application from virtually any device or location without any risk of identity theft or unauthorized access.
- Easy to Use, Fast and Reliable- One-touch authentication using push messages on the phone and/or security keys such as ‘YubiKey’ is swift and gives users a fast way to securely log in to INSZoom.
- Highly Scalable- New users, clients, and devices can easily be added to benefit from this secure technology without requiring any significant effort, IT infrastructure change or training.
Getting Started with Multi-factor Authentication
- Multi-factor Authentication is a Subscription feature and thus, INSZoom superusers/administrators of your firm need to subscribe to the feature from the INSZoom Subscriptions module to let users get started with Multi-factor Authentication.
- Once Multi-factor authentication is subscribed and enabled, users can start using Multi-factor authentication from their added devices or ‘YubiKey’ security keys after one-time enrollment of their mobile devices or security keys.
How does it work?
Multi-factor Authentication fundamentally has a simple three-step process:
- Subscription: Superuser/administrator subscribes to MFA from the subscription module.
- Configuration & Enablement: Superuser/administrator selects and configures MFA for their Firm’s INSZoom users.
- Enrollment: Users register their device or security key to verify their identity and securely access the INSZoom application.
How to enable and use Multi-factor Authentication?
Subscription and Setup for Multi-factor Authentication
INSZoom Superusers from the Firm can subscribe to Multi-factor Authentication from the main navigation menu: hover over Setup, then click Subscriptions.
Navigate to the Security and Privacy category and click the ‘Subscribe’ button for MFA.
The INSZoom accounts team will get in touch with your organization to confirm the subscription request and activate the feature for your organization.
After Multi-factor Authentication is subscribed and activated for your organization, you may click on "MFA" in the Subscriptions module to manage Subscription Plan, Configuration, Enrolled Users and monitor usage.
A.2 Enabling MFA for Case Managers and Corporation:
After Multi-factor Authentication is subscribed and activated for your organization, you can enable MFA for all internal staff/Case Managers and/or for Corporation Users and Foreign Nationals. While enabling MFA for Corporation Users and Foreign Nationals, you can choose to enable MFA for all your Corporate clients or only for the Users of specific Corporations.
A.2.1 Case Managers: MFA can be enabled for all the case managers in your Firm by clicking on the ‘Enable for All Case Managers’ button.
A.2.2 Vendor Case Managers: MFA can be enabled for all vendor case managers by clicking on the button ‘Enable for All Vendor Case Managers’.
A.2.3 Corporation Users and Foreign Nationals: You can enable MFA either for all Corporate customers or for specific customers.
A.2.3.1 All Corporations and Foreign Nationals: Choose this option if you intend to enable MFA for all your Corporate clients. If selected, this provides an option to enable MFA for Corp Users and/or Foreign Nationals.
a. ‘Enable for All Corp Users’- This enables MFA for Corp Users of all Corporations.
b. ‘Enable for All Foreign Nationals’- This enables MFA for Foreign National Users of all Corporations.
A.2.3.2 Specific Corporation and Foreign National: Choose this option if you intend to enable MFA only for specific Corporate clients. If selected, this provides an option to enable MFA for Corp Users and/or Foreign Nationals of the selected Corporations.
You can select a specific corporation from the drop-down and add it to the list of corporations for which MFA needs to be enabled.
A.2.4 Count of Total Users Enabled: Firm administrators can keep track of the MFA-enabled user count with the counter available in the Configuration section for each user role: case managers, vendor case managers, corp users and foreign national users.
A.2.5 List of Enrolled Users: After MFA is enabled for your organization, the case managers will receive an email alert notifying them that MFA has been enabled for their INSZoom account. This alert essentially invites the case managers to start enrolling their devices or security keys to act as an additional layer of security for authentication. Administrators can look at the list of all users who have enrolled their devices or security keys using the ‘Enrolled Users’ section. This also includes the utility to search for users by Name/Organization.
Corp Users and Foreign Nationals are provided with On-screen instructions about device enrollment upon first login attempt post MFA enablement.
A.2.6 Reset MFA Enrollment: There are scenarios in which the MFA enrollment of an enrolled user may need to be reset. Some of these scenarios are:
- The enrolled user needs to change the second form of authentication from his/her mobile phone to a security key such as ‘Yubikey’.
- The enrolled user has changed his/her mobile device or mobile phone number.
- The enrolled user has reset his/her mobile device.
- The enrolled user’s INSZoom account has been deleted.
In such cases, INSZoom superusers/administrators can choose to Reset/Delete MFA enrollment of the enrolled users. You can click on the ‘Reset MFA Enrollment’ button against the specific user’s name to reset the MFA Enrollment.
A.2.7 MFA Usage Tracking: The 'MFA usage' interface lets the Firm admin view the MFA License Count, the total number of MFA users enrolled and the number of unutilized MFA licenses. The MFA License Count is the same as the contracted number of MFA licenses subscribed by the Firm.
When a Firm has used all of its subscribed MFA licenses, users who are MFA-enabled but not yet enrolled cannot enroll their devices; these users are allowed to bypass MFA registration and log in to the INSZoom application with single-factor authentication. Users who are MFA-enabled and have already enrolled continue to have MFA enforced.
Note: To resume MFA registration and enrollment for enabled users, you must increase your Firm's subscribed MFA licenses.
A.2.8 Email notification to Firm Admin on MFA usage: Firm admins will receive an email notification when the MFA License usage reaches 80% and 100% of the total MFA License subscribed.
A.2.9 Recycling of MFA licenses of disabled user accounts: An MFA license can be reused whenever an enrolled user is disabled/deactivated. The INSZoom application automatically resets the respective MFA seat for a user in the following scenarios:
- INSZoom Case Manager/Vendor Case Manager user account is disabled.
- Foreign National/Client portal access is disabled or the Foreign National record is inactivated.
- Corp User portal access is disabled or Corp user record is inactivated.
Enrolling users with Multi-Factor Authentication (MFA)
Once MFA is successfully enabled, Users can start enrolling their device or security key upon the first login attempt to INSZoom. Adding a device or security key is a one-time activity. After enrollment, users can directly authenticate their accounts using MFA to enter INSZoom.
1. Access using devices such as an Android or Apple Mobile Phone-
The procedure for an Android phone, iPhone or any other similar handheld device is simple.
1.1 Install the Duo Mobile App from Google Play Store or Apple App Store depending on the operating system of the device.
1.2 Enter the phone number and country code of the device on which Duo Mobile Application has been installed.
1.3 Scan the QR code in the Duo Mobile application to add the device to Duo Security.
1.4 After the device has been added to Duo Security, users have two options to choose from to authenticate their INSZoom account using the enrolled device:
1.4.1 Duo Push- If users select Duo Push, a login request is sent directly to their phone. Approving this login request lets users enter INSZoom.
- When the Duo Push notification appears on the user’s device screen, the user taps where indicated on the screen to view the available actions: ‘Approve’ or ‘Deny’.
- Tapping on the push request notification itself (instead of tapping the notification actions) takes users to the full Duo Push screen in Duo Mobile application.
- Users can simply tap ‘Approve’ to finish logging into the INSZoom application.
- If users get a login request that they weren't expecting, then they can tap ‘Deny’ on the device screen to reject the request.
- If users don't recognize the authentication attempt as their own, then tapping ‘It seemed fraudulent’ rejects the login attempt to INSZoom and notifies the Duo administrator about the suspicious request.
- If users just want to cancel a login request that they made, then they can tap ‘It was a mistake’ to deny the request without reporting it.
1.4.2 Passcodes- There can be a scenario where users have no internet connection on their mobile phone and no mobile network operator cell service. In such a situation, users can use a Passcode instead of a Duo Push to authenticate with the same device. Passcodes work anywhere, even in places where there is no internet connection or cell service, because the code is generated on the phone itself. A user can tap the down indicator on the Duo Mobile device screen to get a one-time passcode for login, then enter the Passcode on the INSZoom login screen on their computer to log in.
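The reason a passcode can be produced with no connectivity, shown as an added example rather than Duo's or INSZoom's own code: at enrollment the phone and the server share a secret, and each passcode is derived from that secret plus a moving value, so nothing has to be sent to the phone at login time. The block below implements the two standard constructions (counter-based HOTP, RFC 4226, and time-based TOTP, RFC 6238) together with the server-side checks, using the RFC test key rather than a real enrollment secret. It is an assumption that Duo's passcodes follow one of these RFCs; the example illustrates the general mechanism.

```python
import hashlib
import hmac
import struct

# Added example, not INSZoom's or Duo's code. The secret below is the RFC 4226 /
# RFC 6238 test key, used so the outputs can be checked against the RFC tables.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, submitted: str, last_counter: int, look_ahead: int = 10):
    """Server-side check for a counter-based passcode.

    The phone may have generated codes the server never saw (the user pressed
    the button a few times), so the server searches a small look-ahead window.
    It never accepts a counter at or below the last accepted one, which makes a
    passcode unusable a second time. Returns the new counter on success, else None.
    """
    for candidate in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30, skew_steps: int = 1) -> bool:
    """Accept the current step and +/- skew_steps to tolerate clock drift between phone and server."""
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, current + d), submitted)
        for d in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    # These match the RFC 4226 Appendix D and RFC 6238 Appendix B test vectors.
    print(hotp(RFC_TEST_SECRET, 0))                              # 755224
    print(totp(RFC_TEST_SECRET, 59, digits=8))                   # 94287082
    print(verify_hotp(RFC_TEST_SECRET, "359152", last_counter=0))  # 2
```

Two design points matter on the server side: the accepted counter is advanced so a code that has already been used is rejected, and the time-based check tolerates only a narrow skew window so that an old code expires quickly.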
2. Security Keys
Security Keys offer secure login approvals resistant to phishing attacks combined with the same one-tap convenience provided by Duo Push. Security keys can be used by firms in scenarios where users generally don’t have access to their mobile devices when they log into their INSZoom accounts. A security key plugs into the USB port of the computer and when tapped or when the button located on the top of the key is pressed, it sends a signed response back to Duo to validate the login.
2.1 Procuring a Security key- Security keys from ‘Yubico’ or ‘Feitian’ are good options to purchase and use with Duo Security. Supported USB security keys such as WebAuthn/FIDO2 security keys can be bought from online marketplaces such as Yubico Store, Feitian Store, Amazon online, etc.
2.2 Enrolling a Security key- Users can enroll their security key during the self-enrollment process as an alternative to using a mobile phone.
a. Users can select Security Key as the preferred device to add for Multi-factor Authentication and then click Continue. Users should make sure that they are not blocking pop-up windows for the enrollment site before continuing.
b. Users can insert Security Key in the Computer USB Port and tap on the key to enroll. The security key enrollment window automatically tries to locate the connected security key for approval. Depending on the security key model, users will need to tap, insert, or press a button on their device to proceed. When enrolling their security key, users may possibly be prompted to tap to enroll the security key more than once. Users may also be asked if they want to allow Duo to access information about their security key (Users should click Allow or Proceed as applicable).
c. Authenticating with a Security key- The next time users log in to INSZoom using Duo, they can simply tap or insert their security key to log in. Some types of keys also flash as a prompt for users to tap on the key and authenticate.
d. Upon successful second factor authentication, the user is redirected to the INSZoom homepage.
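Where the phishing resistance described in section 2 comes from, as an added stand-alone simulation that is not INSZoom's or Duo's code: a WebAuthn/FIDO2 key only holds credentials scoped to the relying party id the browser derives from the site actually loaded, and the signed response covers the server's one-time challenge and the page origin, so the server can reject anything produced for another site or replayed later. Two simplifications are assumptions of this example: an HMAC with a per-credential secret stands in for the key's ECDSA signature so that only the standard library is needed, and "inszoom.example" is a placeholder relying party id, not a real domain.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not INSZoom's or Duo's code. Placeholder relying party (RP)
# identity; the real deployment's domain is not part of this example.
RP_ID = "inszoom.example"
RP_ORIGIN = "https://inszoom.example"


class SecurityKey:
    """The roaming authenticator. Credentials are keyed by rpId."""

    def __init__(self):
        self._credentials = {}

    def make_credential(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)  # stand-in for a per-RP private key
        self._credentials[rp_id] = key
        return key  # stand-in for the public key handed to the server at enrollment

    def get_assertion(self, rp_id: str, challenge: str, origin: str):
        """Invoked by the browser with the rpId and origin it observed, never by the page."""
        key = self._credentials.get(rp_id)
        if key is None:
            return None  # no credential for this site: nothing to sign
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        signed = rp_id_hash + hashlib.sha256(client_data).digest()
        return {
            "client_data": client_data,
            "rp_id_hash": rp_id_hash,
            "signature": hmac.new(key, signed, hashlib.sha256).digest(),  # ECDSA stand-in
        }


class RelyingParty:
    """The server side: issues one-time challenges and verifies assertions."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self._keys, self._pending = {}, {}

    def enroll(self, user: str, key: bytes):
        self._keys[user] = key

    def begin_login(self, user: str) -> str:
        challenge = secrets.token_urlsafe(32)
        self._pending[user] = challenge
        return challenge

    def finish_login(self, user: str, response) -> bool:
        challenge = self._pending.pop(user, None)  # single use: a replay finds no challenge
        if response is None or challenge is None or user not in self._keys:
            return False
        client = json.loads(response["client_data"])
        if client.get("type") != "webauthn.get":
            return False
        if client.get("challenge") != challenge or client.get("origin") != self.origin:
            return False  # wrong challenge, or signed on behalf of another origin
        if response["rp_id_hash"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        signed = response["rp_id_hash"] + hashlib.sha256(response["client_data"]).digest()
        expected = hmac.new(self._keys[user], signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response["signature"])


def demo():
    """Returns (genuine login ok, login relayed through a lookalike site ok, replay ok)."""
    key, server = SecurityKey(), RelyingParty(RP_ID, RP_ORIGIN)
    server.enroll("alice", key.make_credential(RP_ID))

    # Genuine login: the browser is on the real origin, so rpId and origin match.
    challenge = server.begin_login("alice")
    genuine = key.get_assertion(RP_ID, challenge, RP_ORIGIN)
    genuine_ok = server.finish_login("alice", genuine)

    # A lookalike site shows the user the real challenge. The browser derives the
    # rpId from the site actually loaded, so the key has no credential for it
    # and returns nothing; a response for that origin would fail the origin check.
    challenge = server.begin_login("alice")
    relayed = key.get_assertion("inszoom-login.example", challenge, "https://inszoom-login.example")
    relayed_ok = server.finish_login("alice", relayed)

    # Replaying the earlier genuine response: its challenge was already consumed.
    replay_ok = server.finish_login("alice", genuine)
    return genuine_ok, relayed_ok, replay_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The contrast with a passcode is the point: a passcode typed into a lookalike page is valid wherever it is relayed within its time window, whereas the security key's response is bound to the origin the browser saw and to a challenge the server hands out exactly once.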