Multi-Factor Authentication (MFA) for External Users
MFA is available for users who are added to your repository as External Users. External Users are usually people from outside your organization who require access to documents over an extended period of time for collaboration or other purposes.
- Set up MFA for external users for your repository
- Enroll Authenticator
- Verify Factor
- Request the reset of the user's factor
- Complex factor reset scenarios (users change the email address or username)
Multi-Factor Authentication (MFA) is an authentication method in which a user is only granted access after successfully presenting two or more pieces of evidence (factors). Here the factors are the NetDocuments username and password (something the user knows) and a one-time code generated by an authenticator app on the user's device (something the user has).
NetDocuments MFA uses the industry-standard TOTP protocol (time-based one-time passwords, RFC 6238) and works with any standards-compliant authenticator app, such as those from Microsoft, Google, Duo or Okta.
Set up MFA for external users for your repository
To enable MFA for your repository, go to the Repository Administration page > Security Center > Advanced Authentication, and select the MFA tab.
Select the Require external users to use multi-factor authentication to access this repository check box and save your changes.
Once MFA is enabled for your repository, external users are prompted to enroll an authenticator the next time they log in.
External users will see the following screen:
When users select Enroll, an information screen appears with a QR code to scan with an authenticator app on a mobile device, or an equivalent setup key to copy and paste into the app.
Note that, for security reasons, if users do not complete enrollment within the 5 minutes counted down in the lower-left corner of the screen, they must restart the enrollment process by logging in again.
The example below shows the Google Authenticator app on an Apple iPhone (iOS) device:
After external users have entered the code from the authenticator app, they can enable the Remember this device for 30 days option. This marks the current browser on that laptop or desktop computer as trusted for 30 days, so users are not asked for their second factor at every login from that browser. Because the trust is tied to the browser, users should only enable this option on a computer they control, not on a shared or public machine.
Users select Enroll to complete the procedure. At any point, users can select Bypass to skip enrollment; they can then access only those repositories of which they are members and for which MFA has not been configured.
If users make a mistake entering the code from the mobile app, they will see the error message shown below. Each code is only valid for a short period, and the authenticator app indicates when a code is about to expire (for example, in the Google Authenticator app the text turns from blue to red).
The screenshot below shows an example of verifying the factor.
If users receive the error stating that the code is invalid, they have only 10 attempts to enter the right code, or they can select the I have lost access to my factor link (for example, if the mobile phone with the app is lost).
If users enter the wrong code more than 10 times, their access to MFA-protected repositories will be blocked and they will receive the following email:
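The following is an added example, written for this page and not NetDocuments' own code, that models the server side of the enrollment and verification flow described above: the secret behind the QR code, the TOTP/HOTP computation the authenticator app performs (RFC 6238 on top of RFC 4226, checked against the RFC test vectors), the 5-minute enrollment deadline, the 30-second code lifetime, and the lockout after more than 10 wrong codes. The one-step clock-drift tolerance, the refusal to accept a code twice, the otpauth URI layout, the `Factor`/`Enrollment` names and the sample account are assumptions about a typical verifier, not a description of the NetDocuments implementation.

```python
"""Model of a TOTP enrollment and verification flow (added example, not NetDocuments code)."""
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse
from dataclasses import dataclass
from typing import Optional

TOTP_STEP = 30           # RFC 6238 time step in seconds; the default of the listed apps
TOTP_DIGITS = 6
DRIFT_STEPS = 1          # assumption: accept one step either side to tolerate clock skew
ENROLL_WINDOW = 5 * 60   # page: enrollment must finish within 5 minutes
MAX_FAILURES = 10        # page: more than 10 wrong codes blocks the account


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(secret, now // step)


def otpauth_uri(secret: bytes, issuer: str, account: str) -> str:
    """The URI a QR-code enrollment screen encodes (the de facto 'Key URI' format)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")   # the text key shown for manual entry
    label = urllib.parse.quote(f"{issuer}:{account}", safe=":@")
    query = urllib.parse.urlencode({"secret": b32, "issuer": issuer, "algorithm": "SHA1",
                                    "digits": TOTP_DIGITS, "period": TOTP_STEP})
    return f"otpauth://totp/{label}?{query}"


@dataclass
class Factor:
    """An enrolled factor with the failure counter and lockout the page describes."""
    secret: bytes
    failures: int = 0
    locked: bool = False
    last_step: Optional[int] = None   # highest accepted step, so an intercepted code cannot be replayed

    def verify(self, code: str, now: int) -> str:
        """Return 'ok', 'invalid' or 'locked' for a code typed at Unix time `now`."""
        if self.locked:
            return "locked"
        step = now // TOTP_STEP
        for candidate in range(step - DRIFT_STEPS, step + DRIFT_STEPS + 1):
            if self.last_step is not None and candidate <= self.last_step:
                continue                      # already used, or older than a used code
            if hmac.compare_digest(hotp(self.secret, candidate), code):   # constant-time compare
                self.failures = 0
                self.last_step = candidate
                return "ok"
        self.failures += 1
        if self.failures > MAX_FAILURES:      # the 11th wrong code blocks the account
            self.locked = True
            return "locked"
        return "invalid"


@dataclass
class Enrollment:
    """Pending enrollment: the secret is committed only after the user proves they scanned it."""
    secret: bytes
    uri: str
    expires: int

    def complete(self, code: str, now: int) -> Optional[Factor]:
        """Return the enrolled Factor, or None if the window has passed or the code is wrong."""
        if now > self.expires:
            return None                       # timed out: the user must log in and start again
        step = now // TOTP_STEP
        for candidate in range(step - DRIFT_STEPS, step + DRIFT_STEPS + 1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                return Factor(secret=self.secret, last_step=candidate)
        return None


def start_enrollment(issuer: str, account: str, now: int) -> Enrollment:
    """Generate a fresh 160-bit secret and the URI to show as a QR code."""
    secret = secrets.token_bytes(20)
    return Enrollment(secret, otpauth_uri(secret, issuer, account), now + ENROLL_WINDOW)


if __name__ == "__main__":
    # Constructed walk-through with the RFC 6238 test secret and a fixed clock.
    rfc_secret = b"12345678901234567890"
    pending = Enrollment(rfc_secret, otpauth_uri(rfc_secret, "NetDocuments", "ext@example.com"),
                         expires=59 + ENROLL_WINDOW)
    factor = pending.complete(totp(rfc_secret, 59), 59)
    print("enrolled:", factor is not None)
    print("replay of the enrollment code:", factor.verify(totp(rfc_secret, 59), 70))
    print("fresh code:", factor.verify(totp(rfc_secret, 70), 70))
    print("wrong codes:", [factor.verify("000000", 100) for _ in range(11)][-2:])
```

The replay check (`candidate <= self.last_step`) is the part most home-grown verifiers omit: without it a code that was shoulder-surfed or phished stays usable for the rest of its 30-second step, plus whatever drift the verifier tolerates.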
Request the reset of the user's factor
After selecting the I have lost access to my factor link during verification, a confirmation dialog box appears. To proceed, users need to select Confirm.
A message is then sent to the Repository Administrator. In the meantime, users can continue to access any repositories of which they are members that are not secured by MFA.
Users will receive an email with instructions and a link that will take them to the reset page.
Selecting the link in the email will bring users to the following page:
If the administrator resets the MFA for this account, the user will receive the email:
Your Multi-factor authentication [name] factor was reset. Please re-enroll it.
If the administrator rejects the request for a reset, the user will receive the email:
Your request about factor reset was rejected. Please contact with administrator if you have any questions.
Complex factor reset scenarios (users change the email address or username)
If users change their username or their email address, the Repository Administrator (or Group Administrator) is presented with what is called a complex reset, rather than the simple reset scenario described above.
After changing either the username or the email address, users have 2 weeks to reset their MFA factor.
When users log in and the MFA screen appears, they must select the I have lost access to my factor link and then confirm the action.
The administrator will receive an email with two links:
Selecting either link takes the administrator to a page where they confirm the acceptance or rejection of the request.
The user then receives an email notification of the reset or the rejection, as shown above.