Two-Factor Authentication (2FA)
Two-factor authentication (2FA) adds an extra layer of security to an individual account by requiring a one-time code, in addition to the password, at each login.
Introduction
Two-factor authentication gets its name from requiring two things from a user before they are authenticated. The first is something they know and the second is something they have. The account password is something they know, and a phone (or other device) is something they have.
Typically, a mobile phone app is installed and configured to generate a new 6-digit code every 60 seconds. The code-generating process stays in sync with the server automatically and the codes are unique to each individual. This means that if the user can provide the right code at the right time, the login process can be assured that the person filling out the form is indeed the account owner and not just someone who happens to know the account password.
There are a variety of free mobile apps and commercial password managers that can produce the required 6-digit codes. We call them authenticator apps and we recommend you try Authy, Google Authenticator or 1Password.
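The following is an added illustration of the time-based code mechanism described above; it is not code from the site or from any of the authenticator apps named. It assumes the standard HOTP/TOTP construction (RFC 4226 / RFC 6238, HMAC-SHA1, 6 digits) with the 60-second period this page describes (many deployments use 30 seconds; the period is a parameter), and shows the server-side check a practitioner would want: a small tolerance window for clock drift, a constant-time comparison, and rejection of a code that was already accepted.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Assumed parameters (not taken from the page's implementation, which is not shown).
DIGITS = 6
PERIOD = 60  # seconds per code, as stated on this page; RFC 6238 examples use 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP whose counter is the number of whole periods since the Unix epoch.
    The app and the server each compute this from their own clock, which is what keeps
    them in sync without any network connection."""
    return hotp(secret, at // period, digits)


def new_secret_base32() -> str:
    """Create the per-account shared secret the server shows as a QR code / setup code."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def verify(secret_b32: str, submitted: str, at=None, period: int = PERIOD,
           window: int = 1, last_step: int = -1):
    """Server-side check of a submitted code.
    Accepts the current time step and `window` neighbouring steps to absorb clock drift.
    Returns the accepted step number, or None. Persist the returned step and pass it back
    as `last_step` on the next login so a captured code cannot be replayed within its window."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    secret = base64.b32decode(secret_b32.upper())
    now = int(time.time()) if at is None else at
    base = now // period
    for step in range(base - window, base + window + 1):
        if step <= last_step:
            continue  # already used (or older): refuse replay
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None
```

The assertions below use the RFC 4226 test secret "12345678901234567890" (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) with a 30-second period so the known vectors apply.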
Enabling 2FA
Only an account holder can enable two-factor authentication for themselves, as it requires a second device, one they will keep with them at all times. The device is typically a smartphone but it can also be a tablet or computer.
To enable 2FA on your own account, follow these steps:
- Log into the site.
- Go to your personal Account Settings (select your profile image to locate the option).
- Scroll down to the Security section.
- Enable the Two-Factor Authentication switch.
- If you haven't done so already, install an authenticator application. We recommend using Authy, Google Authenticator or 1Password.
- Open the authenticator application and add a new account (e.g. press +).
- When prompted, choose to scan the QR code which appears on screen. You can alternatively enter the setup code manually.
- Once added, the authenticator application will start generating a new 6-digit code every 60 seconds.
- Enter the current code to prove you have completed the setup properly.
The Account Settings page will now show the Two-Factor Authentication switch in the Enabled position. The next time you log in, you will be asked for the current 6-digit code.
Enforce 2FA by User Role
Analysts can enforce the setup and use of two-factor authentication for entire user roles (i.e. Analysts, Moderators, Clients and participants).
We do not recommend enforcement of 2FA for the participants role unless they are all familiar with the concept of two-factor authentication.
To enforce 2FA for an entire role:
- Enter the Site Administration area.
- Select Settings: Account Settings.
- Scroll down to the Two-Factor Authentication section.
- Flip the switch next to each role that should be forced to set up and use two-factor authentication.
Once 2FA is enforced, the impacted users will be guided to set up two-factor authentication upon their next visit. These users will not be permitted to enter the site until 2FA is fully set up and verified. In case assistance is required, the setup page includes a link to the Support Contact Email defined in Basic Settings.
Enforce 2FA for an Individual User
To enforce the setup and use of two-factor authentication for an individual user:
- Enter the Site Administration area.
- Go to either the Panelists or Admins section.
- Locate the desired account and select it.
- Scroll down to Two-Factor Authentication.
- Flip the Enforced for user switch.
Once 2FA is enforced, the impacted user will be guided to set up two-factor authentication upon their next visit. The user will not be permitted to enter the site until 2FA is fully set up and verified. In case assistance is required, the setup page includes a link to the Support Contact Email defined in Basic Settings.
Disabling 2FA
Two-factor authentication can be disabled by a user on their own as long as the security feature is not being enforced for that individual or their role. Alternatively, an Analyst can disable 2FA for any user via the Site Administration area.
To disable 2FA for your own account, access your personal Account Settings (as described above for enabling 2FA) and disable the Two-Factor Authentication switch. You will be required to input the current 6-digit code from the authenticator app as a safety precaution.
To disable 2FA for someone else, you must enter the Site Administration area as an Analyst. Go to either the Panelists or Admins area and locate the desired account. Once selected, scroll down to Two-Factor Authentication and flip the Enabled switch to its disabled state. Note that you will not be able to turn it back on for them; only the user can re-enable it from their own Account Settings, since that requires their device.
If 2FA is being enforced for the entire user role, the user will be prompted to re-enable 2FA upon their next visit. To truly disable 2FA for such users, you must also select Override: Do not enforce as shown below: