Guide to Multi-Factor Authentication (MFA) in Compassly

About Multi-Factor Authentication (MFA)

This guidance on MFA has been adapted from the UK Government National Cyber Security Centre (NCSC), which contains further background information:

https://www.ncsc.gov.uk/guidance/setting-2-step-verification-2sv

What is MFA?

Single-factor authentication is the security you will be most familiar with – a single security code to remember, typically a password or PIN.  

Multi-factor authentication (often shortened to MFA) provides a way of 'double checking' that you really are the person you are claiming to be when you're using online services, such as banking, email or social media. It is available on most of the major online services.  

Multi-factor authentication (MFA) is also known as two-factor authentication (2FA) and 2-step verification (2SV).

When setting up MFA, the service will ask you to provide a 'second step', which is something that you (and only you) can access. This could be a code that's sent to you by text message, or that's created by an app.

Why should I use MFA?

Passwords can be stolen by cyber criminals, potentially giving them access to your online accounts. However, accounts that have been set up to use MFA will require an extra check, so even if a criminal knows your password, they won't be able to access your accounts.

The NCSC recommends that you set up MFA on your 'important' accounts; these will typically be the 'high value' accounts that protect things that you really care about, and would cause the most harm to you if the passwords to access these accounts were stolen. You should also use it for your email, as criminals with access to your inbox can use it to reset passwords on your other accounts.

Important: MFA is an organisational, not Compassly, requirement

Compassly does not enforce the use of MFA by default. It is an option that any organisation can configure within Compassly – people in other organisations may not have the same requirement to use MFA.

If you are being asked to set up MFA in Compassly, it is because your organisation requires it.

Setting up MFA on Compassly

The two steps to set up MFA

An important concept to understand with MFA is that there are two parts to the process:

  1. Step 1: Setting up an authenticator app. Before you are able to authenticate any devices, you need to have an authentication method set up. In the case of Compassly, this will be an authenticator app on your mobile device / smartphone.
  2. Step 2: Authenticating your device. Once you have an authentication method set up, you then need to authenticate each device you want to use Compassly on, using the authenticator app that you set up in Step 1.

This guide will take you through these two steps in turn.

MFA symbols in Compassly

Compassly shows MFA status with a coloured padlock symbol:

  • A red padlock means you do not have MFA setup
  • An orange padlock means you do have MFA setup, but this device is not authenticated
  • A green padlock means this device is authenticated

If you are unable to distinguish these colours, clicking or tapping on the symbol will always take you to a screen that explains the full status.

Step 1: Set up an authenticator app

Important:

We highly recommend carrying out this step with the following setup:
1) Logged in to Compassly on your web browser, most likely on a computer
2) Using the authenticator app on your mobile device (e.g. smartphone)
If you only have a mobile device available, see the Troubleshooting section below.

Ensure you have an authenticator app set up and ready

Your organisation may have already set you up with an authenticator app – we would recommend using this for Compassly as well. If not, there are plenty of apps freely available; examples are included at the end of this guide.  

Here we will show the process with Microsoft Authenticator, as it is one of the most commonly used authentication apps.

Login to Compassly

Once you login, you will see your organisation listed on the organisation screen.  

A red padlock symbol against your organisation means that your organisation requires MFA to be setup and you do not yet have authentication setup:

If your profile is used in multiple organisations, not all may require you to use MFA – if you do not see a padlock symbol, then your organisation does not require MFA.

When you see the red padlock symbol, click on your organisation to proceed to set up MFA:

Click on “Setup MFA”. You will then be presented with an MFA QR code:

Now go to your authenticator app, and in Microsoft Authenticator you tap on the “+” symbol in the top right corner.

If you already have other accounts set up with MFA, you will see them on this screen too.

In Microsoft Authenticator, it asks you for the account type:


Select “Other (Google, Facebook, etc.)”

Make sure you have allowed access to the camera.

You should then see the QR code scanner on your screen.


Scan the code in Compassly here, and it should automatically appear in your list in the authenticator app:


Return to Compassly.

If you want, you can give this authenticator app a name so that you can easily remember which device it is on.

Enter the six numbers from your authenticator app to link your Compassly account to the authenticator app. It’s often a good idea to wait until the numbers refresh (every 30 seconds) to give yourself the most time possible to enter them into Compassly.


Press “Submit” when you’re ready:

You will now see that MFA has been successfully set up on your account:


You are now ready to authenticate your device, to add it as a trusted device.

Step 2: Authenticate your device

Once you have an authenticator app set up, each time you use a new device or web browser (including the first device you use) you will need to authenticate it – but you do not need to set up a new authenticator app each time; this only needs to be done once.

Click on “Add trusted device”

You can replace the automated name with something friendlier.

Return to your authenticator app and enter the current six numbers here:


You will then see that your device has been successfully authenticated, and you can proceed to your organisation to begin using Compassly:

When you login to Compassly on this device, you will now see a green padlock, indicating that you have already authenticated:


You will then not normally need to re-authenticate on this device.  

Other times when you may need to re-authenticate

If you start using Compassly on another device (such as a mobile phone), you will see this orange padlock and will need to authenticate on that device, but only following this second step.


You may also need to re-authenticate if:

  • Your original authentication expires
  • Your authenticated devices are reset by an administrator

The steps to authenticate your device are exactly the same as above.

Troubleshooting

I only use Compassly on my mobile device

While setting up an authenticator app on the same device that you are running Compassly on is harder than scanning the QR code from a web browser, it is perfectly possible.

When you need to set up a New Authentication Method in Compassly, tap on “Show secret key”. This will then display the secret key, which you can Copy and then close with Ok.


In Microsoft Authenticator, follow the steps above, but when you get to the stage where you need to scan the QR code, tap on the “Or enter code manually” button:


Under “Account name” enter something to identify this account, such as “Compassly”, then paste (recommended) or type (not recommended) the secret key from Compassly. This will then set up the authenticator app in exactly the same way as scanning the QR code.
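The six-digit numbers that refresh every 30 seconds (Step 1 above) and the secret key you can enter manually (this section) are two views of the same thing: the app derives each code from the secret key and the current time. The following is an added illustration, not Compassly's own code, and it assumes the secret key is a base32-encoded seed for standard time-based one-time passwords (RFC 6238 with SHA-1, 30-second steps and six digits); the seed shown is the published RFC test value, used here so the output can be checked, not a real Compassly key. It also shows why waiting for a fresh code helps: a verifier typically accepts only the current step and its immediate neighbours.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # how often the six numbers change in the app
DIGITS = 6          # length of the code Compassly asks for

# Constructed sample: the RFC 4226/6238 test seed "12345678901234567890", base32-encoded.
# A real secret key would be the one shown under "Show secret key" (assumed to be base32).
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Turn the text secret key into raw bytes, tolerating spaces, lower case and missing padding."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # base32 needs a multiple of 8 characters
    return base64.b32decode(cleaned, casefold=True)


def totp_code(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Compute the code an authenticator app shows at the given Unix time (RFC 6238, HMAC-SHA1)."""
    counter = unix_time // step                   # same counter for every second within one 30 s window
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    digest = hmac.new(decode_secret(secret_b32), msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def seconds_remaining(unix_time: int, step: int = STEP_SECONDS) -> int:
    """How long the code shown at unix_time stays current; waiting for a refresh maximises this."""
    return step - (unix_time % step)


def verify_code(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side for clock drift
    and typing delay, using a constant-time comparison for each candidate."""
    for delta in range(-window, window + 1):
        candidate = totp_code(secret_b32, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; in practice use int(time.time())
    print("code:", totp_code(RFC_TEST_SECRET_B32, now))
    print("valid for another", seconds_remaining(now), "seconds")
    print("accepted:", verify_code(RFC_TEST_SECRET_B32, "287082", now))
```

The values at the RFC test times (for example 287082 at Unix time 59) match the published vectors, which is a quick way to confirm an implementation before trusting it; `verify_code` deliberately rejects a code more than one step old, which is the behaviour that makes a freshly refreshed code safer to type than one about to expire.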

I’ve lost access to my authenticator app

If you can no longer access your authenticator app, ask your local Compassly lead or super user to email help@compassly.com with your email address and the request to reset your MFA.

I want to add a second authenticator app

If you have the option to do so, setting up an additional authenticator app on a different device can give you an additional route to authenticate and access Compassly if you lose access to your main authenticator app.

To set this up, go into your Settings, and tap on “Account” and then “Multi Factor Authentication (MFA)”  

Then tap on “Authentication Methods” and “Add new authentication method”

The steps to set up the app are exactly the same as above.

The QR code is not recognised

There are multiple different QR codes in use in Compassly, and there are different ways you can scan QR codes, so you need to make sure that you are:

  • Scanning the right code – make sure you scan this MFA QR code, and not the organisation joining QR code
  • Using the right scanner – make sure you are scanning using your authenticator app, and not the phone camera or the scanner within Compassly

Be sure to exactly follow the steps in these instructions to make sure you scan the right code with the right app.

It’s taking me to the password manager, and not my authenticator app

This is generally because you have scanned the QR code with your phone camera and not the authenticator app:

You can add the authenticator using this method, but we would not recommend this unless you are already familiar with this approach.

Frequently Asked Questions (FAQ)

Which authenticator app do I need to use?

There are plenty of authenticator apps available that are compatible with Compassly. Below are some of the most commonly used on iOS (iPhone and iPad) and Android.

This is not a definitive list – many others are available.

Can I use Text Message (SMS) instead of an authenticator app?

No – SMS is not considered as secure as using an authenticator app, and is therefore not supported on Compassly. There are no plans to introduce SMS authentication.

Can I use a shared authenticator app / a shared device?

While this is possible, we would not recommend it – this reduces the security as other people will have access to your MFA authentication codes.

It may also be against your organisation’s IT policies.

Can I use FIDO2 or similar security keys?

While FIDO2 keys are not currently supported, we will look at adding this to the development roadmap if there is sufficient demand.

Can I use a Passkey?

We do not yet support Passkeys on Compassly, as this is a relatively new technology and not widely adopted by our users. We may consider adding this in the future.