Two-Factor Authentication (2FA) — Customer Success Guide

Two-Factor Authentication (TFA/2FA) adds a second proof of identity on top of a username and password. In our platform, the second factor is a one-time code sent by SMS ?. This article explains how to enable, configure, use, and troubleshoot TFA for your users.

At a Glance

• Factor #1: Email/username + password
• Factor #2: One-time code delivered by SMS
• Roles involved:
  • Level 3 Support (L3): Enables TFA capability for a room and can change frequency
  • Portal Administrator: Turns TFA on for individual users and manages their phone numbers
  • End User: Enters SMS codes at sign-in; can generate emergency backup codes

Enable TFA for a Room (L3 Support) ?

1. Sign in and go to Support Panel > Manage Groups, then locate the room.
2. In the Features column, open the dropdown and check Enable Two-Factor Authentication.
3. Choose the default TFA validation interval (how often users must re-enter an SMS code).

Note: Enabling TFA at the room level does not automatically enable it for users. It only allows Portal Admins to enable it per user.

Configure TFA for a User (Portal Admin) ?️

Prerequisite: L3 Support has enabled TFA for the room.

1. Go to Configuration > User access management.
2. Select the user and click the pencil icon to edit (or create a new user).
3. Check Enable two-factor authentication for this user.
4. Enter the user’s phone in international format (e.g., +15551234567 or +33611223344).
5. Click Confirm.

Sign-in Flow for Users (What They See) ?

1. User enters username/email and Password.
2. They’re taken to a Two-Factor Authentication page.
3. An SMS code is sent to their saved phone number.
4. User types the code (case-sensitive) to finish signing in.

Manage TFA from the User Profile

• Go to User profile > Edit and scroll to Two-Factor Authentication.
• Update the phone number for SMS codes when needed.
• Click Generate My Security Codes to create one-time backup codes (for when SMS is unavailable).

Best practice: Ask users to securely store backup codes (e.g., a photo in their phone’s secure vault) and never in plain text ?.

How Often Are SMS Codes Required? ⏱️

The TFA frequency/interval determines how often a user must re-enter a code from the same IP address. L3 Support can set a room-wide default and/or per-user frequency.

• Example 1 (24h interval): If a user validates at 16:00 from work, then signs in again from the same office network at 10:00 the next day, no new code is required.
• Example 2 (24h interval): If they validate at 16:00 from work but sign in at 20:00 from home, a new code is required (different IP).

Changing the TFA Interval (L3 Support) ?

Changing how often codes are requested is a security change and must be done by L3 Support. It requires oral and written consent from the authorized representative.

• Room-wide change: Update the frequency in the room settings.
• Single user change: Update the frequency in the user’s profile.

Users in Multiple Rooms with Different TFA Settings ?

When a user belongs to multiple rooms, the platform applies the most restrictive setting:

• If any room requires TFA, the user’s account uses TFA.
• Among different frequencies, the highest frequency (most frequent prompts) wins.

Troubleshooting TFA ?

1. Restart the phone (this resolves most issues).
2. Check SMS reception from other numbers. If no SMS are being received, the user must contact their mobile operator.
3. Ask the user to use one of their backup security codes.
4. If no backup codes are available, qualify urgency (e.g., meeting time) and inform the user that L3 Support will call to provide an emergency code.

Providing an Emergency/Backup Code to a User (Support Procedure) ?

1. Locate the user’s stored security codes (see the User section above).
2. Call back the user on the phone number listed in their profile (to avoid impostors).
3. Validate identity by asking account-specific questions (e.g., number of rooms, room name, board title).
4. Read one security code to the user and stay on the line while they sign in.
5. Once in, show the user how to generate and store their own backup codes and remind them of best practices.

Why not email? Because email is already factor #1. The second factor must be independent (SMS or backup code), not email ?➡️❌.

FAQs ❓

Can we add TFA for a user without sponsor approval?

Yes. Enabling TFA increases security. Ideally the Portal Admin does it, but L3 Support can also enable it if needed.

Can we remove TFA for a user without sponsor approval?

No. Removing TFA reduces security. L3 Support must first obtain oral and written consent from the authorized representative.

How often are SMS codes sent?

As defined by the frequency/interval chosen by L3 Support (room default or per-user). Users won’t be prompted again within the interval from the same IP.

How do we change the frequency?

L3 Support changes it after receiving the authorized representative’s consent. Changes can be room-wide or per-user.

What happens with multiple rooms and conflicting settings?

The platform applies the most restrictive policy (TFA required if any room requires it; highest prompt frequency applies).

Why can’t we send an emergency code by email?

Email is already used as the first factor. For true 2FA, the second factor must be independent (SMS or backup codes), not email.

Security & Privacy Notes ?

• Always verify user identity before disclosing or reading codes.
• Never store backup codes in plain text; advise secure storage.
• Document approvals (oral + written) for any security-reducing change (e.g., removing TFA or lowering frequency).

Glossary

• TFA/2FA: Two-Factor Authentication
• L3 Support: Level 3 Support team with advanced admin capabilities
• Portal Admin: Customer administrator who manages users/settings
• Backup/Security Codes: One-time codes generated by the user for emergency access