Enable MFA

Traditionally, ColorTokens Spectrum portal user accounts are authenticated with passwords unless you enable Azure AD SSO and its associated authentication features. If your Spectrum organization does not use Azure AD SSO, you can, as the Org Admin for the organization, enable Multi-Factor Authentication (MFA) for more secure authentication.

Multi-factor Authentication (MFA) is authentication that requires users to provide two or more verification factors to gain the expected access (in this case, the Spectrum portal and app instances available to the users). Some factors include passwords, hardware OTP (One-Time Password) tokens, mobile OTP applications, and SMS-based OTPs.


MFA options

You can set up MFA in one of two ways:

  • Natively from Azure AD - if you are using Azure AD for SAML SSO, you must consider using the MFA features in Azure AD. This can simplify user management when users fail MFA challenges.

  • Spectrum-managed MFA - in this case, ColorTokens manages the MFA setup for the organization. MFA challenges can be completed using auth-codes from Authenticator apps such as Microsoft Authenticator, Authy, Google Authenticator, or the Spectrum user Recovery keys. Other factors such as SMS-based OTPs and hardware tokens are currently not supported. 

    Recovery keys are unique for users and are generated soon after they complete the first MFA challenge. Five Recovery keys are available for use. A key is for one-time use only. If you use a key for a challenge, a new key is generated. Recovery keys for a user are listed on the My Account page in the portal.


Prerequisites

  • You must be the Org Admin for the organization in the Spectrum portal to enable MFA.

  • You have an Authenticator app to enable MFA for the organization.

  • The users in your organization must have an Authenticator app to complete the first MFA challenge.


Enable MFA

After MFA is enabled, users are asked to complete their first MFA challenge on their next login. 

You must instruct the users to note their Recovery keys so that they can use them when the Authenticator app is unavailable.

  1. Click the profile icon (on the top-right corner of the banner).

  2. Click My Account.

  3. Turn On MFA (turns Green).

  4. Scan the code or enter the Secret key displayed on the page, select I acknowledge and click Next.

  5. Enter the auth-code for the ColorTokens Spectrum account and click Next.

  6. Click Next.


MFA prompts to users

  • For Azure AD-native MFA, challenges are initiated when the Azure AD Identity Protection service detects a risk.

  • For Spectrum-managed MFA, challenges can be completed by using the auth-codes from the Authenticator app or the Recovery keys. Users can choose the response mode at the time of completing the challenge. Also, challenges can be bypassed for seven days (select Don’t ask again for 7 days). 
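
The two response modes described above (auth-codes under MFA options, Recovery keys with one-time use and replacement) can be modelled as follows. This is an added example, not ColorTokens code: it assumes the auth-codes are standard TOTP codes (RFC 6238) as generated by the listed Authenticator apps, and the MfaAccount class, the Recovery key format and the replay guard are hypothetical.

```python
import base64, hashlib, hmac, secrets, struct, time

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the auth-code an Authenticator app shows at time `at`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    mac = hmac.new(base64.b32decode(padded), struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _digest(key):
    return hashlib.sha256(key.encode()).hexdigest()

class MfaAccount:
    """Hypothetical model of one user's MFA state (not ColorTokens code)."""
    KEY_COUNT = 5                                # five Recovery keys, per the page

    def __init__(self, secret_b32):
        self.secret = secret_b32
        self.enrolled = False                    # True after the first completed challenge
        self.last_step = -1                      # newest time step accepted (replay guard)
        self.recovery = set()                    # digests of unused Recovery keys

    def _issue_key(self):
        key = secrets.token_hex(8)               # assumed key format: 16 hex characters
        self.recovery.add(_digest(key))
        return key                               # shown to the user; only the digest is kept

    def verify_code(self, code, now=None, step=30, window=1):
        """Check an auth-code; returns (ok, Recovery keys issued on first success)."""
        current = int(time.time() if now is None else now) // step
        for s in range(current - window, current + window + 1):
            if s > self.last_step and hmac.compare_digest(
                    totp(self.secret, s * step, step).encode(), code.encode()):
                self.last_step = s
                issued = [] if self.enrolled else [self._issue_key() for _ in range(self.KEY_COUNT)]
                self.enrolled = True
                return True, issued
        return False, []

    def verify_recovery(self, key):
        """Check a Recovery key; returns (ok, replacement key or None)."""
        if _digest(key) not in self.recovery:
            return False, None
        self.recovery.remove(_digest(key))       # one-time use
        return True, self._issue_key()           # a new key replaces the used one

if __name__ == "__main__":
    acct = MfaAccount("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")   # RFC 6238 test secret
    print(acct.verify_code(totp(acct.secret, 59), now=59))
```

A production verifier would also rate-limit failed attempts, which this model leaves out.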


Disable MFA

We highly recommend that you do not disable MFA for Spectrum user accounts unless you originally used it for testing purposes. 

  • Turn Off MFA (turns Grey).
