What is multi-factor authentication?
Multi-factor authentication (MFA) means you need more than one piece of secret information to access your account. The point of having multiple factors is to reduce the risk of an unauthorized person getting access to your user account and personal data.
The first factor is your password which you can provide by typing it in (or using a password manager). The additional factors are secrets which can only be provided by different means, thus reducing the risk of accidentally losing or disclosing them. The most commonly used additional factor is a mobile device which stores the secret information and allows you to prove that you possess it (e.g. by generating a short one-time password which you can type in). By having this additional factor, the risk of your account being compromised is significantly reduced as an attacker would need to know your password as well as have access to your unlocked mobile device.
In some cases the additional factors may be pieces of information that are intrinsic to your network connection or internet client (e.g. IP address, device profile).
It is a good and widely used practice to secure your user account with a second authentication factor, and is far superior to just having a strong password. We highly recommend that you opt in for multi-factor authentication in Backstage.
MFA in Backstage
Starting from April 27, 2019, ForgeRock's Backstage website (backstage.forgerock.com and sso.forgerock.com) supports multi-factor authentication. The next time you log in after this date, you will be prompted to select your preferred authentication method.
The following options are available:
- Skip: An MFA method will not be registered now, but you will be prompted again on your next login.
- Opt out: An MFA method will not be registered now and you will not be asked again (you can reset this on the profile settings page). This choice is not recommended.
- WebAuthn: Hardware token (e.g. YubiKey) or biometric (e.g. Touch ID) authentication in your browser. Please note that WebAuthn is only supported in the latest versions of Chrome, Firefox and Edge. Read more
- Push Auth: Push message based authentication with a mobile device; requires the ForgeRock Authenticator app (iOS or Android)
- One-time Password: a single-use, 6-digit, limited lifetime password generated by a mobile device. Usable with the ForgeRock or the Google Authenticator app, available in the App Store and the Google Play Store. Read more
After the initial setup of a MFA device, Backstage will save it to your user profile. The next time you log in, you will be automatically asked to provide the previously registered MFA credentials.
Each MFA method generates single use recovery codes which can be used to access your account in case you are unable to authenticate with your chosen second factor. Please print these codes and keep them in a safe place.
If you have trouble logging in, refer to "What happens if you can't log in" below.
If you opted in for MFA, this choice will only affect systems that sign you in via sso.forgerock.com (e.g. Backstage). You can sign in with the same username and password on other sites (such as bugster.forgerock.org), but these sites will not necessarily use the SSO site and will therefore not enforce multi-factor authentication. We are working on bringing these sites under sso.forgerock.com so that they can all support this feature.
Adding additional devices
Backstage supports registering multiple MFA devices per profile. To register another device, first login to backstage and navigate to the authentication settings page. Here at the bottom of the page you will see a description of each available MFA method with a button to register. Clicking the "Register" button for the method of your choice will prompt you to setup a new device. Simply follow the steps and you'll be returned to the "Authentication Settings" page once complete. Please note that whilst we support multiple WebAuthn devices per Backstage profile, we only support one one-time password device and one push authentication device per profile. Additionally, if you previously opted out and wish to opt in now, you can do so by following the aforementioned steps.
We strongly recommend registering more than one device so that if something happens to one of the devices you're not locked out of your account.
Changing your MFA settings
If you have lost your hardware token or have a new phone, it may be the case that you need to update your MFA settings. You can always delete a device by going to the authentication settings page in Backstage, and clicking the pencil icon for the device you want to update. From here you can change the name of the device or choose to remove it from your Backstage profile. Removing a MFA device requires you to re-enter your password. The selected device will be removed from your account and if this is your only device registered you will be asked to set up a new MFA device on your next login.
If you have used all of your recovery codes, lost them or they were stolen, you should generate new ones on this page. Click the circular arrow button. This will replace any existing codes with 10 new ones.
What happens if you can't log in?
If you opted in for MFA but cannot log in due to an error, try the following:
- Open a private (or incognito) browsing session or clear your browser cookies, reload the page and try again
- Choose "use recovery code" on the MFA login page and enter an unused recovery code. Recovery codes are one-time passwords. If you had to use a recovery code, you should reset your MFA device as described above
- If you lost your recovery codes, refer to What happens if you lost your recovery codes? below
- If these suggestions above didn't work, contact us at firstname.lastname@example.org
WebAuthn is a new technology and not all browsers support it yet. Note that as with mobile devices, you can only use WebAuthn on the same device where you set it up originally. This is due to the fact that a unique key is stored in on the device which is needed to perform authentication. Unlike other MFA methods, however, WebAuthn happens on the same device where you're logging in via your browser, and is therefore less portable than the other supported methods. If you wish to log in on more than one computer, please register WebAuthn for each device.
What happens if you lost your recovery codes?
Alternative recovery method
If you have lost your device as well as your recovery codes, you can still regain access to your account by selecting "Use alternative method" after failing to provide your MFA credentials:
In order to verify your identity, you will receive two separate One Time Passwords: one as a text message to your phone number and a second one to your email address. You will need to enter both correctly in order to unlock your account. For this alternative method to work, your account needs to have a valid phone number (it has to start with the country code). If you cannot receive either the text message or the email, you will not be able to log in with this method.
We will regularly ask you to update your phone number and email address to make sure that the alternative recovery method is available, should you need it.
If you are unable to use the alternative recovery method, we may be able to verify your identity manually. You can request this by sending a picture of your government issued valid photo ID (e.g. passport, driver's license or national ID card) to email@example.com. We will verify that
- the first and last name(s) in your document matches those in the account;
- the request was sent from the email address registered with the account;
- if your avatar picture associated with your email address is of a human face, it matches the photo on the ID
If all of the above checks pass, your existing MFA device settings will be deleted and you will be able to log in with your username and password. You will also be prompted to set up a new MFA device. Please make sure to print your recovery codes and keep them in a safe place.
Your ID document is sensitive data. To protect your privacy, we will destroy all copies of the picture you sent once the case is closed. Beware of phishing attempts! Make sure to only send your ID documents to firstname.lastname@example.org. If you receive a suspicious email, please let us know immediately on this address.