In some instances, you may need to apply additional layers of security to your system to protect the data that it contains. This is particularly likely if:
- You have attained or are seeking certification to Cyber Essentials
- You have attained or are seeking certification to ISO 27001 and/or its related standards
- Your system contains particularly sensitive data.
To support you in protecting your data, Activ provides all systems with three options that can be applied in addition to the security provided by user permissions and private folders/items. These are:
- IP Whitelisting
- IP Blacklisting
- Multi-Factor Authentication (MFA)
Whilst IP Whitelisting/Blacklisting applies to your entire system, approving access based on the IP that the user is logging in from, MFA can be applied on a user-by-user basis. This enables you to choose between enabling MFA for all users of your system, regardless of their individual permissions, or only enabling it for some of your users (e.g. your Administrators). In addition, Activ’s MFA authorisation is device and browser specific, meaning that:
- An MFA user who has recently authorised their access can use Activ without re-authenticating even if they log in from a new network or location, as long as they are using the same device/browser combination and their last authorisation has not expired.
- Any individual who attempts to log into an MFA user’s account from a different device or browser will be forced to authorise their access even if they are accessing the account from the user’s normal IP address.
To provide additional security, Activ also automatically requires re-validation of an MFA user’s account if that user’s mobile number is changed (see Change your Mobile Number when MFA is Enabled), and allows both the user and your System Administrators to clear the user’s ‘Trusted Devices’ at any time (see Clear a User’s Trusted Devices). Either action forces a fresh authentication on every device and browser the user has previously authorised, so you can quickly ‘lock down’ an MFA-enabled account should a user’s device be lost, stolen, or otherwise compromised.
*****
Activ’s Authentication Options
Activ currently allows your users to authenticate their access to their accounts using the following authentication methods:
- SMS Authentication – this sends a single-use authentication code to the mobile number recorded within the user’s main Login Permissions. Because the code is delivered to that number, the account is only as well protected as the number is accurate and under the user’s control, which is why Activ re-validates the account whenever the number is changed (see Change your Mobile Number when MFA is Enabled).
*****
Limitations and Important Notes
When you enable MFA within your Activ system, it is important to be aware of the following:
Activ’s MFA is device-specific – your users will be required to re-authenticate their access on each device they use to sign into their account. This means that if your users access Activ through (e.g.) a laptop and a mobile phone, they will have to authenticate that access twice: once for the laptop, and once for the mobile. This also means that they will have to re-authenticate twice (i.e. on both devices) when the authentication times out, and in the event that their Trusted Devices are cleared (see Clear a User’s Trusted Devices).
Activ’s MFA is browser-specific – your users will be required to re-authenticate their access on each browser they use to sign into their account. This means that if your users access Activ through (e.g.) Chrome and Firefox, they will have to authenticate that access twice even if they are using both browsers on the same device. This also means that they will have to re-authenticate twice (i.e. on both browsers) when the authentication times out, and in the event that their Trusted Devices are cleared (see Clear a User’s Trusted Devices).
Each device and browser has a separate authentication timer – once a user has authenticated their access, they will not be asked to re-authenticate for n days after the time that they last entered an authentication code into their account (note that ‘n’ is determined by your system’s security settings; see Configure MFA for your Activ System). However, this timer is specific to the device and browser that the authentication occurred on. This means that (e.g.) if your system’s MFA is configured to timeout after 14 days and you authenticate on your laptop/Chrome on the 1st, and your mobile/Firefox on the 2nd, Activ will require you to re-authenticate your laptop/Chrome on the 15th and then will subsequently require you to re-authenticate your mobile/Firefox on the 16th.
Each device’s browser can only remember authentication for one user account at any time – due to the way that the authentication is stored, it is only possible for your browser to remember the authentication for one account at any time. This means that:
- If two people use the same device and browser to sign into their accounts, and both accounts are MFA-protected, OR
- One person has multiple MFA-protected user accounts and accesses those accounts from the same device/browser combination (common amongst resellers, consultants, and some system Administrators), then:
The device/browser combination will only remember the last authentication that was completed on that device and browser. For example:
- Company X has configured their MFA to timeout 14 days after each device/browser’s authentication.
- Person A logs into their MFA-protected account on a laptop, using Chrome, and authenticates their account.
- They use their account for (e.g.) 4 days as the only user of that device/browser combination, so are not required to re-authenticate at any point during those four days.
- On day (e.g.) 5, Person B logs into a different MFA-protected account on the same laptop, using Chrome, and authenticates their account.
- On day (e.g.) 6, Person A logs back into their normal MFA-protected account on that laptop, using Chrome, and is required to re-authenticate even though the MFA has not timed out. The device/browser combination has stored the authentication for Person B and overwritten its record of the authentication for Person A, meaning that Activ can no longer find a matching authentication record for Person A on that device/browser.
- Should Person B log in on that device/browser again after Person A has re-authenticated, Person B will also be required to re-authenticate, because Person A’s authentication will have overwritten the record of Person B’s authentication.
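The three behaviours described above (the per-device/browser timer, the single remembered account per browser, and the clearing of Trusted Devices or a mobile number change) can be replayed against a small model. The following Python is an added illustration and is not Activ’s code; the page does not document how Activ actually stores the authentication, so the model simply assumes that each device/browser combination holds one trust record (user plus the time a code was last entered) and that a record is honoured while the same user logs in from the same device/browser within the configured timeout. All class, function and parameter names are hypothetical, and the calendar days are constructed to match the worked examples.

```python
"""Model of the per-device/browser MFA trust behaviour described above.

Added illustration, not Activ's code. Assumptions (hypothetical throughout):
  - one trust record per (device, browser) combination;
  - a record is valid while the SAME user logs in from that combination
    and fewer than `timeout_days` have passed since a code was last entered;
  - entering a code (over)writes the record for that combination.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class TrustRecord:
    user: str                    # account the record was written for
    last_code_entered: datetime  # when an SMS code was last entered here


class MfaTrustModel:
    """One trust slot per (device, browser); names are hypothetical."""

    def __init__(self, timeout_days: int) -> None:
        self.timeout = timedelta(days=timeout_days)
        self._slots: dict[tuple[str, str], TrustRecord] = {}

    def login(self, user: str, device: str, browser: str, now: datetime) -> bool:
        """Return True if this login is prompted for an SMS code.

        The login is trusted only if the slot for this device/browser holds a
        record for the same user that has not yet timed out. Otherwise the user
        is prompted and, assuming the code is entered correctly, the slot is
        overwritten with a fresh record for them (so any other account's record
        on this device/browser is lost).
        """
        record = self._slots.get((device, browser))
        trusted = (
            record is not None
            and record.user == user
            and now - record.last_code_entered < self.timeout
        )
        if trusted:
            return False
        self._slots[(device, browser)] = TrustRecord(user, now)
        return True

    def clear_trusted_devices(self, user: str) -> None:
        """Drop every device/browser record for one user (the model treats a
        mobile number change the same way), forcing re-authentication everywhere
        for that user while leaving other users' records untouched."""
        self._slots = {k: r for k, r in self._slots.items() if r.user != user}


def _day(d: int) -> datetime:
    # Constructed calendar: "day d" of the examples above, same time of day.
    return datetime(2024, 1, d, 9, 0)


def overwrite_scenario() -> list[tuple[int, str]]:
    """Replay the Person A / Person B example with a 14-day timeout.
    Returns (day, user) for each login that was prompted for a code."""
    m = MfaTrustModel(timeout_days=14)
    logins = [(1, "A"), (2, "A"), (3, "A"), (4, "A"), (5, "B"), (6, "A"), (7, "B")]
    return [(d, u) for d, u in logins if m.login(u, "laptop", "chrome", _day(d))]


def separate_timer_scenario() -> dict[str, bool]:
    """Replay the laptop/Chrome on the 1st, mobile/Firefox on the 2nd example."""
    m = MfaTrustModel(timeout_days=14)
    m.login("A", "laptop", "chrome", _day(1))
    m.login("A", "mobile", "firefox", _day(2))
    return {
        "laptop_day14": m.login("A", "laptop", "chrome", _day(14)),
        "laptop_day15": m.login("A", "laptop", "chrome", _day(15)),
        "mobile_day15": m.login("A", "mobile", "firefox", _day(15)),
        "mobile_day16": m.login("A", "mobile", "firefox", _day(16)),
    }


def clear_scenario() -> tuple[bool, bool, bool]:
    """Clearing A's trusted devices forces A to re-authenticate on both of A's
    devices but leaves B's trusted browser untouched."""
    m = MfaTrustModel(timeout_days=14)
    m.login("A", "laptop", "chrome", _day(1))
    m.login("A", "mobile", "firefox", _day(1))
    m.login("B", "desktop", "edge", _day(1))
    m.clear_trusted_devices("A")
    return (
        m.login("A", "laptop", "chrome", _day(2)),
        m.login("A", "mobile", "firefox", _day(2)),
        m.login("B", "desktop", "edge", _day(2)),
    )


if __name__ == "__main__":
    print(overwrite_scenario())
    print(separate_timer_scenario())
    print(clear_scenario())
```

The model reproduces the documented outcomes: Person A is prompted on day 1, Person B on day 5, then A again on day 6 and B again on day 7 even though nothing has timed out; the laptop and mobile timers expire independently on the 15th and 16th; and clearing one user’s Trusted Devices prompts that user on every device while other users are unaffected. If a shared device is unavoidable, the practical mitigation the page points to is a separate browser (or browser profile) per account, since the remembered authentication is keyed per device/browser combination.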