Multi-factor authentication (MFA) provides a method to verify a user's identity by requiring them to provide more than one piece of identifying information. This ensures that only valid users can access their accounts even if they use an email and password that may have been compromised from a different application.
MFA is enabled at the Organization level and is enforced for all users who have access to that Organization. This allows organizations to manage their policies across all of their Agility CMS instances.
When a user signs up for an Agility CMS account or an existing user has access to an Organization that requires MFA to log in, they will be prompted during login to enroll in MFA. They will not be able to log in until they have completed the MFA setup.
Enforcing MFA is a feature only enabled for Pro and Enterprise plans.
Enabling Multi-Factor Authentication for All Your Instances
You can enforce MFA for email/password login for your entire organization. For this to be effective, we also recommend disabling all other login types for your organization. This ensures all users log in via email/password and have the same MFA experience. If you do not disallow other login types, users may be able to bypass your MFA by logging in via Google or Microsoft with a verified email address that matches your account's email address.
In the near future, you'll be able to manage all of these settings in the Organization Security Center. This will be released in Q1 2021. In the meantime, please contact email@example.com to manage this for you.
Enrolling in Multi-Factor Authentication
If multi-factor authentication (MFA) is enabled for your organization, you will be prompted to enroll in MFA when you log in to Agility CMS.
You will need an Authenticator app (see below for options) on your phone that is capable of scanning the enrollment QR code and completing the handshake required to enroll. You will then use that same Authenticator app whenever you are prompted to enter your one-time code.
Supported Authenticator Apps
The following authentication apps have been tested and are officially supported.
Looking for additional app support? Please contact firstname.lastname@example.org and we'd be happy to look into your request.
Saving your Recovery Code
Once you've established a connection with your app, you are presented with a recovery code that you can use to reset your MFA enrollment if you lose your phone or are otherwise no longer able to access your authenticator app. Keep this code in a safe place.
Logging In with Multi-Factor Authentication
Once you've enrolled, you will be prompted at each login for a one-time code from the authenticator app that you originally enrolled with. Open your app and type in the code.
If you are logging in on a trusted device, check the box Remember this device for 30 days to avoid having to authenticate using MFA each time you log in.
Unable to Provide One-Time Code with Authenticator App
If you lose your phone, uninstall the authenticator app that you originally enrolled with, or are otherwise unable to provide a one-time code, you can try another method.
You can use your previously recorded recovery code. If successful, this will provide you with another recovery code and allow you to log in. Store the new recovery code in case you need it in the future.
Still Can't Log In?
Please contact email@example.com so that we can verify your identity and reset your multi-factor authentication enrollment.