Summary
Add two-factor authentication (2FA) to your portal, to help protect your portal from malicious login attempts. This method is a form of multi-factor authentication (MFA).
This feature is available to all customers.
Two-factor authentication in LearnUpon: overview
Two-factor authentication helps verify the identity of the person logging in, by requiring a confirmation code, sent to a device associated with the genuine user.
For LearnUpon, users must set up an authenticator app on their mobile phones or desktops, and link the app to their LearnUpon account, to generate the code. Two-factor authentication works with or without SSO (single sign-on) enabled.
Once 2FA is active on a user's account, the user needs to provide a 2FA code for every new session. Logging out, timing out of a session, or changing portals means the user's next login requires a 2FA code.
At setup, LearnUpon provides several single-use backup codes to let a user log in if they can't access their authenticator app. Users need to record these codes outside of LearnUpon, and keep them safe.
You can set up 2FA:
- as optional for users to enable for their own accounts
- as required, so each user must provide authentication to access their account
Note: The required 2FA feature applies to all users in your portal, including admins, as soon as you enable it. Existing users, who previously accessed LearnUpon with a password alone, can't log in without completing the setup.
As an admin, make sure you:
- provide clear communications to users, and advice and support about using 2FA
- download and set up your own 2FA app
Authenticator applications for mobile
LearnUpon supports the following 2FA apps:
- Google Authenticator
- Microsoft Authenticator
- LastPass Authenticator
- Twilio Authy
- HID Approve
Tip: This list is not exhaustive. You can use any authenticator app that can successfully generate 2FA codes from scanning LearnUpon's QR code.
Consult your organization's internet security team about other options if required.
Supporting users who lose access to their app
If a user loses access to their device - loses their phone, or sets up a new device from scratch - their first option is to use their backup codes to log in, then set up a new device from their profile.
If a user has no device and no backup codes, an admin can disable 2FA from the user's profile, until the user can set up a new authentication device.
First-time setup: optional 2FA for users to access in their profiles
Two-factor authentication is available on your portal by default. You need to turn on the feature to start using it. As admin, you enter your password to reach the 2FA options.
Users still need to turn on the feature for themselves through their user profiles.
- From main navigation go to Settings > Two-Factor Authentication, and enter your password in the dialog.
- Select Allow users to enable 2FA.
- Save to finish.
The following screenshot shows the default settings for 2FA.
Set up required 2FA for all users
When an admin changes the 2FA setting for a portal from optional to mandatory between user visits, all users need to set up 2FA at their next login.
- From main navigation go to Settings > Two-Factor Authentication, and enter your password in the dialog.
- Select:
- Allow users to enable 2FA
- Enforce 2FA on all user accounts
- Save to finish.
Two-factor authorization and multiple portals
When you create a new portal, sub-portals do not inherit the 2FA settings of their top-level portal.
Once 2FA is active on a user's account, the user must provide a 2FA code for every new session. Changing portals using the portal switcher counts as starting a new session.
You can set 2FA on top-level and sub-level portals differently. For example you can make 2FA:
- optional on all portals - learners decide whether to set it up for themselves
- optional on the top level, but required for sub-level portals
- required for top level, but optional for sub-level portals
- required for all portals - every login requires a 2FA code
Switching portals with 2FA
Once 2FA is active for an account on a portal, users need to enter a 2FA code every time they log in to that portal. It doesn't matter if 2FA is optional or mandatory for the portal. When it applies to the user, the effect is the same.
When switching between portals:
- user moves from portal with 2FA on their account to a portal with no 2FA on their account - no code required
- user moves from a portal with no 2FA on their account, to a portal with 2FA enabled on their account - code required
- user moves between portals which have 2FA set up on both accounts - code required each time
Using 2FA does not affect a user's password.
Tip: if you're not certain of the effects of 2FA, test it with a sample learner account to see it in practice.
See: