Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA)

by on ‎08-13-2015 09:39 AM - edited on ‎01-24-2018 11:58 AM by Community Manager (11,217 Views)
Labels:

 

In this article:

Overview

Multi-factor Authentication (MFA) is a privacy setting that allows you to verify user identity for controlling who can safely access your Tealium account. It works in conjunction with an authenticator app to verify login requests in two steps. When you attempt to sign into an MFA-enabled, you are asked to provide the following:

  1. Login credentials: The username and password of your account
  2. Security Code: A unique 6-digit token that is generated by the authenticator app on your smartphone.

If either authentication fails, you will NOT be allowed to sign into the account.

What you'll need

  • A smartphone: Currently, iOS, Android, and Windows are supported.
  • An authenticator App: MFA works in conjunction with third-party apps like Google Authenticator and Windows Authenticator to add a layer of protection over and above your password. These apps will generate single-use, 6-digit security tokens on your smartphone specifically for your account. Be sure to install one that is compatible with your smartphone platform.
  • A barcode reader app: If you have an Android device, make sure it has a built-in app for reading QR codes because you will need it when syncing the authenticator app with your account. This does not apply to iPhones.

How it works

MFA applies to you when it is enabled in your primary account and/or any other account that you are assigned to. Let's assume your primary account uses MFA and look at a few scenarios in which you will be prompted for a security token:

  1. You are signing in to Tealium iQ or the matching AudienceStream and Learning Community account.
  2. You are switching to an MFA-enabled account that you are assigned to but is not your primary account.
  3. You are trying to access an MFA-enabled account from Web Companion or Tealium Tools

How do I find my primary account?

Enabling or disabling MFA

This requires the Manage Accounts permissions; only an Account Admin has the permissions to toggle the setting.

How to enable

  1. In Tealium iQ, drop down the Account Admin menu by clicking on your name/email address in the top-right corner.
  2. Click on the Manage Password Policy.

    Account Admin menu

  3. Click on 'Enable MFA for this Account' then click Enable Multi-Factor Authentication .
  4. The status will change to 'Enabled'. Click on Update Password Settings to confirm.
  5. Next, you must re-log into your Tealium account and follow instructions to sync it up with the authenticator app.

    How to turn on MFA

    Enabled State.png

How to Disable

    1. Follow steps #1 and #2 above to access the MFA setting.
    2. Click on 'Disable MFA for this Account' then click Disable Multi-Factor Authentication .
    3. Confirm by clicking "Update Password Setting".

disable MFA.png

Disabled state.png

Installing the authenticator app

MFA accepts tokens from Google and Windows Authenticator apps only.

How to install Google Authenticator on Android/iOS.

How to install Windows Authenticator.

Setting up the app with your account

In order for the app to start generating tokens, it has to be hooked up with your MFA-enabled account. Ideally, you need to do this only once (except when your token is reset or you have a new device). Here's how to:

    1. Go to your MFA-enabled account and log in with the correct username and password.
    2. The Setup screen will appear. Select your smartphone platform, then click Next.

      NOTE: MFA does NOT support Blackberry. Please contact your primary account holder or Tealium Account Manager for assistance.

      MFA set up screen.png

    3. A barcode will appear. Scan it using a generic barcode reader app (see Troubleshooting tips) on your smartphone. This step will vary a touch depending on your smartphone platform.
      • Android: Tap on 'Set an Account', then select "Scan account barcode".
      • iPhone: Tap the plus icon and scan the barcode.

    4. Your app will generate the first token. Enter it in the text box next to Code, then click Verify and Save. A success message will pop up.

mfa-qr-code2.png

Signing into an MFA-enabled account

  1. Go to https://my.tealiumiq.com/.
  2. Enter your username and password.
  3. At this point, the autheticator app should already be installed and synced with your account. Open the app to receive the token.
  4. Enter the token in the MFA text field. If the token is incorrect or expired, the authentication will fail and you will be denied access.
  5. OPTIONAL: Check the 'This is not a public computer' box if you want Tealium to remember your token for 8 hrs. The token is preserved as long as you don't clear the browser history. This means you have to enter the token only once for that 8-hour period.

IMPORTANT: If your token is correct and you are still unable to sign in, please read the Troubleshooting tips or contact your Account Admin.

Logging in with MFA

 

 

Resetting MFA tokens for new devices

If you recently switched to a new smartphone, your existing token has to be reset. This will allow the authenticator app on your new device to generate fresh tokens. Resetting tokens will NOT disable the MFA setting itself.

 

You cannot reset your own MFA token. Only other primary users of your account who have the permssion to Manage Accounts are allowed to reset MFA.

Steps to reset

    1. Drop down the Account Admin and go to Manage Users (see User Administration).
    2. In the User Manager window, select the user for whom the token is being reset. Click on Edit/View User setting.

      user_manager_window.png

    3. In the user setting window, select MFA settings, then click Reset MFA Token.
    4. Close the window.
    5. The user, whose token you just reset, has to re-log into their account and re-sync the app.

reset_mfa_token.png

FAQs

Account and Users

1. How do I find my primary account?

This information can be found in your User Preferences settings.

  1. In Tealium iQ, click on your name/email in the top right corner to open the Account Admin menu.
  2. Under 'User Preferences', click on Edit/View user Settings. 

    user preferences menu.png

  3. The 'User Overview' screen will appear. Your primary account is displayed in the right panel.

primary account.png

2. Who can enable/disable MFA in my account?

Only an Account Admin is permitted to manage the setting. See the Manage Account Permissions article to learn more.

3. MFA was auto-enabled in my account on Feb 16, 2016? Can I disable it now?

Yes, but it is NOT recommended. Disabling it will remove the extra layer of protection that keeps your implementation safe from unauthorised users.

4. Besides Tealium iQ, which other Tealium products support MFA?

AudienceStream, Web Companion, and Tealium Tools.

5. My account has multiple profiles. Does MFA apply to all of them?

Yes

6. I am assigned to an account that is NOT my primary account. Will I need a token to access it?

Yes. Remember: you will be subject to MFA when signing into or switching to any MFA-enabled account—whether or not it is your primary account.

7. I am a member of Tealium Learning Community (TLC) only. Does MFA apply to me?

No. TLC-only users are NOT be subject to MFA.

Authenticator App and Security Tokens

NOTE: Tealium supports tokens only from Google and Windows app on iOS, Android and Windows phones.

 

1. How often do I have to enter my token?
Every time you sign in or switch to an MFA-enabled account OR you have cleared the cookies/cache from your browser's history.

2. How often should I set up the app to my account?
Ideally, only once after enabling MFA. However, if your token was reset or you signed in from a new device, you must set up the app again.

3. Does Tealium support MFA on Blackberry?

No. At this time, we only support iOS, Android, and Windows. You may however use the Autheticator Chrome extension to receive tokens from the browser. See How to use MFA without a smartphone

Troubleshooting Tips

Issue: Unable to scan the barcode when setting the authenticator app.

It is possible that your smartphone does not have a built-in barcode reader app, particularly if it is an Android device. If that's the case, then download and install a generic barcode reader app. Also make sure the app is designed to scan generic barcodes only, and NOT the mail barcodes you typically see on shipping labels.

Issue: Invalid 6-digit verification code when setting up the authenticator app.

If you encounter this error, the easiest thing to do is to start over. Go back to the login page and sign in with your username and password, then proceed to set up the app.

mfa-invalid2.png

Issue: Authenticator app has multiple entries of your synced accounts.

This happens when the same barcode is scanned multiple times. Simply, delete the unwanted entries and proceed to re-sync the app with your account.

duplicate entries.png

Issue: The token expired before you could enter it

Don’t worry. You can use the next one since most apps generate fresh tokens every few seconds. How long each token lasts will depend on the app you are using.

 

 You have tried everything but still unable to sync your authenticator app? In rare cases, there could be a timing issue on your smartphone, causing the sync to fail. Try this: go to your smartphone's time settings, turn off the automatic time settings, and exit the settings. Then, reopen the settings and set the time back to automatic. Finally, follow the steps to re-sync the app with your account.

Browser support for MFA

MFA is supported only on iPhone, Android, and Windows smartphones. If your smartphone is not one of them, you can use the Authenticator Chrome Extension to receive tokens from the Chrome browser. For more details, see How to use MFA without a smartphone

 

12 Comments (12 New)
Hide Comments
Comments
by john_mooney
on ‎02-10-2016 06:49 AM

Hi

Our MFA setting currently reads "Not Enabled".  Will this remain that way after Feb 16th rollout?

 

   tealium_mfa_not_enabled.JPG

 

by
on ‎02-10-2016 07:11 AM

Here is a helpful link if you encounter issues installing Google Authenticator: https://support.google.com/accounts/answer/1066447?hl=en

by
on ‎02-10-2016 07:13 AM

@john_mooney If you have not explicity opted out of MFA, that setting will be updated to Enabled on February 16th, 2016.

by john_mooney
on ‎02-10-2016 07:20 AM

That's what I was curious about.

 

How would we explicitly opt out prior to the 16th if we chosse to?

 

 

 

by Community Manager
on ‎02-10-2016 10:04 AM

@john_mooney You have to enable it, save, then immediately disable it and save again.

by john_mooney
on ‎02-10-2016 11:42 AM

Thanks for the info

by lukas_teply
on ‎02-11-2016 05:02 AM - last edited on ‎02-11-2016 11:29 AM by Community Manager

Hi @TealiumJustin, is it live yet. Can we get a QR code now or will it be rolled out on February 16th? 

by Community Manager
on ‎02-11-2016 11:59 AM

 @lukas_teply This feature has been available since last year. On Feb 16th it will be automatically enabled. More info:

https://community.tealiumiq.com/t5/Community-Orientation/IMPORTANT-Multi-factor-Authentication-for-T...

by lukas_teply
on ‎02-12-2016 12:53 AM - last edited on ‎02-12-2016 10:55 AM by Community Manager

Hi @TealiumJustin, thanks. I know but yesterday we enabled it but unfortuantely no QR code was shown to us. Even when I logged out and logged in again. Any thoughts? Thanks!

by CPTCOL
on ‎02-12-2016 12:21 PM

I got today first e-mail about this implementation and the enablement should by the customer and not in an automatic way...

by Community Manager
on ‎02-12-2016 12:37 PM

Hello @CPTCOL. Could you repeat your question for me, please? I did not understand it the first time. Thank you. 

by
‎02-12-2016 01:47 PM - edited ‎02-12-2016 03:28 PM

@CPTCOL

 

We will auto-enable MFA ONLY if it was never enabled in your account before Feb 16, 2016. Your Account Admin will still have the ability to deactivate it anytime before or after then. 

 

If you wish to opt out before Feb 16th, you may briefly enable then disable MFA. Here's how to:

 

1. Install Google Authenticator app in your smartphone. (instructions here)

2. Log into your Tealium iQ account and enable MFA. Only your Account Admin can access the setting.

3. Log out and re-log in, during which you will asked to sync the app on your smartphone with your account.

4.  Follow the steps to sync up. Enter the token and sign in.

6. Then disable MFA. We will not automatically re-enable it.

 

Hope that helps.

Thanks