Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) strengthens security by requiring multiple verification methods to access an account. This reduces the risk of unauthorized access, even if a password is compromised. Apaleo currently supports Time-Based One-Time Passwords (TOTP) generated through authentication apps or password managers.
MFA is a user-specific security feature, meaning each user can enable or disable it for themselves. MFA cannot be enforced through the Account Admin.
Because MFA is applied at the user level, a user's MFA enrolment and TOTP codes are the same across all accounts that user can access; there is no separate setup per account.
MFA Methods Available
Currently, MFA can be set up using the following methods:
- TOTP via an authentication app (e.g., Authy, Google Authenticator)
- TOTP via password managers (e.g., 1Password, Bitwarden)
Recommendations
- On computers and shared devices, use browser extensions of password managers that support TOTP for seamless and secure authentication.
- During setup, verify your account and authentication method to prevent losing access or misconfigurations.
- Ensure the clock on the device generating your codes is correctly synchronised (compare it with time.is). TOTP codes are derived from the current time, so a drifted clock is a common cause of failures during MFA setup.
Enabling Prompt to Set Up MFA at Login
The prompt to set up MFA is enabled by default for all users. As MFA is a user-controlled feature, this prompt is optional and can be skipped. The account admin can choose to hide the prompt for all users of the account.
- If the login prompt is enabled: Users will see the MFA setup process when logging in. They can choose to complete the setup or skip it. Apaleo does not enforce session logouts; the prompt only appears after a user logs out or their session expires.
- If the login prompt is hidden: Users will not be prompted to set up MFA at login but can enable it manually at any time from the Security & Authentication section in Account Management (top right corner of the screen).
Enabling MFA for Your User Account
Users can enable MFA in three ways:
- During login: If the login prompt is enabled, follow the on-screen instructions to complete the setup.
- Through user settings: Navigate to Account Management > Security & Authentication and follow the setup instructions.
- Through admin email reminders: Admins can trigger an email suggesting MFA setup; users can start the setup process from the link in that email.
Removing MFA from Your Account
Users can disable MFA at any time from Security & Authentication in Account Management.
Important: To remove MFA, you must have access to your authentication code. If you cannot access it, refer to the Resetting MFA for Other Users section.
Once MFA is disabled, it can be re-enabled by following the setup process again.
Auditing MFA Adoption
Admins can track MFA adoption at two levels:
- Account Level: View and manage MFA settings for all users within an account, with an overview of MFA adoption across the account.
- Property Level: Track MFA adoption for specific properties.
Boosting Adoption
Resetting MFA for Other Users
Only account admins can reset MFA for other users in their account.
If a user loses access to their MFA method, an administrator must reset it. The user will then be able to set up MFA again from scratch.
Too Many Failed Authentication Attempts
- If a user enters an incorrect authentication code 10 times, their account will be locked for 30 minutes.
- During this lockout period, neither account administrators nor Apaleo Support can unlock the account.
- After 30 minutes, the user can attempt authentication again.