Authentication

There are various ways of authenticating users and controlling who can access your site

Logging in

1. Manual login (Username and password)

To login manually, select the ‘Enable manual login’ option in ‘Authentication’ settings

Temporary passwords

Invotra can automatically generate and send temporary passwords via emails for new accounts logging in manually.

When creating a new user account, opt to notify the user of the new account
Users must then enter the temporary password and then immediately create their own password to authenticate

Note:

Webmasters can also create a temporary password from ‘User management’ in ‘Administration’, however, the webmaster must communicate this password directly to the user
If a temporary password is not sent to a user who cannot authenticate via SSO, the user will not be able to access the site

2. SSO (Single sign on)

Authenticating via SSO improves user experience (UX) as users can quickly access the site in a secure way

SSO can be seamless, provided the user has a federated identity
Users without a federated identity can still authenticate via SSO, as long as they can log into their identity provider and Invotra is connected with that identity provider

3. Enabling MFA (Multi factor authentication)

Invotra supports multi-factor authentication (MFA) via SMS to verify the user, which significantly reduces the risk of a malicious attacker attempting to access the account

Webmasters can enable or disable multi-factor authentication from the ‘Authentication’ page in ‘Administration’

Note:

This is a global setting and affects all users logging in with email and password
Users who authenticate via SSO will bypass the multi-factor authentication (however, the identity provider being used may have their own MFA (multi-factor authentication) solution)

Authenticating with multi-factor authentication

With multi-factor authentication enabled, a user enters a valid email and password combination and a code is sent via SMS
The user will then need to enter the code within 3 minutes to complete authentication and access the site

Logging out

The log out options are dependent on the ALB being accessed
For users accessing from an internal network, the log out option is hidden to avoid infinite loops
For external networks, the log out option is available from within the user profile menu
Webmasters can also configure the log out button to log the user out of their identity provider (to make access from public computers more secure)

Note: Users must have a mobile phone number added to their account before enabling MFA

To achieve this:

Edit the IdP from within the ‘Authentication’ page
Select the ‘Single sign out’ option
Select ‘Save’

When this is set up, provided the identity provider allows it, when a user signs out from Invotra they will also sign out from their identity provider.

Recovering an account

Users can recover their account if they have forgotten their password. In order to recover a password:

Go to the login screen
Select “Forgot your password?”
Enter the email to the account and submit form
A code will be sent to the email address. To recover the account, the user must enter the code into the field provided on the login screen
After a valid code is entered, the user is prompted to add a new password, after which the user will be able to access the site

Allowing blocked users to authenticate

Users can be blocked to prevent them from authenticating into the site

In some circumstances, you may want to block a user if they will not be authenticating for a long period of time but want to unblock them if they could authenticate via SSO. In order to achieve this the webmaster can:

Check ‘Unblock’ users on successful SSO from the ‘Authentication’ page in ‘Administration’.

When this is checked, any users successfully authenticating via SSO will be able to access the site regardless of their status and if the user was blocked their status will be changed to active.