Authentication
There are various ways of authenticating users and controlling who can access your site
Logging in
1. Manual login (Username and password)
To log in manually, select the ‘Enable manual login’ option in ‘Authentication’ settings
Temporary passwords
Invotra can automatically generate temporary passwords and send them by email to new accounts that log in manually.
- When creating a new user account, opt to notify the user of the new account
- The user must then enter the temporary password and immediately create their own password to authenticate
Note:
- Webmasters can also create a temporary password from ‘User management’ in ‘Administration’; in that case, the webmaster must communicate this password directly to the user
- If a temporary password is not sent to a user who cannot authenticate via SSO, the user will not be able to access the site
2. SSO (Single sign-on)
Authenticating via SSO improves user experience (UX) as users can quickly access the site in a secure way
- SSO can be seamless, provided the user has a federated identity
- Users without a federated identity can still authenticate via SSO, as long as they can log into their identity provider and Invotra is connected with that identity provider
3. Enabling MFA (Multi-factor authentication)
Invotra supports multi-factor authentication (MFA) via SMS to verify the user, which significantly reduces the risk of an attacker gaining access to the account
- Webmasters can enable or disable multi-factor authentication from the ‘Authentication’ page in ‘Administration’
Note:
- This is a global setting and affects all users logging in with email and password
- Users who authenticate via SSO will bypass Invotra's multi-factor authentication (however, the identity provider being used may have its own MFA solution)
- Users must have a mobile phone number added to their account before enabling MFA
Authenticating with multi-factor authentication
- With multi-factor authentication enabled, a user enters a valid email and password combination and a code is sent via SMS
- The user will then need to enter the code within 3 minutes to complete authentication and access the site
Logging out
- The log out options depend on the ALB being accessed
- For users accessing from an internal network, the log out option is hidden to avoid infinite loops
- For external networks, the log out option is available from within the user profile menu
- Webmasters can also configure the log out button to log the user out of their identity provider (to make access from public computers more secure)
To achieve this:
- Edit the IdP from within the ‘Authentication’ page
- Select the ‘Single sign out’ option
- Select ‘Save’
Once this is set up, and provided the identity provider allows it, a user who signs out of Invotra is also signed out of their identity provider.
Recovering an account
Users can recover their account if they have forgotten their password. In order to recover a password:
- Go to the login screen
- Select “Forgot your password?”
- Enter the email address for the account and submit the form
- A code will be sent to the email address. To recover the account, the user must enter the code into the field provided on the login screen
- After a valid code is entered, the user is prompted to add a new password, after which the user will be able to access the site
Allowing blocked users to authenticate
Users can be blocked to prevent them from authenticating into the site
In some circumstances, you may want to block a user who will not be authenticating for a long period of time, but have them unblocked if they authenticate via SSO. To achieve this, the webmaster can:
- Check ‘Unblock users on successful SSO’ on the ‘Authentication’ page in ‘Administration’.
When this is checked, any user who successfully authenticates via SSO can access the site regardless of their status, and a blocked user's status is changed to active. With this option enabled, blocking a user in Invotra therefore does not keep them out for as long as they can still authenticate with the identity provider.