In this article, we describe how Mnemonica uses MFA.
If you are looking for a guide about enabling MFA on your account, please visit this page.
What is Authentication?
When you want to get into a system, the system asks: who are you?
You respond with your username. That is your identity for the system.
The system replies: prove it.
You respond with your password: the first factor of authentication.
With basic security, the system would now let you in.
With enhanced security, the system will say it's not enough: prove it again.
And you must respond with a second factor of authentication.
MFA - Multi-Factor Authentication
Multi-Factor Authentication (MFA) is an electronic authentication method in which a user is granted access to an application only after successfully presenting two pieces of evidence (or factors) proving the identity presented in the username. MFA protects the user from identity theft.
It is called multi-factor authentication because the user can set up several authentication factors, even though only two are required at each login:
- username and password
- a factor of your choice among those available.
IMPORTANT: MFA is configured per user account; it is highly recommended but not mandatory. Nonetheless, some Projects may require it before letting the user access them.
Please refer to this article to learn more about account security.
How it works
When MFA is enabled, to log in, the user will be asked for a second piece of information in addition to their credentials, a second factor chosen from the available ones.
To enable MFA go to Account settings > Security > MFA > Enable MFA. Once enabled, you can add MFA methods as needed.
In Mnemonica, the authentication factors are provided by methods. Available methods are:
- An OTP (one-time-password) generated by an authenticator app (Google Authenticator or similar)
- An OTP received by SMS
- An OTP received on an email address
- A 6-digit secret PIN (Personal Identification Number)
Once the user has enabled at least one of the above methods, the Mnemonica Mobile App becomes a method itself. Mnemonica will send a push notification to every app session where the user is logged in each time an MFA check is required on a browser or another mobile app session. By tapping "Yes, it's me" on the received notification, the user allows the new session to authenticate. The Mnemonica Mobile App also allows passwordless login.
We warmly suggest enabling at least two methods to avoid unwanted account locks in case of device loss or forgotten information.
Authenticator app method
This is the recommended method. The user will need to install an authenticator app on their mobile device. When enabled, the user will get an auto-generated OTP from the authenticator app to input in the Mnemonica MFA window to authenticate.
Users can add as many authenticator apps as needed, even on different devices. To identify each device, Mnemonica lets the user name it during the adding process.
IMPORTANT: Authenticator apps are tied to a device, but most of them provide data migration to other devices. We recommend reading the documentation of the chosen authenticator app carefully to avoid an unwanted Mnemonica account lock.
Learn more about authenticator apps here.
SMS method
This is the most common method but has some drawbacks. The user can specify one or more mobile numbers to receive text messages. When enabled, Mnemonica will send a text with an OTP to input in the Mnemonica MFA window to authenticate.
DRAWBACKS: to receive SMS, the mobile phone must be under cellular coverage (Wi-Fi is not enough). Mnemonica sends SMS through AWS SNS; if you didn't receive a Mnemonica SMS, please make sure that your phone can receive SMS from unknown senders. Rarely, if you are abroad, your carrier may not be able to deliver SMS.
IMPORTANT: At login, you can request only one SMS every 3 minutes.
Email address method
This method is less convenient to use. The user can specify one or more email addresses where to receive OTPs to input in the Mnemonica MFA window to authenticate.
If using this method, we warmly suggest protecting your mailboxes.
Secret PIN method
This is an easy-to-use method but has some drawbacks. The user can add a 6-digit PIN to input before logging into Mnemonica.
DRAWBACKS: the secret PIN has the same nature as a password (something that the user knows) and could be discovered by an attacker. We suggest that you use this method only accompanied by another of the available methods.
BLOCKED PIN: for security reasons, if a user enters a wrong PIN five times during login, Mnemonica will block the authentication method. The user will be able to request a new PIN, and Mnemonica will email it after 24 hours. In the meantime, the user can use one of the other activated MFA methods to authenticate.
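The PIN lockout described above and the SMS throttle from the SMS method section, modelled as an added example that is not Mnemonica's own code: the constants carry the limits stated on this page (five wrong PINs block the method, a replacement PIN only after 24 hours, one SMS every 3 minutes), while the salted PIN hashing, the class names and the injected `now` clock are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

PIN_MAX_FAILURES = 5           # five wrong PINs block the method
PIN_RESET_DELAY_S = 24 * 3600  # a replacement PIN is emailed after 24 hours
SMS_MIN_INTERVAL_S = 3 * 60    # at most one SMS every 3 minutes


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Treat the PIN like a password: salted, slow hash (assumed design, not Mnemonica's)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PinMethod:
    def __init__(self, pin: str) -> None:
        self.set_pin(pin)
    def set_pin(self, pin: str) -> None:
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.failures, self.blocked_at = 0, None  # blocked_at: time of the block, None while usable

    def verify(self, candidate: str, now: float) -> str:
        """Return 'ok', 'wrong' or 'blocked'; a blocked method rejects even the right PIN."""
        if self.blocked_at is not None:
            return "blocked"
        if hmac.compare_digest(self.pin_hash, hash_pin(candidate, self.salt)):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= PIN_MAX_FAILURES:
            self.blocked_at = now
            return "blocked"
        return "wrong"

    def issue_new_pin(self, new_pin: str, now: float) -> bool:
        """A replacement PIN is only delivered once 24 h have passed since the block."""
        if self.blocked_at is None or now - self.blocked_at < PIN_RESET_DELAY_S:
            return False
        self.set_pin(new_pin)
        return True


class SmsMethod:
    def __init__(self) -> None:
        self.last_sent_at: Optional[float] = None
    def request_otp(self, now: float) -> bool:
        """Refuse a second SMS within 3 minutes of the previous one."""
        if self.last_sent_at is not None and now - self.last_sent_at < SMS_MIN_INTERVAL_S:
            return False
        self.last_sent_at = now
        return True
```

While the PIN method is blocked, the other enabled methods stay usable, which is why the lockout is kept per method rather than per account.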
Read this article to learn more about logging in with the PIN.