Here is a list of FAQs that will provide helpful information about Multi-Factor Authentication (MFA).
General Questions about MFA
Q: What is multi-factor authentication (MFA)?
A: Multi-factor authentication (MFA) is a security measure that requires users to provide multiple forms of verification, rather than just a password, to gain access to a system or account. Instead of just one credential, MFA asks for a combination of what the user knows (like a password), what the user has (like a phone or security token), and/or what the user is.
Q: What is the difference between Multi-factor authentication (MFA) and two-factor authentication (2FA)?
A: 2FA is considered a specific type of MFA where only two factors are used for verification; however, MFA can involve more than just two factors, making 2FA a subset of MFA. GrowthZone will refer to our implementation as MFA. Technically, we are only offering two factors, but MFA is a well-known term often used as an umbrella term to represent both 2FA and MFA.
Q: What types of authentication factors are there?
A: There are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). GrowthZone has a password (something you know) and now will require an authenticator app (something you have).
Q: What is an authenticator app?
A: Authenticator apps are a multi-factor authentication (MFA) method you can use to protect your online login credentials. MFA verifies that you're the one logging into your online accounts. It secures your accounts with something physical that's with you, like your mobile device. It's harder for a hacker to get hold of those things than it is to get your username and password combination from the dark web.
Q: What is the basic concept behind how an authenticator app works?
A: An authenticator app is a program (app) that you install on your phone, tablet, other mobile device, or computer. Authenticator apps will generate time-based, one-time passcodes (TOTP or OTP), which are usually six digits that refresh every 30 seconds. Once you set up MFA, just type the code you see in your authenticator app into the secured login page. "Time-based" means the code is only valid for a short time (usually under one minute), making it hard for anyone to steal your code and log into your accounts.
*Some of the above answers were supplemented with information from PCMag.com.
GrowthZone MFA Setup
Q: What authenticator apps do you support?
A: GrowthZone supports common authenticator apps available, such as the Google Authenticator app and Microsoft Authenticator app, as well as almost any other authenticator apps of your choosing. No special app is required.
Q: I’m new to this. Can you point me to an exact location in the app store where I can download these apps?
A: Yes, here are the current links to two of the most common authenticator apps. Google Authenticator (Android, iOS), Microsoft Authenticator (Android, iOS), or pick one of your choice.
Q: How do I know if my device will work with an authenticator app?
A: Most devices are compatible and will work. To know if your device will work, the best thing to do is download the app and then walk through the setup steps (See KB article). When you get to the step where you are supposed to scan the QR code with your device, you’ll learn that your device is compatible if the QR code scans. If the code will not scan, that means your device is not compatible. You’ll need a different device.
Q: What if I don’t have a device (phone or tablet) that I can use for this?
A: The best practice is to have a separate device, like a phone or tablet, where you install the authenticator app. But if you do not have access to a phone or tablet, there are browser-based authenticator apps. Having your authenticator in the browser diminishes the security compared with having it on a separate device. For instance, if someone gets access to your computer, they have access to your MFA code as well. If it is on a separate physical device, the attacker not only needs your login and password, but they need your device as well.
Q: Can I install an authenticator app on more than one device?
A: Yes. You can install the same or different authenticator apps onto different devices. For example, one for your phone and a different one on a tablet at home. Just keep in mind that the more devices you have the app installed on, the more opportunity for a bad actor to get hold of that device and use it to get into GrowthZone.
Q: Will an MFA be required by my members?
A: No. MFA is only required for GrowthZone association staff users.
Q: Is there an option to have an email or text message sent with my access codes?
A: No. Using an authenticator app is the only option available. Common feedback in the security world is that using an authenticator app provides a higher level of authentication security over SMS or email.
Q: The option says “Trust this computer for 30 days”. Can I change the number of days to a different value?
A: No, this value is configured at 30 days for all customers.
Q: Why does it not let me type any numbers when I click into the field where I’m supposed to enter my authentication challenge?
A: Check your Num Lock key. If the Num Lock key is turned off, then you will not be able to type any numbers into the field. In any case, make sure you are typing numbers into that field. Then it should work for you.
Q: The 6-digit code that appears in my authenticator app shows a space after the first 3 numbers. Do I enter that space into the verification code field?
A: No. The 6 digits should be entered without any spaces.
Q: We have multiple staff people who use the same login name/password. How will MFA work for us?
A: Best practice would be that you do not share login/password; each user should have their own login/password. If that is not possible, or if necessary for an interim time period, you will need to each download an authenticator app. Then, when you log in, you’ll each be able to use your app to authenticate.
Q: Our association staff each has a unique login name, but we share the same email address. You can see the email address for each of us under Staff Setup. Will MFA work for us?
A: No. A unique email address must be assigned to each login account. If your database contains one or more logins where a single email address is shared among multiple login accounts, MFA will not be available to accounts in your database yet. Stay tuned. You’ll be notified when it becomes an option for you.
Q: We’ve understood that each staff person must have a unique email address assigned to them under Staff Setup in order to have an option to set up MFA. If we get a unique email address set up on each staff account, can you make MFA available for us?
A: Yes. That is great. If you want to get each staff person to have a unique email address under Staff Setup, and then let us know, we can then get your database enabled to allow MFA setup. Thank you for your proactive effort.
Q: Our association works with multiple GrowthZone databases, and we use the “Switch Accounts” option in the Account menu. Will I need to set up MFA in each database (tenant)?
A: No. You’ll only need to set up MFA once in one of your databases, and it will apply to each of your databases.
Recovery Codes
Q: What are Recovery codes? Why do I need them?
A: Recovery codes are a backup for you to enter into the Authentication Challenge field if you lose your device or don’t have it handy. GrowthZone provides 10 recovery codes the first time that you set up MFA. Once you use a recovery code, it is no longer valid. Once all 10 recovery codes are used up, you’d want to reset or delete your MFA and set it up again to get 10 new codes.
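The single-use behaviour described above, as an added example that is not GrowthZone's code: a server-side store issues ten random recovery codes, keeps only salted hashes of the unused ones, ignores spacing, dashes and case when a code is typed back, and removes each code the moment it is redeemed, so a used code never works again and a fresh set must be issued once all ten are gone. The "XXXXX-XXXXX" code format is an assumption for the demo.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10  # the FAQ issues ten codes at setup


def normalize(code: str) -> str:
    """Ignore spaces, dashes and case so a printed or retyped code still matches."""
    return code.replace(" ", "").replace("-", "").upper()


def _digest(code: str, salt: bytes) -> bytes:
    # Codes carry 40 bits of fresh entropy, so a salted SHA-256 is enough; never store plaintext.
    return hashlib.sha256(salt + normalize(code).encode()).digest()


class RecoveryCodeStore:
    """Server-side record for one user: only salted hashes of unused codes are kept."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.unused: set[bytes] = set()

    def issue(self) -> list[str]:
        """Replace any old set with ten fresh codes; the plaintext is shown to the user once."""
        codes = []
        for _ in range(CODE_COUNT):
            raw = secrets.token_hex(5).upper()  # 10 hex chars (assumed format)
            codes.append(f"{raw[:5]}-{raw[5:]}")
        self.unused = {_digest(c, self.salt) for c in codes}
        return codes

    def remaining(self) -> int:
        return len(self.unused)

    def redeem(self, submitted: str) -> bool:
        """Consume a code: valid exactly once, then removed. Returns False when none match."""
        d = _digest(submitted, self.salt)
        for stored in self.unused:
            if hmac.compare_digest(stored, d):
                self.unused.discard(stored)
                return True
        return False
```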
Q: Where do I enter a Recovery code?
A: A Recovery code can be entered at any place where you are asked to enter a verification code.
Q: What if I didn’t get my Recovery codes copied or downloaded? What can I do?
A: Recovery codes are only accessible when you initially set up your MFA. So you’ll need to reset your MFA and start over again and get a new set of recovery codes.
Q: How do I reset my MFA?
A: Log in to GrowthZone and go to the Multi-factor Authentication option in the upper right-hand Account Menu. Select the … (ellipsis menu) next to the first authenticator instance. Select Delete. Enter a verification code from your authenticator app. Delete your Authenticator app. Then go back to the menu Multi-factor Authentication and set up MFA again. This time, make sure to copy or download the codes.
After MFA is Set Up
Q: I lost my device that had my authenticator app on it. What do I do now?
A: If you saved off your recovery codes to a file or printed them out, you can enter one of those codes instead of the verification code on the Authentication Challenge screen. If you don’t have those, the other option is to contact another staff person at your association who has an MFA setup. Reach out to them with your predicament. Ask them to reset your MFA.
Q: Can I reset my MFA and start over?
A: Yes. If you are logged into GrowthZone, access Multi-factor Authentication under the upper right-hand Account menu. Select the … (ellipsis menu) next to the first authenticator instance. Select Delete. Enter a verification code from your authenticator app. Do the same for any additional authenticator instances in the list until all instances are deleted. Then your MFA will be reset, and you can set up your MFA again.
Q: Is there someone who can reset my MFA so I can start over?
A: First, check to see if you have your recovery codes available. Use one of those instead of a verification code to get into GrowthZone, if possible. As an alternative, another staff person at your association who has an MFA setup is able to reset your MFA. Reach out to them with your predicament. Ask them to reset your MFA.
Q: A co-worker left our association but had MFA Setup. How do I get access to that account?
A: If you are a staff person who has admin permissions to the Staff Setup area and you have MFA set up for yourself, then you will have the ability to reset the MFA of that co-worker and can end up back in control of that login.
Q: The administrator of the database left, and no one else has access to the Staff Setup area. What do I do now?
A: For cases just like this, it is always best if there are at least two people who have admin permissions to the Staff Setup area. If no one else has access at all, the only option is to contact GrowthZone support. They will follow a list of requirements to validate that you should be granted access. After that is completed, they will work with you to grant access to another user. Then, the cleanup of the other account can occur.
Q: I let my GrowthZone login screen sit on-screen overnight. Why do I have to refresh the screen in the morning before I can get logged in?
A: There is a 60-minute activity timer on the login screen. The OIDC login that is used creates tokens/cookies immediately. Those tokens/cookies could be captured in transit and used against you. More identifying information would be needed, but it is best to keep that information usable only for a reduced time period to minimize the chances that someone would use it to break in. The tokens reset, so an attacker would have to start over again; that is why we put an activity timer on it. It gives a hacker a shorter window to get in.
SSO, SAML, OIDC, 3rd party identity providers
Q: I am a customer who logs in on my own custom URL using an SSO link. I use that third party as my identity provider. What do I need to do?
A: Continue logging into your identity provider as you always have done. We will be reaching out to your association individually if there are any changes that need to be made.
Q: Our members are set up to log in using SSO to a third-party provider; however, our association staff log in at growthzoneapp.com and do not log in to any other provider, just GrowthZone. Can I set up MFA?
A: No, not at this time. We will be reaching out to your association individually to get your association staff set up. Enabling MFA will not be possible for you during this initial rollout. Stay tuned.
Interaction with other products/processes
Q: I use QuickBooks Online and other integrations like Constant Contact or Zoom connection. Will those continue to work?
A: Yes, those integrations are connected through a secure API that authenticates in a different manner. MFA will not change how that works.
Q: How will this affect my use of the GZ Staff app?
A: The original login will continue to work as-is. If you change your password in GZ, then you'll have to use the “Magic Link” in order to get logged in on the staff app going forward. But improvements are in progress for an updated staff app, and MFA is part of the plan.
Q: What if I use GZ as my identity provider for another application? Will that still work?
A: Yes. Using GrowthZone as your identity provider to access other applications will still work. No change there.
Q: Once MFA is set up, is it a problem if I change the access levels of my staff person to a different access level?
A: No. Access levels are not directly tied to MFA.
Q: I open lots of tabs when I work in GrowthZone. Will I have to re-authenticate for each tab I open?
A: No. Opening new tabs will not require you to authenticate again.
Q: I often open an incognito browser window. How will that work?
A: The way you go about opening an incognito window will not change, but you will need to authenticate again in that new window. Unfortunately, inconvenience is sometimes the price of tighter security.
Q: Will I still be able to use the GrowthZone Clone environment that I’ve been directed to by GrowthZone staff?
A: Yes, but with one change. When you get to the Clone login screen, you’ll need to click the “Login via Production” button on the login screen. That will ensure that Clone knows to log you in using your MFA setup from the production environment.
Q: I’m a beta tester for the Community platform. Will this work for us?
A: Yes. The Community connection is handled via GrowthZone, so your connection will remain as it is now.
Authenticator App Questions
Q: If I set up MFA in my authenticator app, is there a way to remove that instance if I need to start fresh in my app or for some reason have an unneeded instance in my authenticator app?
A: Yes, each authenticator app will have a way to remove an instance that you no longer need. For example, with the Google Authenticator app on iOS, you can swipe right on the instance that you do not need. Then you will see a red "Delete" button. Tap it to remove the instance. For the Android version, swipe left.
Q: Can I edit the entries in my authenticator app?
A: Typically, you can. It will depend on which app you are using as to how to go about it. On the Google Authenticator app for Android, swipe right on the app in order to see an edit pencil icon.