Two-factor authentication can be enabled for Account Owners/Administrators or All Users. Two-factor authentication (2FA), sometimes referred to as two-step verification, is a security process in which the user provides two different authentication factors to verify themselves. This is important to:

1. Protect the user’s credentials
2. Protect the resources the user can access

Two-factor authentication, in Litmos, is enabled with the user password plus Email verification or one of the following Mobile based verification methods.
• SMS Verification method
• Google Authentication method 

Two factor verification can be limited to Account owners and Admins or can be extended to all users as needed.

How to turn on Two-Factor Authentication:

This feature can be turned on from the Account Settings →  Profile → Login section: Once enabled, Account owners can choose the method of Authentication and who to be authenticated. Default values will be set to Admins only via email authentication

How does it work?

Account Owners and Administrators  or All users in the org will  be asked for a code once every defined period ( max90 days) and/or upon password reset, on each trusted computer or device. Please note that the two factor authentication is browser specific and is based on cookies stores in the browser. The verification code will be sent to the email address maintained in the user profile. If the email is not maintained, the Account Owner/Administrator can generate a verification code via the user password reset page or the Administrator can reach out to support@litmos.com on behalf of the user attempting to sign-in.

Email verification and User Password Reset Page: When the user is prompted for the verification code (as shown below) after 90 days on each trusted device, an email will be sent to the user including the verification code.

In order for an Account Owner or Administrator to enter a temporary verification code on behalf of a user, that end-user would need to be on the page that prompts the verification code:

SMS verification and User Password Reset Page:- A valid phone number is required for the SMS based authentication.
When the user is prompted for the verification code (as shown below) based on the settings, an SMS
will be sent to the user with the verification code.

If the user does not have a valid phone number on record, the user will have to reach out to their
Account Owner/Administrator to help generate a verification code via the user password reset page.

Google Authentication method - A valid phone number and the Google authenticator app is
required for the Google authentication method. As a first step, the user will be prompted to scan a QR
code to be authenticated. Once the user is authenticated, the user can generate a verification code
from google authenticator app to enter in the below screen to login to the system.

If the user does not have a valid phone number on record for initial authentication, the user will have
to reach out to their Account Owner/Administrator to help generate a one-time verification code via
the user password reset page. Google authenticator app is required to generate a valid verification
code thereafter.

In case of a loss of the authorized mobile device, the user will have to be reauthorized by the Admin
to be able to access the system. To reauthorize, the Admin will have to navigate to the user's profile
and password reset page and click on ‘Re-Authorize’ user. This will trigger the reauthorization and
verification flow

FAQ

• How long is the verification code valid for? 
  The verification code is valid for 2 hours. 
  
  
• Does an Account get disabled if it has not been verified? 
  No the account does not get disabled. However, to access the SAP Litmos account, you will need to provide a valid verification code. 
• Can Two-Factor Authentication be turned on and off for specific users in the  account? 
  No, it is not possible to turn this feature on for specific users in the account. This feature is turned on for all account owners/admins. 
   
  
• Does Two Factor authentication affect API keys? 
  No this does not affect the API keys.
  
  
• Will I be prompted for the Two Factor Authentication code on the Mobile App? 
  No. Two Factor Authentication will not be triggered on the mobile app. However, if you access the app via the browser, you will be prompted for the verification code.
  
  
• Will I be prompted for Two Factor Authentication with SSO? 
  No. Two factor authentication should not get triggered with SSO. 
  
  
• Will I be prompted for Two Factor Authentication if I change my password via the forgot password link?
  No. Since you will be accessing the link from the email, you will not be prompted for the verification code when you reset your password via the reset password link sent via email.