What is it?
MFA is a form of authentication where the user must confirm her identity twice: once during the initial authentication and again via a separate method immediately afterwards.
This is often configured in Google G Suite, most often by requiring a text message when a user logs in to Google on a new device or via a new service. If this is enabled, Google will handle this process when the user logs in to access StratoQ, whether through the browser, when registering a proximity card, or when logging in at an MFD. After the MFA is completed, Google will redirect the user back to StratoQ.
Example of MFA during the Google login process at a device.
How does StratoQ use MFA?
StratoQ supports use of the Google Authenticator app for Android and iOS to confirm the user's identity. This can be done after an SSO login or a prox card login to help prevent malicious logins.
When MFA is enabled, the user will be asked to enter the 6-digit code generated by the Authenticator app on the mobile device. This code changes every 60 seconds. The initial signup process (where a user does a full username/password authentication through the Google OAuth flow) gives us extra assurance that the user accessing our app is legitimate.
How to set it up?
An administrator of StratoQ can require MFA for all users and devices by logging into the desktop browser app, going to Account Settings, and checking the box. This is a per-customer setting.
Users will now be required to enter the 6-digit code from the Authenticator app whenever they access a device.
User experience?
Once users set up Authenticator at StratoQ.com, they will have access to the code on their mobile device.
After a login, the user will be required to enter the current Authenticator code at the device. If the code is incorrect, the user will be able to try again. The user can always skip the Authenticator code and log in via Google if needed.