This article explains why and how to use two-factor authentication. If you're an admin user and encounter someone unable to log in due to difficulty accessing their two-factor verification code, fear not! This article has got you covered with solutions.
Jump immediately to the right topic:
- Information for admin users
- Why should I set up Two-factor authentication for my firm?
- How can I set up Two-factor authentication?
- What if I no longer wish to use Two-factor authentication?
- The feature has been disabled, but a user is still asked to log in with two-factor authentication. Why?
- I wish to disable two-factor authentication for one user because this account will be used by multiple users. Is this possible?
- A user gets an error message when trying to login via two-factor authentication or lost his smartphone with his Authenticator. How can I help?
- General information about two-factor authentication
Information for admin users
Why should I set up Two-factor authentication for my firm?
Two-factor authentication will always require a user to complete a second step, namely entering a code generated in an "Authenticator" into Silverfin. A user can choose to perform this step only once every 30 days on their trusted computer.
In other words, to enhance security, as an office, you can mandate that every user, both internal and external, must begin using two-factor authenticartion for their Silverfin account within your environment. Two-factor authentication is not enabled for users connecting via SSO. In this case, the rules set by you or your IT partner for SSO will apply.
How can I set up Two-factor authentication?
As an admin user, you can enable two-step verification by navigating to the office level, then selecting Users, followed by User configuration, and finally clicking on Enable Two-Step Verification.
Then confirm by clicking the green button Enable Two-Step Verification.
Once two-factor authentication is enabled, each user will be prompted during their next or first login attempt to set up two-factor authentication. A user can skip this once, but must set it up the next time they log in.
The notification includes an explanation of account protection and how it functions. Users will have the option to skip this step once. By clicking the green Continue Setting Up button, users can proceed to set up two-factor authentication.
What if I no longer wish to use Two-factor authentication?
As an admin user, you can disable this feature at the office level in the same way that you can enable it. However, it's important to note that any user who has already set up two-step verification will still need to log in using it. You can contact support to remove two-factor authentication for these users. This action is not mandatory; individual users can choose to continue using two-factor authentication. However, to have it removed entirely two-factor authentication needs to be removed on the office level.
The feature has been disabled, but a user is still asked to log in with two-factor authentication. Why?
If you've disabled two-step verification and a user still needs to log in with it, it's because for security reasons, it won't be unexpectedly disabled for users who had already set it up, without their awareness. Two-factor authentication is associated with a user's email address.
There might be two reasons why a user still needs to log in with two-step verification:
1. A user needs to set up two-step verification for another office that mandates it.
2. A user had set up two-step verification when it was enabled for your office.
If a user hasn't set up two-step verification for another environment and two-step verification is now disabled within your office or environment, you can contact support to request disabling two-step verification for this user. Note: This is only possible if two-step verification is indeed disabled for your office. If it's still enabled, it cannot be disabled for just one user.
I wish to disable two-factor authentication for one user because this account will be used by multiple users. Is this possible?
We do not recommend sharing accounts among multiple individuals, and we advise creating separate accounts in Silverfin for each person. However, if you still wish to proceed with sharing, using an "Authenticator" in a password manager may be a viable option, as it often allows for code sharing. Please note that disabling two-factor authentication for one user is not possible as long as the two-factor authentication setting is enabled.
A user gets an error message when trying to login via two-factor authentication or lost his smartphone with his Authenticator. How can I help?
As an admin users have the ability to reset the two-factor authentication for other users. This will send a new qr-code to a user, enabling them to set up their 2FA app again. They can follow steps described here: Why am I seeing a two-factor authentication screen and how can I set it up?
You can do this by going to the user's profile at firm level and clicking on the button reset authentication:
After the reset, it is important for a user to delete the previous Silverfin account from the authentication app they were using. In Google Authenticator, the old account may persist until you manually remove it by pressing the trash can icon to confirm deletion.
General information about two-factor authentication
Why am I seeing a two-factor authentication screen and how can I set it up?
When you log into Silverfin and encounter the screen below, it indicates that a decision has been made to enable two-factor authenticaton within the office environment. The system operates straightforwardly, as you may have observed on other platforms. Even if your password were to be compromised for any reason, you can still prevent unauthorized access to your Silverfin Account by entering a newly generated code from the Authenticator every time. If the term "Authenticator" is unfamiliar to you, don't worry. We'll explain it to you below.
1. Once you've logged into Silverfin and reached the screen below, simply click on the green Continue to setup button.
You will be taken to the following screen:
As indicated on the above screenshot you will be asked to install "Authenticator". The Authenticator is typically available by default on your smartphone (recommended), but it is also available as a computer program or can be integrated into various password managers.
An Authenticator is an application that generates a new temporary password or code every 30 seconds. You must enter it within this time frame. If the code is about to expire, it is best to wait until a new one is generated.
2. Install the "Authenticator"
If you do not already have an "Authenticator" installed, you can install one of the listed below.
If you already have one installed, you can go to the next step.
Here are a few options third party authentication apps you can use to set up Two-factor authentication:
- Google Authenticator for iOS or Android (mobile app)
- Authy for iOS, Android (mobile app)
- WinAuth (desktop app)
- Microsoft Authenticator for iOS of Android (mobile app)
- Password Manager (Authenticator is most of the time not offered for free, but can be used on multiple devices and shared among multiple users).
3. Scan de code that you see on the screen with your "Authentication" app.
4. Once Silverfin is added to the Authenticator, it will generate a code. You can enter the access code on the screen you see.
5. If you wish, and your computer is a trusted device, select Trust this browser for the next 30 days. By doing so, you won't need to enter a code each time you log in when using the same browser or computer.
6. Press Continue to complete the activation of two-step verification.