Multi-Factor Authentication Setup

Exploring

This program lets you configure your preferred authentication method when first logging into SYSPRO (after Multi-Factor Authentication has been enabled).

Things you can do in this program include:

  • Configure your preferred authentication method

  • Send a test email to your configured email address when using Email Authentication.

This program is accessed from the Program List pane of the SYSPRO menu:

  • Program List > Administration > Security

Multi-Factor Authentication (MFA) is the process of identifying a user by validating two or more methods of authentication from independent credential categories.

This authentication method ensures that a user is only granted access after successfully presenting two or more pieces of evidence to an authentication mechanism.

The three most commonly used authentication factors are:

  • Knowledge: something only the user knows (e.g. a user name and password, a PIN or answers to security questions).

  • Possession: something the user has (e.g. a smart-phone, Time-based One-time Password (TOTP) or smart card).

  • Inherence (or biometrics): something unique that proves the user's identity (e.g. a fingerprint, iris scan or voice recognition).

The principle of Multi-Factor Authentication is that there is no perfect authentication factor. Any one factor that is implemented will have its strengths and weaknesses. For this reason, the concept of Multi-Factor Authentication is that a second or third factor compensates for the weakness of the other factors and vice-versa.

The Time-based One-Time Password algorithm (TOTP) is an extension of the HMAC-based One-Time Password algorithm (HOTP) which generates a unique one-time password based on the current time.

It has been adopted as Internet Engineering Task Force standard RFC 6238, is the cornerstone of Initiative For Open Authentication (OATH), and is used in a number of two-factor authentication systems.

The one-time password must validate over a range of times between the authenticator and the authenticated because of latency (both network and human) and unsynchronized clocks.

Both the authenticator and the authenticatee compute the TOTP value, then the authenticator checks if the TOTP value supplied by the authenticated matches the locally-generated TOTP value.

Some authenticators allow values that should have been generated before or after the current time in order to account for slight clock skews, network latency and user delays.

Topics

Multi-Factor Authentication

Programs

MFA Operator Configuration

MFA Operator History Query

MFA Operator History

Query programs

MFA Operator History Query

Starting

You can restrict operator access to activities within a program (configured using the Operator Maintenance program).

You can restrict operator access to the fields within a program (configured using the Operator Maintenance program).

You can restrict access to the eSignature transactions within a program at operator, group, role or company level (configured using the eSignature Setup program). Electronic Signatures provide security access, transaction logging and event triggering that gives you greater control over your system changes.

You can restrict operator access to programs by assigning them to groups and applying access control against the group (configured using the Operator Groups program).

You can restrict operator access to functions within a program using passwords (configured using the Password Definition program). When defined, the password must be entered before you can access the function.

The following configuration options in SYSPRO may affect processing within this program or feature, including whether certain fields and options are accessible.

The System Setup program lets you configure your SYSPRO environment. These settings can affect processing within this program.

SYSPRO Ribbon bar > Setup > General Setup

  • Multi-Factor Authentication

    • Multi-factor authentication required
    • User applicability
    • Specific operator configuration

  • Authentication methods

    • Email authentication required
    • Email configuration
    • Google authenticator required

This configuration is required if you select to use the Email authentication method.

  • SMTP server IP address
  • Outgoing email address
  • Username
  • Password
  • Server port
  • Use SSL

  • Multi-Factor Authentication is not currently available for the following (i.e. an operator configured for Multi-Factor Authentication won't be able to login to these platforms):

    • SYSPRO Supply Chain Portal

    • SYSPRO Espresso

  • SYSPRO operators cannot be enabled for simultaneous use of Multi-Factor Authentication and Single Sign-on (Active Directory user).

Solving

These messages are displayed when you select the Send test Email function of the Multi-Factor Authentication Setup program and some Email/SMTP settings are not configured correctly or the SMTP server is not available.

Ensure that your SMTP server is online and available.

In addition, ensure that the following options are configured correctly on the Email/SMTP settings tab of the System Setup program:

  • SMTP server IP address
  • Outgoing email address
  • Username
  • Password
  • Server port

This message is displayed when you launch SYSPRO for the first time after Multi-Factor Authentication has been enabled against your operator code. The system needs to validate and configure your preferred authentication method.

Complete the required fields of the Multi-Factor Authentication Setup program and save your entries.

Then log into SYSPRO using the new authentication method defined.

The following auditing and logging capabilities are available to ensure that Multi-Factor Authentication is managed and tracked correctly:

The system automatically records when Multi-Factor Authentication is enabled, disabled, suspended or resumed for an operator using the MFA Operator Configuration program.

These entries are stored in the AdmMfaAuthEnabled table and you can use the System Audit Query program to view the history.

This table includes which operator changed the authentication status and the operator that was changed.

The system automatically tracks each operator's configured authentication method when they use the Multi-Factor Authentication Setup program.

These entries are stored in the AdmMfaAuthConfig table.

This program lets you view the history of successful MFA authentications for the company.

SYSPRO automatically tracks each time an operator successfully authenticates themselves to SYSPRO through Multi-Factor Authentication and logs which authentication method is used. Its purpose is to assist system administrators in effectively managing system security.

The entries are stored in the AdmMfaAuthHistory table which records each time an operator successfully logs into SYSPRO using Multi-Factor Authentication. It includes the date and time they were prompted for the additional authentication, as well as the method used to login and the computer name from which this was done. The MFA Operator History Query program lets you view the history.

Although failed login attempts are not currently logged, this will be addressed in a later software release.

When you login as an operator requiring Multi-Factor Authentication, the following rules apply to the AdmOperator table of your system-wide database:

  • The AuthenticationType entry must be M (indicating multi-factor authentication).

  • The OperatorType entry must be N (indicating normal operator).

  • The OperatorStatus entry must be A (indicating active).

  • The operator code cannot be prefixed with underscores (e.g. __BOT)

  • The operator cannot be locked out (i.e. the OperatorLockedOut entry must contain spaces and not an L entry).

An operator code that is configured for Multi-Factor Authentication can't be used to access applications that use e.net.

When disabling Multi-Factor Authentication for an operator, all the MFA-configured information is removed; only the history is retained.

Operators who are disabled for MFA revert to entering the traditional user name and password to access SYSPRO.

Disabling MFA for an operator is useful when that operator no longer requires an additional authentication method to access SYSPRO.

When suspending Multi-Factor Authentication for an operator, the additional authentication is effectively paused; all the MFA-configured information and history is retained.

Operators who are suspended for MFA revert to entering the traditional user name and password to access SYSPRO.

Suspending MFA for an operator is useful when that operator requires temporary suspension from the additional authentication requirement.

For example:

If an operator is configured to use Google authentication and they lose their phone, they can't access SYSPRO to configure or validate another method. Suspending their MFA allows them to do this.

Using

The following describes how a system administrator configures Multi-Factor Authentication in SYSPRO:

  1. From the Multi-factor authentication pane of the System Setup program, indicate that Multi-Factor Authentication is required against all, or specific operators.

  2. Use the MFA Operator Configuration program to view and configure additional MFA requirements (e.g. enabling, disabling, suspending or resuming an operator's MFA requirement).

  3. Once MFA is enabled for operators, they are automatically prompted by the Multi-Factor Authentication Setup program when next they login to SYSPRO.

    Operators use this program to configure and validate their preferred authentication method.

  4. Each subsequent login to SYSPRO requires the one-time, time-based pin from the configured MFA method, before the operator's login is validated.

  5. Use the System Audit Query program to review an audit log of all operators enabled for Multi-Factor Authentication.

Referencing

Field Description

Authentication method

Indicate the authentication method you want to use:

  • Email authentication sends an email to MFA-defined operators containing a Time-based One-time Password (TOTP) required as part of login verification.
  • Google authentication uses an app to generate a QR code for first time user configuration and a Time-based One-time Password (TOTP) is required as part of the verification process for subsequent logins.

Select Default Method

Select this option to indicate your default authentication method.
Field Description
Deactivate Email Authentication

Select this option to deactivate the defined email authentication and change to another method of authentication.
Email authentication

 

Information

This field provides summary information about the email authentication process.

Notification email address

This option is only available if the Operator can set own email address option within the Email configuration of the Multi-Factor Authentication pane is enabled.

Indicate the email address that must be used for the email authentication.

This is the email address to which the PIN will be emailed.

Test email

Select the Send test Email option to send yourself a test email to verify that the email address has been entered correctly and that it's working as expected.

Enter PIN

Enter the required PIN.

Verify

Select the Verify PIN option to validate that the PIN entered is correct.

Status

This indicates the current status of your Multi-Factor Authentication.
Field Description
Deactivate Google Authentication

Select this option to deactivate the defined Google authentication and change to another method of authentication.
Google authenticator

 

Information

This field provides summary information about the Google authenticator application's process.
QR code This displays the QR code that you can scan to receive the PIN required to validate the authentication method.
Supplied key This indicates the key allocated to the QR code (useful if you are unable to scan the QR code itself).

Enter PIN

Enter the required PIN.

Verify

Select the Verify PIN option to validate that the PIN entered is correct.

Status

This indicates the status of your Multi-Factor Authentication.