Multi-factor Authentication

Using Multi-factor Authentication adds an extra layer of security to your account, in case someone is able to obtain your username and password. Ardexa supports multi-factor authentication via one-time-passwords provided by Google Authenticator, Microsoft Authenticator or other compatible mobile apps. Once it is enabled on your account, you will need to enter your email and password, plus a six-digit one-time password generated by your authenticator app to log on to the Ardexa Cloud.
Enabling multi-factor authentication is highly recommended for users with a high level of privileges in a workgroup (Workgroup Owners, users with Control Devices or Tunnel permissions) as it vastly improves security on your account.
If not enabled, malicious actors only need to acquire your email address and password to gain access to the Ardexa Cloud, which will grant them access to any Ardexa agents that you can access.
Workgroup owners can opt to mandate that users in their workgroup enable Multi-factor Authentication on their accounts. Once mandated, all users with access to the workgroup must enable Multi-factor Authentication on their next login to access the Ardexa Cloud.

Mandating Multi-factor Authentication

Workgroup owners can go to the Users tab (Admin -> Access -> Users) to mandate Multi-factor Authentication for all users with access to their workgroup. Once a user is subject to a mandate, they must enable Multi-factor Authentication on their account the next time they log on to the Ardexa Cloud.

Enabling Multi-factor Authentication

To enable Multi-factor Authentication voluntarily, you can go to User -> My Profile page -> Profile tab and press the "Enable Multi-factor Authentication" button:
Enabling Multi-factor Authentication via the User Profile page
If a workgroup owner in one or more of your workgroups has mandated Multi-factor Authentication, you will be prompted to enable it on your account after logging in with your username and password:
After logging in, this message will be displayed if you need to enable Multi-factor Authentication due to a workgroup mandate
After opting to enable Multi-factor Authentication, a wizard will guide you through the process. The main steps are:
  1. 1.
    Generating a QR code containing a Multi-factor Authentication secret, which can be scanned by your authenticator app.
  2. 2.
    Entering a code generated by the new authenticator entry. Note:
    1. 1.
      If you get stuck at this step, you can re-start the process and generate a new QR code
    2. 2.
      Once this step is completed, Multi-factor Authentication will be required for all future login attempts
  3. 3.
    Once your authenticator has been confirmed successfully, you will be presented with a 32-character Multi-factor Authentication recovery code. Please store this securely as it can be used to circumvent Multi-factor Authentication on your account. We recommend printing it out and storing in a physically secure place, or saving in a password manager.

Recovering Multi-factor Authentication

If you lose access to your authenticator app/device, you can enter a Multi-factor Authentication recovery code after logging in with your username and password. When prompted for a Multi-factor Authentication code, click the Use Recovery Code button:
Then enter your recovery code when prompted and click Submit.
If successful, you will need to re-enable Multi-factor Authentication immediately to access your account.
If you get stuck, or don't have access to the new device you would like to use for Multi-factor Authentication, don't panic. Your recovery code can be used multiple times, until you successfully re-enable Multi-factor Authentication on your account and generate a new recovery code.
Note: Earlier versions of our Multi-factor Authentication implementation issued six single-use recovery codes. These codes can still be used if you have not generated a new, single recovery code on your account.
If you have issues enabling a new MFA device after using a recovery code and need to retry, you will need to use a different recovery code
If you have an original set of recovery codes, Ardexa recommends generating a new, single recovery code as described below.

Generating a Recovery Code

If you lose your recovery code or were not issued one when enabling Multi-factor Authentication on your account, but still have access to your MFA device, you can generate a new recovery code on the User Profile page:
Generating a new recovery code via the User profile page
After clicking this button, you will need to enter a valid one-time-password from your authenticator in the dialog and click Generate. If the code was valid, a new recovery code will be displayed. This new recovery code replaces any previous recovery code(s) that were active on your account. Please remember to store it securely.

Disabling Multi-factor Authentication

If you need to disable Multi-factor Authentication on your account, you can do so via the User profile page:
  1. 1.
    Click the "Disable" button in the Multi-factor Authentication section, as shown above
  2. 2.
    Enter a valid one-time-password from your authenticator
  3. 3.
    If the code was correct, multi-factor authentication will be disabled on your account.
Note: if you are subject to a Workgroup-level Multi-factor Authentication mandate, you will still need to re-enable Multi-factor Authentication the next time you log on to the Ardexa Cloud.

Problems? Contact Ardexa Support

If you have issues recovering access to your account due to a lost recovery code, please contact [email protected] To minimise the risk of scamming, we also advise contacting your Workgroup Owner and/or Ardexa Account Manager so we can confirm your identity and situation with them before disabling Multi-factor Authentication on your account.
Due to these extra precautions we cannot guarantee timely access to your account if it needs to be manually recovered. Correctly storing and using a recovery code is strongly recommended by Ardexa.