Enforcing Multi-Factor Authentication
This topic describes how a Company Admin can make it mandatory or optional for users to log in to the Megaport ONE Portal with Multi-Factor Authentication (MFA). It also describes how to reset MFA for your users and how to review the MFA status of all users in your company.
About Multi-Factor Authentication
There are various security risks associated with identity facing businesses. Employees using weak passwords, or the same passwords for multiple accounts, can leave organizations vulnerable to breaches and cyber criminal activity. Multi-Factor Authentication (MFA) can help organizations deal with these issues. It makes life easier for employees, allowing them to more easily manage their different accounts securely. It also gives administrators greater visibility and control over identity management, and helps organizations achieve legal compliance with data regulations.
MFA is an authentication method and security system that ensures all of your business accounts require more than one verification factor before they can be accessed. For example, a username and password, and a code from an authentication app. MFA is a core component of a strong identity and access management (IAM) policy, and provides an extra level of security for your Megaport ONE Portal account. We recommend that you use the Google Authenticator app when securing your accounts with MFA.
Each user enables MFA for their Megaport ONE Portal login, where required. They should install a login verification app (such as Google Authenticator) on their digital device (phone, tablet, computer, and so on). When users log in, they check the login verification app for the token or code that they need to enter as the additional factor.
When you enforce MFA as a Company Admin, your users must enable MFA on their login, if not already set up. They will not be able to log in to the Megaport ONE Portal until they do so. MFA can also be set to optional globally for your company. In this situation, users have the option of using MFA or not when they log in to the Megaport ONE Portal.
For details on enabling MFA for your user account, see Securing your account with MFA.
Note
It is not recommended to access Megaport APIs using MFA with a username, password, and token. Although this is technically possible, we recommend to instead use API keys as the preferred authentication method when utilizing Megaport APIs. If you currently have any user accounts being used for API, we recommend changing these to API keys before enforcing MFA. For details, see Creating an API Key.
MFA benefits
The main benefit of MFA is that it enhances your organization’s security by requiring your users to identify themselves by more than a username and password. By themselves, usernames and passwords are vulnerable to cyber attacks and can be stolen by third parties. Enforcing the use of an additional verification factor such as a code from an authentication app increases the ability of your organization to remain safe from attacks from cyber criminals.
Full benefits of MFA include:
- Improved security
- Protection against unauthorized account access if credentials or devices are stolen
- Regulatory compliance
Who can enforce MFA globally for an account?
To enforce MFA globally for an account, you must be a user with the Company Admin role within the account.
Important
- Before implementing MFA, make sure to prepare all users associated with your Megaport ONE account by communicating what MFA is, why they need to select a verification method, and whether MFA is optional or required.
- Because enabling MFA can introduce new administrative responsibilities to support users, we highly recommend that you assign a minimum of two Company Administrators to help users troubleshoot and resolve authentication issues quickly.
- Megaport Support cannot reset MFA tokens on the customer’s behalf. Company Administrators will need to manage tokens.
These rules apply for the different types of Megaport ONE Portal accounts:
| Account Type | Who Can Enforce MFA? |
|---|---|
| Enterprise | A Company Admin user can enforce MFA globally or make it optional. |
| Root Tenant | A Company Admin user can enforce MFA globally or make it optional for their own root tenant account. A Company Admin user can enforce MFA globally or make it optional for any of their child tenant accounts. Note: Changing the MFA setting for one child tenant account does not impact any other child tenant accounts. |
| Child Tenant | A Company Admin user can enforce MFA globally or make it optional for their own account. Note: Root tenants can change this setting if they are a Company Admin. |
Making MFA mandatory for users
As a Company Admin, changing your company’s global MFA preference from optional to enforced ensures that all users accessing your company in the Megaport ONE Portal have MFA enabled and are securely logging in.
When you enforce MFA and make it mandatory, all of your users must enable MFA on their account login. They will not be able to log in to the Megaport ONE Portal until they do so. Users who have not enabled MFA will be taken to a screen to set up MFA on their next login attempt. For details on enabling MFA on your user account, see Securing your account with MFA.
To make MFA mandatory for users
-
Log in to the Megaport ONE Portal.
-
Choose Tenant > Settings.
-
Select Security Settings.
The Security Settings page appears.
-
Click Edit.
-
Click the slide button to On.
A message is displayed stating that all users of your company will be required to set up MFA during login.
-
Click Save.
-
Click Confirm in the Update Security Settings prompt.
You will be logged out after enforcing MFA globally if you do not enforced MFA for your account. MFA is now set to On and enforced globally. After MFA has been enforced, you need to supply a valid token from the authenticator app every time you log in to the Megaport ONE Portal, in addition to your email and password.
Making MFA optional for users
When you make MFA optional for your users, they can continue to log in to the Megaport ONE Portal with MFA if they were already doing so, or can choose not to log in using MFA.
Note
Optional (Off) is the default MFA setting, however MFA might have been enforced for your company at some stage. This task assumes that MFA is currently enforced (On) and you want to change the setting back to Optional (Off).
To make MFA optional for users
- Log in to the Megaport ONE Portal.
- Choose Tenant > Settings.
-
Select Security Settings.
The Security Settings page appears.
-
Click Edit.
-
Click the slide button to Off.
A message is displayed stating that MFA can still be enabled on a per user basis.
This does not change the MFA status for individual users. If a user already has MFA enabled, then it will continue to be enabled after this change.
-
Click Save.
-
Click Confirm.
MFA is now set to Off.
Resetting MFA for your users
The MFA setting of individual users can be reset. As a Company Admin, you might need to do this so that a user can enroll a new device. This disables the previous MFA code and the user will be asked to enable MFA again the next time that they log in to the Megaport ONE Portal.
You can reset MFA regardless of the global MFA setting for your company. That is, whether MFA has been set to enforced or optional by a Company Admin for your company.
You can reset MFA for your users if:
- Global MFA is enforced
- Global MFA is optional, but the user has MFA enabled
- The user has previously set up MFA
Note
- The user will remain logged in to the Megaport ONE Portal when resetting MFA.
- Resetting MFA does not disable MFA for the user’s account.
- The user account for which you are resetting MFA must be a real user and not set up for any automated process, because the user will need to log in again and enable MFA for the account.
- Megaport Support is unable to reset or regenerate QR codes for customers. A Company Admin must perform this task in the Megaport ONE Portal.
To reset MFA for a user
- Log in to the Megaport ONE Portal.
- Choose Tenant > Settings.
- Select Users.
- In the Users page, find the user for which to reset MFA.
You can use the filters at the top of the page to focus the list. - Click the gear icon
for the user entry and select Reset MFA.
- Type RESET in all caps and click Reset to confirm.
MFA is reset for the user.
Reviewing the MFA status of your users
As a Company Admin, you can view the roles and MFA settings of all users in your company. This allows you to quickly review the MFA status of all users in your company, to see who has enabled MFA for their user account, and who hasn’t.
To review the MFA status of your users
- Log in to the Megaport ONE Portal.
- Choose Tenant > Settings.
- Select Users.
-
Click the up and down arrows next to the column name to sort by user role or MFA status.
The Role column shows the role that the user has within the company, and the MFA column shows the MFA status of the user’s account. In the MFA column heading, (OPTIONAL) is displayed where MFA is not enforced globally, and (REQUIRED) is displayed where MFA is enforced globally.-
Optional/Set – The global company MFA setting is Optional and the user has MFA enabled.
-
Optional/Not Set – The global company MFA setting is Optional and the user does not have MFA enabled.
-
Required/Set – The global company MFA setting is Enforced and the user has logged in and successfully enabled MFA for their account.
-
Required/Not Set – The global company MFA setting is Enforced and the user has not logged in and completed their MFA setup, or has initiated login but did not successfully complete the MFA setup, in which case they will be shown the MFA setup screen until successfully enabling MFA for their account.
-
Where MFA is optional globally:
Where MFA is enforced globally:
