What is multi-factor authentication?
Multi-factor authentication (MFA) means that you need more than one piece of secret information to access your account. The point of having multiple factors is to reduce the risk of an unauthorized person getting access to your user account and personal data.
The first factor is your password which you can provide by typing it in (or using a password manager). The additional factors are secrets which can only be provided by different means, thus reducing the risk of accidentally losing or disclosing them. The most commonly used additional factor is a mobile device which stores the secret information and allows you to prove that you possess it (e.g. by generating a short one-time password which you can type in). By having this additional factor, the risk of your account being compromised is significantly reduced as an attacker would need to know your password as well as have access to your unlocked mobile device.
In some cases the additional factors may be pieces of information that are intrinsic to your network connection or internet client (e.g. IP address, device profile).
It is a good and widely used practice to secure your user account with a second authentication factor, and it is far superior to just having a strong password. We highly recommend that you opt in for multi-factor authentication in BackStage.
MFA in BackStage
Starting April 27, 2019, ForgeRock's BackStage website (backstage.forgerock.com and sso.forgerock.com) supports multi-factor authentication. The next time you log in after this date, you will be prompted to select your preferred authentication method.
The following options are available:
- Skip: An MFA method will not be registered now, but you will be prompted again on your next login.
- Opt out: An MFA method will not be registered now and you will not be asked again (you can reset this on the profile settings page). This choice is not recommended.
- WebAuthn: Hardware token (e.g. YubiKey) or biometric (e.g. Touch ID) authentication in your browser. Please note that WebAuthn is only supported in the latest versions of Chrome, Firefox and Edge.
- Push Auth: Push message based authentication with a mobile device; requires the ForgeRock Authenticator app (iOS or Android)
- One-time Password: a single-use, 6-digit, limited lifetime password generated by a mobile device. Usable with the ForgeRock or the Google Authenticator app, available in the App Store and the Google Play Store.
Each MFA method generates single use recovery codes which can be used to access your account in case you are unable to authenticate with your chosen second factor. Please print these codes and keep them in a safe place.
If you have trouble logging in, refer to "What happens if you can't log in" below.
If you opted in for MFA, this choice will only affect systems that sign you in via sso.forgerock.com (e.g. BackStage). You can sign in with the same username and password on other sites (such as bugster.forgerock.org), but these sites will not necessarily use the SSO site and will therefore not enforce multi-factor authentication. We are working on bringing these sites under sso.forgerock.com so that they can all support this feature.
Changing your MFA settings
After the initial setup of an MFA device, BackStage will remember your choice and save it in your user profile. The next time you log in, you will be automatically asked to provide the selected MFA credentials. However, if you lost your hardware token or have a new phone, you might need to update your MFA settings.
You can always reset your MFA settings by going to the profile page in BackStage, and clicking Reset in the Multi-factor Authentication box at the bottom of the page. Resetting your MFA device requires you to re-enter your password. The current device will be removed from your account and on your next login you will be asked to set up a new MFA device.
If you previously opted out and wish to opt in now, you can do so by resetting your MFA choice.
What happens if you can't log in?
If you opted in for MFA but cannot log in due to an error, try the following:
- Open a private (or incognito) browsing session or clear your browser cookies, reload the page and try again
- Choose "use recovery code" on the MFA login page and enter an unused recovery code. Recovery codes are one-time passwords. If you had to use a recovery code, you should reset your MFA device as described above
- If you lost your recovery codes, refer to "What happens if you lost your recovery codes?" below
- If the suggestions above didn't work, contact us at email@example.com
WebAuthn is a new technology and not all browsers support it yet. Note that as with mobile devices, you can only use WebAuthn on the same device where you set it up originally. This is because a unique key, which is needed to perform authentication, is stored on the device. Unlike other MFA methods, however, WebAuthn happens on the same device where you're logging in via your browser, and is therefore less portable than the other supported methods. If you wish to log in on more than one computer, please select a different MFA method.
What happens if you lost your recovery codes?
Alternative recovery method
If you have lost your device as well as your recovery codes, you can still regain access to your account by selecting "Use alternative method" after failing to provide your MFA credentials.
In order to verify your identity, you will receive two separate One Time Passwords: one as a text message to your phone number and a second one to your email address. You will need to enter both correctly in order to unlock your account. For this alternative method to work, your account needs to have a valid phone number (it has to start with the country code). If you cannot receive either the text message or the email, you will not be able to log in with this method.
We will regularly ask you to update your phone number and email address to make sure that the alternative recovery method is available, should you need it.
If you are unable to use the alternative recovery method, we may be able to verify your identity manually. You can request this by sending a picture of your valid government-issued photo ID (e.g. passport, driver's license or national ID card) to firstname.lastname@example.org. We will verify that:
- the first and last name(s) in your document match those in the account;
- the request was sent from the email address registered with the account;
- if your avatar picture associated with your email address is of a human face, it matches the photo on the ID.
If all of the above checks pass, your existing MFA device settings will be deleted and you will be able to log in with your username and password. You will also be prompted to set up a new MFA device. Please make sure to print your recovery codes and keep them in a safe place.
Your ID document is sensitive data. To protect your privacy, we will destroy all copies of the picture you sent once the case is closed. Beware of phishing attempts! Make sure to only send your ID documents to email@example.com. If you receive a suspicious email, please let us know immediately at this address.