Multi Factor Authentication (MFA) & Hardware Security Keys

Multi Factor Authentication (formerly 2FA or Two Factor Authentication) requires an additional piece of information, such as a one-time code, in addition to your username and password to log in. It greatly enhances the security of your account. We have followed industry best practices for MFA.

Multi-Factor Authentication is required for all Syncro User accounts. Security is an important core aspect of operating an MSP. Managed Service Providers are contracted by their clients to deploy and maintain their systems so that the client can focus on their business making money. It's important that Syncro has the same security commitment to the Users that are operating on our platform as well. While we have always had the option to enable Multi-Factor Authentication, we feel that the MFA requirement across all accounts as a default behavior helps to ensure businesses stay secure.

What it Does

  • Secures your account by requiring the code from an authentication app or hardware key.
  • Allows for recovery using offline recovery codes and/or an SMS recovery code.
  • Periodically requires a new code for each browser session (default is every 30 days).

What it Doesn't Do

  • Save your passwords or other credentials.
  • Generate passwords. We highly recommend the use of strong passwords and/or the use of password managers like LastPass.

Table of Contents

Enable MFA on your account
Enforce MFA on all accounts
Change time setting to reauthorize MFA
MFA Troubleshooting
Hardware Security Keys
Hardware Security Keys Setup
Hardware Security Keys FAQ

 

Enable MFA on your account

New User accounts will be automatically prompted on first login to configure MFA, starting at step 4 below.

  1. In the upper right, click your name.
  2. In the dropdown menu, click Profile/Password.
  3. Scroll down and click the Enable Multi-factor authentication button and click OK to confirm.
  4. On the MFA screen, click Setup MFA and Access Your Account.
  5. Follow the instructions to download and install an MFA app if you don't have one already.
  6. Now open the MFA app (such as Google Authenticator or Authy) on your smartphone.
  7. Scan the QR code to add the account to your smartphone.
  8. In the Code field in Syncro, enter the Code shown in your authenticator app.
  9. Click Enable Multi-factor Authentication.
  10. You may get a screen asking you to enter a Multi-factor Code again. Check your authenticator app in case the code changed, enter the code, and click Verify.
  11. Great! Now it's enabled. Click Download Recovery Codes and put them somewhere very safe. You can access your account with these if you lose access to the Authenticator Profile you just added.
  12. After saving the codes, click Next.
  13. Now you should really also set up a mobile recovery option. Enter your mobile number and click Confirm Recovery Mobile.
  14. Enter the code you receive on your mobile phone.
  15. Click Confirm.

Now you are done setting yourself up.

 

Enforce MFA on all accounts

MFA is automatically required for all accounts. When a new user logs in for the first time, they will be taken to step 4 above.

You can see who has yet to enable MFA either in Admin > Users or with the below steps.

  1. Navigate to Admin > App Center.
  2. Scroll down to the MFA card and click Multi-factor Authentication.

 

Change time setting to reauthorize MFA

All users under your account will be prompted to re-enter an MFA code every 30 days, on all devices and browsers, by default. You can make this more frequent as follows.

  1. Navigate to Admin > Employees - Preferences.
  2. Click the MFA Time Setting dropdown and select the desired timeframe, from 1 hour to 30 days.
  3. Click Save.

Once that time setting elapses for a user, they will need to enter an MFA code from their authenticator app, regardless of their activity or inactivity. Even if users leave browser tabs open with sessions running, our system checks on every web request.

 

MFA Troubleshooting

If someone gets locked out, an admin on your account can "unlock" a user account by following these steps:

  1. Navigate to Admin > Users > Details for the tech who is locked out
  2. Click Change Password in the upper right
  3. When prompted, enter your own password to gain access to the edit page
  4. At the bottom of the page, click Disable Multi-factor authentication

If you repeatedly encounter an Attempt Failed error message when entering your MFA code, it's likely that one of the following is the cause:

  1. Double-check that you have entered the correct code using the correct MFA Authenticator App.
  2. A time de-sync from the device that is running the Authenticator App is causing incorrect codes to be shown.
    a. Check the device’s time for accuracy. Even a one or two minute discrepancy can cause issues.
    b. Power the device off, then turn it back on (simply restarting doesn’t always update the time correctly).
    c. Check the device’s Time Settings to ensure it’s in the correct time zone.
    d. Attempt to log in once more, using the MFA codes from your Authenticator app. Since the device time is now verified to be accurate, it should work as expected and log you in.

Hardware Security Keys

A hardware security key is a physical device used as a second authentication factor to enhance security. It generates a unique code for each login attempt, which is required in addition to the user's password or biometric data. Security keys are commonly used in two-factor authentication (2FA) or multi-factor authentication (MFA) protocols, which require users to provide at least two forms of authentication to access a system or device.

Hardware Security Keys Setup Instructions

  1. Log into your Syncro account
  2. Access the Profile/Password Page (Click on profile/password in your username menu)
  3. Click Hardware Security Keys at the bottom of the page
  4. Give the security key a unique name
    • A unique name should help you identify what key to remove in case you lose a key
  5. Click Register
  6. Your browser will present you with the rest of the setup screen. It should give you options for both hardware keys (YubiKeys, Titan Keys) as well as platform keys (Windows Hello, TouchID, FaceID)
  7. Click Add Security Key
  8. Add additional keys to reduce the likelihood of getting locked out if you lose or misplace a key

Hardware Security Keys FAQ

What Keys are supported?

  • Any FIDO U2F key is supported (YubiKey, Google Titan Keys)
  • Any hardware+OS that supports WebAuthn

Can I use more than one key?

  • Yes, you can add as many keys as you want. It’s a good idea to have a backup key in case one is lost.

Can I use a key more than once?

  • On different apps (Like Okta or GitHub) - Yes, you can use the same key for multiple platforms.
  • On Syncro using different Syncro Accounts? - Yes, as long as it’s for a different account. You cannot use the same key twice on the same Syncro account. This means that users cannot share a key on the same Syncro Account.

Can I still use regular MFA if I enable this?

  • Yes. There is a button on the Security Keys MFA login page that allows you to use your authenticator app for login instead.

Will hardware keys completely stop a bad actor from accessing my account?

  • Unfortunately not. However, it is likely to slow them down and require them to find other ways to gain access.

Can hardware keys share the same nickname?

  • No. Every hardware key on your account must have its own unique nickname.

 
