To provide an extra layer of security, we recommend that organizations enable multi-factor authentication (MFA) for Smartabase. If MFA is enabled, you will be required to verify your identity by providing a randomly generated code. This helps to keep your account secure in case your password is stolen.
If MFA is enabled for your Smartabase site or for your role, you’re required to authenticate certain actions (such as logging in or updating your account) by providing a code. You can choose which method you want to use to complete this step:
- You can receive an SMS with a six-digit code.
- You can receive an email with a six-digit code.
- You can set up an authentication app (like Google Authenticator, Microsoft Authenticator or Authy) to automatically generate six-digit codes.
If you have not previously selected your preferred multi-factor authentication method, you will be prompted to do so the first time you log into Smartabase. Depending on the settings applied to your role and your Smartabase site, you may be limited to specific methods. During the set-up process, you can change your account email address and add or edit a mobile phone number to ensure your contact details are correct.
Once logged into Smartabase, you can change your preferences in your user account page. If you change your preference to a method that you haven’t used previously, you will be guided through the set-up process the next time you are required to authenticate your account.
If your MFA preference is changed, either by you or an administrator, you need to log in using your previous preference one last time before using the new method. For example, if you previously used SMS but your preference has changed to Authenticator app, you will need to verify your account once more using SMS, which will then prompt you to set up an authenticator app to be used when next logging in.
Authentication via SMS or email
If you want to authenticate via SMS (text message) or email, it’s important that you take care with several things:
- Ensure that your phone number is up to date in Smartabase, including checking that it is set to Mobile.
- Ensure that you have access to your phone and it has the ability to receive text messages and emails, especially when you’re travelling or in an area with poor mobile reception.
- Ensure that your email address is correctly recorded in your Smartabase account and that you have access to your email.
When you get a code from Smartabase via email, the email will be sent from firstname.lastname@example.org.
Authentication via authentication app
If you want to authenticate using an authentication application, you’ll need to follow specific steps to get it set up. However, once set up, this is a very reliable way of making sure that you’re able to complete Smartabase authentication. Anyone who uses more than one Smartabase site (for example, when your organization uses an enterprise Smartabase system with multiple sites on one server) needs to set up authentication for each Smartabase site. In this case, you would follow the second set of steps below once for each Smartabase site you use which requires multi-factor authentication. Once you’ve set up your authentication app, you can change your MFA method to email or text message and this will allow you to receive the MFA code via email or text message and the authenticator app.
Get an authentication application
- Using your mobile device, go to the App Store (for iOS devices) or the Play Store (for Android devices).
- Search for and locate a reputable authentication application, like Google Authenticator, Microsoft Authenticator or Authy.
- Install the authentication application on your mobile device.
Choose the authentication app option during the MFA set-up process
- Select that you want to use an authentication app to generate codes.
- Use your authentication app to scan the QR code.
If you cannot scan the QR code, you can manually set up your authentication app using the MFA key shown below the QR code. To manually set up Google Authenticator:
- Select the plus icon to add a new account.
- Choose the manual entry option.
- Provide a name for the account. This does not need to be your Smartabase username, but we recommend naming the account something that tells you where you’ll be using the code generated for this account.
- Enter the multi-factor authentication key from your Smartabase account. This isn’t case sensitive so you can put it in using upper or lowercase letters.
- Ensure that the time-based setting is activated.
- Select the tick icon to save your account.
- When you return to the Google Authenticator home screen, you should see a six-digit code that is periodically refreshed.
Use a multi-factor authentication code in Smartabase
Depending on how your Smartabase site is administered, you may need to authenticate each time you use Smartabase for certain actions or periodically (for example, once a month). Authentication is done on a device-by-device basis, so if you’re using two devices, such as a computer and a phone, you’ll need to authenticate them separately. Any time you need to authenticate your Smartabase account, you’ll need to enter a code.
- If you are using the email or text message method, enter the code you receive into Smartabase.
- If you are using the authentication app method, open the app on your mobile device and enter the code it displays into Smartabase.
Note that the codes used by both methods expire within a short time period and each code can only be used once. Once you’ve authenticated a Smartabase account using a particular device, it’ll appear on the list of registered devices shown in the administration site.
When you first set up MFA, you’re provided with four backup codes. You should use a backup code if you can’t receive an MFA code because you don’t have access to your usual authentication method (for example, your phone battery is flat). Each code can only be used once.
If you need to use a backup code, there’s a button on the MFA screen.
Once a backup code is used, you should remove it from your saved list. Note that because the backup code is for single use only, logging in with one does not register your device. On your next login, you will either need to use your usual authentication method to enter an MFA code or use another backup code. If you have used most of your backup codes or if you have not saved a copy of your backup codes, you should generate new backup codes by navigating to the account page and selecting the Generate new MFA backup codes button. Keep a copy of your new backup codes in a safe place.
If you are unable to receive an MFA code and you can’t use your backup codes, an administrator can access a backup code for you. Administrators only have access to one single-use code per person and cannot regenerate codes. We recommend that you refresh your backup codes via your account page immediately after an administrator provides you with a code, then store them somewhere safe. This process will also regenerate the backup code for administrators.