Public

PageUp supports two-factor authentication (2FA) for users logging in with a password. This is enabled by default when a password is used to log in. This method does not impact any users using Single Sign-On (SSO). The user will be asked to add a 2nd factor using an Authenticator App when they first log in with a password.

The feature Email 2FA code for Employee logins (bEmployeesEmailed2FA) enables a password security option that uses an email-based two-factor authentication. For more information about how this works, refer to the following:

• Employees: Enabling authenticator based two-factor authentication (2FA)
• Employees: Using email based two-factor authentication (2FA)

Legacy configuration

Enabling IP Restriction

To set up two-factor authentication, you need to first enable restriction by Internet Protocol (IP) Address. Depending on which portal you are looking to implement the IP restriction and two-factor authentication, add the allowed IPs to the respective features below:

• Login subnet filtering (Admin system)
• Login subnet filtering (Employee Self-Service)

Enforcing 2FA using subnet restriction

To enable 2FA via token when users are outside of the subnets (specified in the features above), enable the feature External subnet access.

To enforce 2FA for all login attempts, add a local IP address that no user will ever use. Once enabled, and a user tries to log in, they will receive the following message and will be asked to enter a token:

• You have attempted to access the system from outside an approved network.
  
  

For the Admin system, users must have either a mobile number or email set up in their profile for 2FA to take effect.

For the Employee Services, users must have a mobile number set up in their profile for 2FA to take effect.

The user will then receive the security token via email and SMS (SMS charges apply as stipulated in the ASP Agreement).

Example SMS: 

• 123456789 is your security token from PageUp People for access to the system. The token is valid for 10 minutes from the time of request, 5:02pm 29 Mar 2018.

In the event that a user enters the incorrect token, they will need to trigger a new request for a token. The system will not send a new 2FA token when the token is entered incorrectly by a user.