Two-factor authentication can be enabled for Account Owners and Administrators. Two-factor authentication (2FA), sometimes referred to as two-step verification, is a security process in which the user provides two different authentication factors to verify themselves. This is important to:
- Protect the user’s credentials
- Protect the resources the user can access
In Litmos, two-factor authentication uses the user password together with email verification codes.
How to turn on Two-Factor Authentication:
This feature can be turned on from the Account Settings → Profile → Login section:
How does it work?
Account Owners and Administrators are asked for a code only once every 90 days and/or upon password reset, on each trusted computer or device. Note that two-factor authentication is browser-specific and is based on cookies stored in the browser. The verification code is sent to the email address maintained in the user profile. If no email address is maintained, the Account Owner/Administrator can generate a verification code via the user password reset page, or the Administrator can reach out to firstname.lastname@example.org on behalf of the user attempting to sign in.
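The cookie-based trust described above can be modelled as in the following sketch. It is an added example, not SAP Litmos code: the cookie format, the HMAC signing, `SERVER_KEY` and the function names are assumptions; only the 90-day period, the 2-hour code validity and the password-reset rule come from this page.

```python
import hashlib
import hmac
import secrets

TRUST_PERIOD = 90 * 24 * 3600  # page: a code is requested once every 90 days per browser
CODE_TTL = 2 * 3600            # page: the verification code is valid for 2 hours
SERVER_KEY = secrets.token_bytes(32)  # assumption: secret that never leaves the server


def _sign(payload: str) -> bytes:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_trust_cookie(user_id: str, now: int) -> str:
    """Cookie stored in the browser after a successful code check.
    Assumption: user ids never contain the '|' separator."""
    payload = f"{user_id}|{now}"
    return f"{payload}|{_sign(payload).decode()}"


def code_required(cookie, user_id: str, last_password_reset: int, now: int) -> bool:
    """True when this browser must be asked for an email verification code."""
    if not cookie:
        return True  # new browser, or cookies were cleared
    try:
        cookie_user, issued, mac = cookie.split("|")
        issued_at = int(issued)
    except ValueError:
        return True  # malformed cookie
    if not hmac.compare_digest(mac.encode(), _sign(f"{cookie_user}|{issued}")):
        return True  # forged or edited cookie
    if cookie_user != user_id:
        return True  # cookie was issued to a different account
    if issued_at < last_password_reset:
        return True  # a password reset ends the trust
    return now - issued_at >= TRUST_PERIOD


def code_is_valid(submitted: str, expected: str, sent_at: int, now: int) -> bool:
    """Constant-time comparison inside the 2-hour validity window."""
    in_window = now - sent_at <= CODE_TTL
    return in_window and hmac.compare_digest(submitted.encode(), expected.encode())
```

Because the trust decision rests on a browser cookie, signing it and binding it to the account is what keeps a user from extending the 90-day window or reusing another account's cookie.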
User Password Reset Page:
For an Account Owner or Administrator to enter a temporary verification code on behalf of a user, that end user needs to be on the page that prompts for the verification code:
Two-step verification Page:
When the user is prompted for the verification code (as shown below) after 90 days on each trusted device, an email containing the verification code is sent to the user.
- How long is the verification code valid for?
The verification code is valid for 2 hours.
- Does an Account get disabled if it has not been verified?
No, the account does not get disabled. However, to access the SAP Litmos account, you will need to provide a valid verification code.
- Can Two-Factor Authentication be turned on and off for specific users in the account?
No, it is not possible to turn this feature on for specific users in the account. This feature is turned on for all account owners/admins.
- Does Two-Factor Authentication affect API keys?
No, this does not affect the API keys.
- Will I be prompted for the Two-Factor Authentication code on the Mobile App?
No. Two-Factor Authentication will not be triggered on the mobile app. However, if you access the app via the browser, you will be prompted for the verification code.
- Will I be prompted for Two-Factor Authentication with SSO?
No. Two-factor authentication should not get triggered with SSO.
- Will I be prompted for Two-Factor Authentication if I change my password via the forgot password link?
No. Since you will be accessing the link from the email, you will not be prompted for the verification code when you reset your password via the reset password link sent via email.