Multi-Factor Authentication (MFA)

Paige Freeman, updated March 27, 2025 15:47

Multi-Factor Authentication (MFA) is a security mechanism that strengthens the protection of user accounts by requiring two or more forms of verification before granting access. PCI 4.0.1 now requires MFA for staff users to meet security compliance standards. Personify will be supporting MFA with email-based authentication for the Web Client, Web Admin, and Desktop applications.

Personify's MFA solution includes:

- MFA verification screen – Users must enter the correct User ID and Password to reach this step
- MFA verification email with verification code – Users must have an email address to receive the verification code
- Ability to resend a new code if the user does not receive the code or if the code has expired
- Informational error messages for invalid and expired verification codes

Staff users must have an email address configured on the PSM User Setup screen to log in using MFA. Shared/group email accounts won't work; each staff user must have a dedicated email account. If a user does not have an email address configured, they will receive a message stating that they must contact their administrator to resolve the issue before they can log in. Clients should make sure all users have an email address configured before MFA is implemented.

Users who enter the correct User ID and Password will be routed to the MFA screen. Upon successfully entering the correct User ID and Password, the MFA verification screen displays and a verification email containing a one-time-use verification code is sent to the user's email address. The verification code is six (6) digits and expires in ten (10) minutes. The user must enter the code in the Verification Code field and then select Verify to log in.

If the user does not receive the code or if the code has expired, they can select Resend Code to send a new verification code to their email address. If the user enters the wrong code into the Verification Code field and then selects Verify, an "Invalid Verification Code" message will display. If the user enters the correct code but it has expired, an error message will display.

The Desktop application functions the same way as the web client.

MFA Remember Device

After a successful login, the MFA verification is remembered for 30 days by default. With this setting, a user who logs into the system from multiple computers or from different web browsers will be prompted for MFA once every 30 days, per computer per web browser. This value is set on the MFA Configuration settings page within Web Admin. Clients can submit a ticket to request changes to this value, up to a maximum of 30 days.

Multi-Factor Authentication Application Parameters

LOCK_USER_ACCOUNT_AFTER_ATTEMPTS – The number of unsuccessful login attempts allowed before an account is locked. These attempts include password verification as well as pass code verification. The default value is 6.

USER_ACCOUNT_LOCKOUT_DURATION – The amount of time (in minutes) that the user is locked out of their account after exceeding the number of allowed login attempts. The default value is 30 (minutes).

Lockout is per user per database per environment. The counter tracks continuous failures (any success resets the counter). After the lockout duration has elapsed, the lockout counter resets.
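The following is an added example, not Personify's code, that models the verification policy described above (six-digit code, ten-minute expiry, "Invalid" versus "expired" outcomes, a 30-day remember-device window, and lockout after six continuous failures for 30 minutes) so the interactions between the parameters can be checked. The `MfaUser`, `issue_code`, `verify_code` and `device_remembered` names are assumptions for this model; in the real product, failed password checks would feed the same failure counter as failed code checks.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Parameter values as the article states them (constructed model, not Personify code).
LOCK_USER_ACCOUNT_AFTER_ATTEMPTS = 6       # continuous password + code failures
USER_ACCOUNT_LOCKOUT_DURATION = 30 * 60    # lockout length in seconds (30 minutes)
CODE_TTL = 10 * 60                         # verification code lifetime (10 minutes)
REMEMBER_DEVICE_TTL = 30 * 24 * 60 * 60    # remember-device window (30 days)


@dataclass
class MfaUser:
    email: Optional[str]                   # must be a dedicated, per-user address
    failures: int = 0                      # continuous failures; reset on success
    locked_until: float = 0.0              # epoch seconds; 0 means not locked
    code: Optional[str] = None             # outstanding one-time code, if any
    code_expires: float = 0.0
    remembered: Dict[str, float] = field(default_factory=dict)  # device -> expiry


def issue_code(user: MfaUser, now: float) -> str:
    """Create a six-digit one-time code; also what 'Resend Code' would call."""
    if not user.email:  # no address configured: user must contact an administrator
        raise PermissionError("no email configured for this user")
    user.code = f"{secrets.randbelow(1_000_000):06d}"
    user.code_expires = now + CODE_TTL
    return user.code


def verify_code(user: MfaUser, submitted: str, device_id: str, now: float) -> str:
    """Return 'locked', 'invalid', 'expired' or 'ok' for one click on Verify."""
    if now < user.locked_until:
        return "locked"
    if user.locked_until:                  # lockout has elapsed: counter resets
        user.locked_until, user.failures = 0.0, 0
    if user.code is None or not hmac.compare_digest(user.code, submitted):
        user.failures += 1
        if user.failures >= LOCK_USER_ACCOUNT_AFTER_ATTEMPTS:
            user.locked_until = now + USER_ACCOUNT_LOCKOUT_DURATION
        return "invalid"
    if now > user.code_expires:            # right code, but older than ten minutes
        user.code = None
        return "expired"
    user.code, user.failures = None, 0     # single use; success resets the counter
    user.remembered[device_id] = now + REMEMBER_DEVICE_TTL
    return "ok"


def device_remembered(user: MfaUser, device_id: str, now: float) -> bool:
    return user.remembered.get(device_id, 0.0) > now
```

Note that a correct-but-expired code does not advance the failure counter in this model, since the page lists it as a separate informational error rather than an invalid attempt.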