Multi-Factor Authentication

What is it?

Multi-factor authentication (MFA) means that you need more than one way to prove your identity when logging in. In addition to knowing your password, you need a secondary method of proving your identity. If your password is compromised, the attacker would still need access to your secondary method of proving your identity. Generally, this means access to your device.


Supported Methods

At the moment, we only support One Time Passwords (OTP) via an authenticator app.

There are many authenticator apps on the market, such as Google Authenticator, Authy, Microsoft Authenticator, Duo, 2FAS, Aegis, etc. Any of them can be used as the 2nd factor.

NOTE: OTP via SMS or Email based 2FA is not supported at this time.


Enabling MFA

Multi-factor Authentication is set at the account level (aka Primary Organization). See this article for more details on Pipe17's support for single (aka primary) organization and multi-organization setups.

In a multi-org setup, once MFA is enabled on the primary organization, it is enforced on the primary organization and on all secondary organizations within it.

As an example, Joey Joe Joe Jr. is a user of Wile E. Coyote Crust Co., which is a secondary org of ACME. Because ACME enforces MFA, Joey Joe Joe Jr. will be required to set up MFA when he logs in.


MFA Enforcement

Multi-factor Authentication is an enforcement feature, meaning enabling this feature will enforce MFA for ALL users. It is not an opt-in feature at user level.

Each user configures their own Multi-factor Authentication. Once configured at the user level, the user will be prompted for the 2nd factor when logging into any organization, even if that organization does not have MFA enabled.

For example, say Joey Joe Joe Jr. has access to 2 different primary orgs, ACME and FOOBAR. If the admin of ACME has enforced MFA, as soon as Joey Joe Joe Jr. logs in, the system will force him to set up MFA. Once MFA is configured, Joey Joe Joe Jr. will be prompted for an MFA code no matter which org he is using.

Even though MFA enforcement is at the primary organization level, the MFA configuration is per user. Once a user has enrolled in MFA, the user may be prompted for the 2nd factor whenever they log into any organization, irrespective of that organization's MFA enforcement.


Enabling Multi-Factor Authentication

As of now, this feature can only be enabled by Pipe17 administrators (and support). If you are interested in enabling this feature for your primary organization, please file a support ticket here.


Disabling Multi-Factor Authentication

MFA enforcement can be disabled by filing a support ticket here.

Disabling MFA enforcement only applies to new users, meaning new users added to the org will not be required (or prompted) to set up MFA or provide an OTP during login.

Users that already have MFA configured will continue to be prompted for the 2nd factor even after disabling the enforcement.

To completely avoid being prompted for MFA, 2 conditions must be met:

  1. None of the organizations (or their primary organizations) the user is associated with enforce MFA
  2. Any existing MFA enrollment is removed


Verifying Account / Setting Up Multi-Factor Authentication

When you log in for the first time after an org has enforced MFA, you will be prompted to set up your OTP. You will be presented with a QR code page that you can use with any authenticator app such as Google Authenticator, Authy, Microsoft Authenticator, Duo, 2FAS, Aegis, etc.

TIP: The OTP setup also works with many password management apps, such as 1Password.

Once you scan the QR code with an authenticator app, the app will give you a rolling 6-digit code that updates every 30 seconds. When prompted to enter your one-time code, enter the currently valid 6-digit code from the authenticator app you configured.


Here is a screenshot of enrolling in MFA with a QR code:


Here is how you would set it up in Google Authenticator.

1. Download the App from your mobile's app store

2. Open & sign into the Google Authenticator app

3. Click on the + sign at the bottom right

4. Select Scan QR Code


5. Point it to the QR code screen shown on the Pipe17 app

6. You should see a new entry added to Google Authenticator for "Pipe17: <your email>"


How-To Videos for Various Authenticator Apps

Here is a how-to video for using Google Authenticator - https://youtu.be/h000FgWyKJA?si=lcO8W0xwBT7iwQgy&t=68

Here is a how-to video for using Authy - https://youtu.be/tmnS821wCyc?si=1c0sKjjAFV93tDvz&t=70

Here is a how-to video for using 1Password - https://youtu.be/be0z43pmzWc?si=g8Mq1E_OGE8d4lr_&t=78


Remember Device for 30 Days

After enrolling in MFA, every reload of the Pipe17 app will ask for an OTP unless the user checks the "Remember this device for 30 days" checkbox.


This is fine because, as mentioned previously, an attacker would need the password as well as access to the device to log in. Most of the time, the attacker will not have access to the device.


Resetting Multi-Factor Authentication

If you have lost your MFA configuration, or it is not working for some reason, you can request support here to clear your MFA configuration. Once it is cleared, you will have to go through the setup process described above.


Troubleshooting

The code I entered is not valid

If you reload quickly after using a code and try to use the same code again, it will be rejected: each code can be used only once, and a new code is generated only every 30 seconds. Wait 30 seconds for a new code, and consider checking "Remember this device for 30 days".
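The rolling 6-digit code that changes every 30 seconds (described in the setup section above) and the single-use rule in this troubleshooting entry are both standard RFC 6238 TOTP behaviour. The following Python example is added here for illustration and is not Pipe17's code: it assumes the common HMAC-SHA1 parameters (6 digits, 30-second step), uses the RFC 6238 reference secret as a constructed test value, and the otpauth URI it builds is an assumed example of what an enrollment QR code encodes, not Pipe17's actual payload.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse

STEP_SECONDS = 30  # the 30-second rolling window
DIGITS = 6         # 6-digit codes

# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded; a constructed test value
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def provisioning_uri(secret_b32: str, email: str, issuer: str = "Pipe17") -> str:
    """Key URI an authenticator app reads from a QR code (assumed format, not Pipe17's actual payload)."""
    label = urllib.parse.quote(f"{issuer}:{email}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={issuer}"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code the app shows for the 30-second step containing unix_time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Server-side check: accept the current step's code (or an adjacent one for clock drift), never twice."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret = secret_b32
        self.skew = skew_steps
        self.last_step_used = -1  # highest step already consumed: the replay guard behind "code is not valid"

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        for step in range(max(0, now_step - self.skew), now_step + self.skew + 1):
            if step <= self.last_step_used:
                continue  # this window's code was already used once; reuse is rejected
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted.strip()):
                self.last_step_used = step
                return True
        return False
```

Submitting the same code a second time within its 30-second window fails in `verify` exactly as the troubleshooting entry describes, while a fresh code for the next window succeeds.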


I lost my code

If you successfully set up MFA but later found you didn't save the rolling code to your authenticator app, you will need to ask support to reset MFA so you can set it up again, and save it this time!!!
