How to set up a multi-factor authentication device for two-factor authentication in the RiskSense platform.
The RiskSense platform requires two-factor authentication (2FA) to access vulnerability data. Two-factor authentication requires that users provide two different items to authenticate their login: first, something that the user knows (their password) and second, something the user has (a security token from either their email or a multi-factor authentication [MFA] device).
To set up an MFA device, click your initials in the top-right corner of the screen and click User Settings.
In the Security section, click the drop-down menu under Two Factor Authentication Type and select MFA Device.
Several blue buttons appear; before clicking anything else, you must download and install an authenticator application on your phone. Download Google Authenticator or another MFA application (e.g., DUO Security or LastPass Authenticator) from your phone’s app store. For this guide, we will use Google Authenticator.
Back in RiskSense, click the Save button. A QR code pops up on the screen. Above the QR code is a written-out code. If scanning the QR code is not an option, use the written-out code for manual entry.
Open the MFA application on your device (in this instance, Google Authenticator). Click the Plus (+) button in the upper-right corner of the application; this will allow you to add a new login code.
The easiest way to do this is to click Scan Barcode and use your phone’s camera to scan the QR code displayed in RiskSense. Either scan the code or manually enter the code into the authenticator application. A new RiskSense security token will be added to your authenticator application.
The next time you log in to RiskSense and it prompts for a code, open the authenticator application and type in the code displayed on the screen under RiskSense.
Once your MFA device is set up, we strongly recommend generating recovery codes. These codes allow the user to access the platform in case of device or application loss/failure. To generate recovery codes, click the Generate New Codes button.
The platform prompts you for your security question. Enter the answer and click Submit.
When the recovery codes dialog box appears, copy the codes to a safe location. Once a code is used, it is no longer valid and cannot be reused.
The following list describes the available buttons in the Two-Factor Authentication Type settings.
- Save: Save the selection if changing from email to an MFA device or vice versa.
- Show Code: Generates a code for your authenticator or shows the currently used code.
- Update Code: This generates a new two-factor authentication code.
- Generate New Codes: This button generates 10 one-time-use codes. If your MFA device is lost or destroyed, these 10 codes give you a way to access the platform without the device and set up a new one.