Finance Staff - Abila Access Instructions
MIP Multi Factor Authentication (MFA) Guide
This is a guide to setting up and using MFA in the MIP Cloud Hosted Environment
Multi Factor Authentication (MFA) is a way to enhance security access beyond just using a password.
MIP uses the One Time Passcode (OTP) method for MFA. This means that when you log in you will be prompted to enter additional information (a 6-digit code) to complete the login. This code can be obtained either from an authenticator app on a device or via email if a device is not an option.
The MIP MFA is designed to work with a variety of authenticator apps such as Google Authenticator, DUO, Apple Authenticator, Microsoft Authenticator, Free OTP and others.
MFA will have a phased rollout to all Cloud customers in 2023. After MFA is turned on for your organization:
- All users must complete the MFA Setup Process.
- All logins will be subject to MFA security at least once a week.
Setting Up MFA with a Device
The preferred method of setting up MFA is with a device. This could be an Android or Apple Phone or Tablet. It does not require a phone number or data plan, just internet access.
1- Verify or Install an Authenticator Application
You should make sure that you have an authenticator app installed on your device. If you already have an authenticator app you can use that. If you do not have an authenticator app then you will need to download and install one from your App store. If you are unsure which authenticator to use, then go with the Microsoft Authenticator, as it is already used by all Liberty employees to access your account.
2- Get the MFA Setup Email.
After MFA has been turned on for your organization, when you log in (https://portal.mip.com/) you will be prompted to “Set up MFA for this user”.
Click “Send Setup”. This will send an email to the email address associated with the user.
In the email there will be a link to start the setup process.
3- Set Up Security Questions
The first thing it will do is ask you to set up at least three Security Questions.
You can use the recommended questions or type your own. Click “Save” to go to the next screen.
This brings up a screen with QR Code authentication information on it. This is where you will use the Authenticator App.
A- Open the Microsoft authenticator app on your device.
B- Select the plus sign in the top right corner to add a new account and then select “Other account” for the account type.
C- Point your device's camera at the screen and it should automatically scan the QR code and register the account.
If the QR Code does not work
A- On your authenticator app choose to enter a Setup Key or Add Account Manually.
B- Fill in the information as required. Since the Setup Key is quite long it may be best to click the copy button at the end of the key and then paste it into an email that you open on your device. Copy it from the email into your App.
You will notice at the bottom of the screen there is a Recovery Code. It is a good idea to store this code somewhere. This code can be used to change the device used for authentication in the future.
After the device is set up go ahead and log into MIP again.
Logging in Using MFA and a Device
After the device is set up you are ready to use it to generate the code and log in.
1- Get prompted for Passcode
If you are logging into the MIP Classic (RDP) interface, you will still be prompted for your username and password at the point and when the program opens, but you will also get a new screen asking for your MFA Passcode.
2- Get the Passcode from your Authenticator App
To get the passcode open the authenticator program on your device.
Select the account that you set up and get a passcode. A new passcode is generated every 30 seconds, but once you start entering a code you have a few minutes to complete the entry.
Once the passcode is entered click Verify and it will continue to the login process. You will still be required to enter your password as normal.
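Added example, not part of the original guide or of MIP's own code: how a 6-digit passcode that changes every 30 seconds is derived from the Setup Key, and how a server can check it. It assumes the standard TOTP scheme (RFC 6238, HMAC-SHA1) that the authenticator apps listed above implement; the sample key is the constructed RFC test secret, and the acceptance window is an assumption, not MIP's documented behaviour.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample setup key: Base32 of the RFC 6238 test secret
# b"12345678901234567890". It is not a real MIP setup key.
SAMPLE_SETUP_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

def decode_setup_key(setup_key):
    """Base32-decode a setup key, tolerating spaces, dashes, case and missing padding."""
    cleaned = setup_key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(setup_key, at=None, step=30, digits=6):
    """Passcode the authenticator app shows at Unix time `at` (default: now)."""
    now = time.time() if at is None else at
    return hotp(decode_setup_key(setup_key), int(now // step), digits)

def verify(setup_key, submitted, at=None, step=30, window=1):
    """Server-side check. `window` is the number of extra 30-second steps accepted
    on each side (an assumption for this example, not MIP's actual tolerance)."""
    now = time.time() if at is None else at
    secret = decode_setup_key(setup_key)
    counter = int(now // step)
    matched = False
    for c in range(max(0, counter - window), counter + window + 1):
        candidate = hotp(secret, c)
        # Constant-time comparison; no early exit on a match.
        matched |= hmac.compare_digest(candidate.encode(), submitted.encode())
    return matched

if __name__ == "__main__":
    print("code at t=59:", totp(SAMPLE_SETUP_KEY, at=59))
    print("accepted 6 s later:", verify(SAMPLE_SETUP_KEY, "287082", at=65))
    print("accepted 66 s later:", verify(SAMPLE_SETUP_KEY, "287082", at=125))
```

Because the passcode is a function of the Setup Key and the clock only, anyone who holds the Setup Key can generate valid codes, so treat a copy of it (for example the email used to move it to your device) as a credential and delete it once the device is registered.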
Failed attempts and Account Lockout
If you mistype the code 3 times you will get a message that you are locked out.
Wait 5 minutes and try again. There is no need to call support to have your account unlocked.
If you try to sign into any machine (not just the one you were locked out of) you will get a lockout message.
Wait 5 minutes and try again. Your account will automatically unlock. There is no need to call support to get your account unlocked.
Setting up New or Replacement Devices/Lost Devices
If you no longer have access to the device that was registered for MFA or if you want to use a new or different device, follow these steps.
1- Get to the New Device Setup Screen
Proceed with your regular Login. When you get the MFA Prompt look at the bottom for the “Setup New Device” Link.
2- Choose a Reset/Recovery Method
Once you are in the recovery screen on the left-hand side you have 3 options for resetting MFA. Any of these options will ultimately de-register the device you were registered on and allow you to re-register a new device.
A – Answer Security Questions
By answering the security questions that you set up when you first registered the account with MFA you can easily reset your device.
If you select the option to use recovery code, then you can type in the recovery code that you saved from your initial setup.
If you can’t use the security questions and don’t have the recovery code, you can contact support to have the account reset. The quickest way is via support chat. You can also call support at the listed number. Once you have contacted an analyst and a case is created you will click the “Send My Info Now” button to confirm your request. This will generate a request email receipt to the email on record as well as sending info to support.
In addition to contacting a support agent this will require that support send you an authorization form that must be signed by someone in your organization who is an Administrator on the hosted system.
NOTE: To be processed the request must have an associated case number and signed form. Requests made by simply clicking “Send my Info Now” will not be processed.
After the request is processed it will be given to our hosting team and you will receive an email when it is reset.
NOTE: Support cannot register a new device for you or transfer your registration to another device. Support can only reset the account to allow you to register a new device.
Question – What happens if I decide to cancel my request, say I found a device I thought was lost?
Answer- Contact customer support with the case number to cancel the request. If we have not processed the request, you can continue to use the old device. If we have already processed the request, you can re-register the same device.
Depending on the method used you will either get a screen or a link to register your new device or you may be prompted to set up MFA again when you log in.
Open the authenticator app on your device.
Select the option for New Account and Scan QR Code.
Point your device's camera at the screen and it should automatically scan the QR code and register the account.
If the QR Code does not work
On your authenticator app choose to enter a Setup Key or Add Account Manually.
Fill in the information as required. Since the Setup Key is quite long it may be best to click the copy button at the end of the key and then paste it into an email that you open on your device. Copy it from the email into your App.
You will notice at the bottom of the screen there is a Recovery Code. It is a good idea to store this code somewhere. This code can be used to change the device used for authentication in the future.
NOTE: Your previous recovery code will no longer work after the reset. Be sure to record this new recovery code.
After the device is set up go ahead and log into MIP again and use the passcode generated by the new device.
NOTE: Depending on the reset method used you may be prompted to enter or update your security questions.
Setting up MFA without a Device
If you are unable to use a device, you can still set up and use MFA.
After MFA has been turned on for your organization, when you log in you will be prompted to “Set Up MFA for this user”.
Click “Send Setup”. This will send an email to the email address associated with the user.
In the email there will be a link to start the setup process.
2 – Set Up Security Questions
The first thing it will do is ask you to set up at least three Security Questions.
You can use the recommended questions or type your own. Click “Save” to go to the next screen.
The next screen is where you are prompted to register your device. If you don’t have a device, you can ignore this.
Your account has already been set up at this point.
It is still a good idea to save the recovery code. This will speed up the process if you ever need to reset your MFA or if you start using a device.
After you have saved your recovery code go back to the MFA login Screen. There is an option to “Get a Passcode”.
Logging into MFA Without a Device
If you need to log into MIP and you either have not registered a device or the device is temporarily unavailable, you still have the option to validate via email.
When you get to the MFA prompt there is a link to “get a passcode.”
If you click on that link, it will indicate that an email was sent to the email address on record for the account.
You should receive the email. It will contain a passcode.
Enter this passcode into the MFA prompt and complete the login process.
I forgot my Device; how do I use MFA?
If you have registered a device but do not have access to it, you can still log in.
You would use the directions for logging in without a device. These apply even if you have a device registered.
Click the “Get a Passcode” link at the MFA prompt and choose to be emailed a code. Then enter the code into the MFA prompt.
If you are going to be without the registered device for an extended period, you may wish to consider registering a different device.
Question- Can Specific User IDs be exempt from MFA?
Answer – No. MFA is turned on at an organization level. Once it is turned on all users for that organization are subject to MFA.
Question - Can MFA be used with a push notification through my Authentication App rather than having to enter a code?
Answer – No. MFA can only be done via Pass Code entry.
Question - Can MFA be done via Text or SMS Codes?
Answer – No. MFA can only be done via codes through an Authentication App.
Question – If I have verified with one interface will I have to verify with the other?
Answer – Yes. You will need to verify the Classic and Modern Logins separately as they use different login methods.
Question- Will I have to verify every time I log in?
Answer – It depends. When you verify, the system will put a cookie on the machine you logged in with. This will remain there for a week. So, in normal practice you only need to verify once a week.
If you log into a different machine, you will still have to verify on that machine.
Also, if you clear cookies in your web browser or do not allow them you will need to verify more often.
Question – I am locked out because I typed the wrong code too many times. How do I get unlocked?
Answer- Wait 5 minutes and try again. There is no need to call support to unlock.
Question – Can I have multiple devices registered at the same time?
Answer- The system is only designed for one device at a time to be registered.