Pyramid offers Multi-Factor Authentication (MFA) as an out-of-the-box feature where relevant and appropriate. MFA is one of the ways to greatly improve security on any application.
Its availability and applicability is influenced by both the chosen authentication provider and method:
- Pyramid's internal MFA capability can only work if FORMS are used as the authentication method
- The capability does NOT work when using Single-Sign-On (SSO) authentication providers and / or techniques (like SAML, OpenID or Windows Authentication)
As such, the built-in MFA option only works for Internal authentication (database), LDAP, or Active Directory when used with forms (not Basic or Windows Auth). Instead, the third party MFA options should be enabled when using external provider for SAML, OpenID (and other cloud-hosted Active Directory solutions).
Note: this feature is available with an Enterprise license only.
How MFA Works
Pyramid's multi-factor authentication uses Time-based One Time Passwords ("TOTP") - which prompts an enrolled user to put in a machine generated key to login to Pyramid. This unique key is generated by special applications (usually on the user's Smart Phone) and changes every 30 seconds. The user is then asked to login with their standard credentials (username and password), together with the 6-digit TOTP code.
Why is MFA more secure
MFA ensures that even if a user's username and password are stolen, access to Pyramid is blocked without the independent security code from the authenticator app. This code changes regularly, so it has a short lifespan before it is useless. Admins also have the ability to reset the MFA token associated with a given user, further ensuring that if the authenticator app is compromised, the access can be centrally blocked.
MFA vs Mobile Device ID Check
The MFA capability in Pyramid is independent of the device ID check performed on all mobile connections to Pyramid. Both deliver a two-factor authentication model ensuring that the user needs to know and have something to log into the application.
Enabling MFA
Admins enable MFA in the web services panel. Here, they can turn it on for the entire system if forms is being used on all web servers, or for each individual web server (as needed). Importantly, this item will have no effect if users authenticate and access the system via an SSO authentication framework (SAML, OpenID etc).
TOTP Authenticator Apps and Enrollment
Users need to first download an authenticator app - typically to their smart phone. Both Microsoft and Google have free 'authenticator' apps for both Android and iOS.
Once MFA is enabled, the first time a user logs into Pyramid, they will be asked to enroll into the MFA engine by scanning a QR code into their authenticator app. The app will immediately add a new key into the app and respond with a 6 digit code. Users will then be prompted to supply this 6-digit code every time they log into Pyramid. Key things to note:
- The code changes every 30 seconds.
- The TOTP system is based on time. So admins need to ensure that the time stamp on servers is perfectly sync'ed with world time
- If a user loses their authenticator access, their MFA token can be reset in the user admin tools. This will force the user to re-enroll the next time they login.
- The TOTP prompt will not appear unless the user's access token into Pyramid has expired or does not exist. Admins can ensure tokens expire regularly by setting a cookie timeout in Client Security settings.
Resetting MFA tokens for Admin Users
The System Maintenance Tools are available for admin users as a fail-safe in case their own MFA tokens are corrupt or lost.