Multi-Factor Authentication (MFA) is an essential component of modern cybersecurity, providing a strong defense against unauthorized access by requiring multiple forms of verification for logging into the Coaching.com platform.
MFA typically involves 2 or more of the following factors:
Something You Know:
This is a knowledge factor, such as a password.
Something You Have:
This is a possession factor, such as a physical device like a smartphone, hardware token.
Something You Are:
This is an inherence factor, which includes biometric verification like fingerprint scans.
MFA is available for all account types, except those using Single-Sign-On (SSO). Accounts with SSO enabled use their own authentication schemes, which typically include MFA managed outside of Coaching.com.
Enabling MFA
All individuals can enable Multi-Factor Authentication for their own login, adding an extra layer of security. Administrators of business accounts can also mandate MFA for their employees. Detailed scenarios for these options are described below.
Individual Preferences - Enrolling in MFA
An individual (coach, coachee, admin) can enable Multi-Factor Authentication at any time by navigating to Personal Settings. On the Personal Settings page, there is a new section titled 'Account Security', as shown below.
MFA Controls on Personal Settings
MFA can be enabled by checking the designated box. Once enabled, the user will be prompted to enroll in their chosen MFA method the next time they log in (as shown below). Additionally, after enabling MFA, the Account Security pane will update to reflect the new enrollment status.
Account Security Page in an Enrolled State
Once an account has MFA enabled, the user will be prompted to enroll in MFA upon their next login. A link will be provided to 'Logout to setup MFA'. The detailed workflow for enrolling in MFA is described later in this guide.
Independent Coaches and Administrators - Enforcing MFA
Multi-Factor Authentication is available to any user of the platform at any time. Additionally, account administrators (Independent Coach, Global Administrator, Client Administrator) have the ability to enforce MFA for users within their account. Account administrators will find new settings on the Company Settings page of their account.
Enforcing MFA Impact
Enforcing MFA at the company level increases security requirements for employees of the account, and also for clients or vendors companies who are part of internal record companies. To see a full list of user's to where enforcement would apply please review:
The Employees Page
The Clients Page, where clients have a Connection Status of 'Internal record'
The Vendors Page, where vendors have a Connection Status of 'Internal record'
Company Settings - Enforcing MFA for All Users
The image above shows the new Account Security section within the Company Settings. Here, administrators can enforce MFA for all users within their account. Once enforced, each user that is an employee of the account, or part of an Internal record company will be required to enroll in their chosen MFA method the next time they log in (as described below).
After MFA is enabled in the Company Settings, users within the account will no longer have the option to enable or disable MFA from within their Personal Settings (as shown below).
Personal Settings - Illustrating When MFA is Enforced at the Company Level
Enrolling in MFA
Once Multi-Factor Authentication (MFA) has been enabled either individually in Personal Settings or enforced at the account level within Company Settings, individuals logging back into the platform will be prompted to select an MFA method that suits their preference. The platform offers three new authentication factors:
Authenticator App: Users can use a mobile app like Google Authenticator or Authy to generate time-based one-time passwords (TOTPs).
Security Key: Users can use a physical hardware device (like YubiKey) that plugs into a USB port or communicates wirelessly via NFC or Bluetooth for authentication.
Biometric Authentication: Users can authenticate using biometric data such as fingerprint scans, facial recognition, or iris scans, depending on their device's capabilities.
Authenticator App
Authenticator apps are a widely used method for implementing Multi-Factor Authentication (MFA). By having such an app on your phone, this form of MFA serves as a "Something You Have" factor. There are various makers of Authenticator apps available on both the App Store and Google Play Store.
The enrollment process for an Authenticator App will follow the flow described below when users log in for the first time after MFA is enabled:
Selection: Users will be prompted to choose the option for Authenticator App as their preferred MFA method during login.
Scan QR Code: They will then scan a QR code displayed on the screen using their Authenticator app.
Verification: The app will generate a time-based one-time password (TOTP) based on the QR code.
Enter Code: Users will enter the generated TOTP into the platform to complete the enrollment process.
Recovery Code: As a last step, a Recovery Code is also provided as an alternative login option. This is provided in case the mobile device is lost or stolen, or if the authenticator information is removed. The Recovery Code would serve as a last option to get back into the account.
This method ensures added security by requiring both the user's password and a unique code generated by their Authenticator app for each login attempt.
Security Key
FIDO (Fast Identity Online) Security Keys are hardware authentication devices used to provide secure and convenient multi-factor authentication (MFA). These keys are based on the FIDO Alliance's standards, such as FIDO U2F (Universal 2nd Factor) and FIDO2/WebAuthn, designed to improve online security and reduce reliance on passwords. Security keys can easily be purchased online.
Security Key Enrollment
The workflow for enrolling with a Security Key is simple and is shown below.
The screens shown above are described below.
Instructional Screen
This screen simply provides instructions for the screens to follow
Device Selection
Users can choose from a Security Key, or use a mobile device or tablet to represent as the key.
Instructional Step
Security Keys may require touch, such as a fingerprint to activate
Naming the Key
The key can be given a name so that it can be identified later.
Success Screen
This screen shows if the enrollment with the security key was successful
Recovery Code
As a last step, a Recovery Code is also provided as an alternative login option. This is provided in case the mobile device is lost or stolen, or if the authenticator information is removed. The Recovery Code would serve as a last option to get back into the account.
Biometric Authentication
After enrolling with either an Authenticator App or a Security Key, users have the option to apply Biometric Authentication as an additional factor. Biometrics may include features such as fingerprint scanning, like Touch ID on MacBooks, enhancing security and convenience during login processes.
Biometric Authentication Enrollment
The workflow for enrolling with biometrics is shown below.
There are just 3 simple steps for biometric authentication enrollment:
Biometric Option Screen
If you wish to enroll with biometric authentication you can select the 'Continue' option. Enrollment can also happen at a later time.
Touch ID Enrollment (On Mac)
The next screen enables the biometric enrollment. The example above is from a Macbook, where the user would place their fingerprint on the Touch ID.
Success Screen
Lastly is a screen shows a successful registration.
MFA After Enrollment
Once enrolled individuals will see that enrollment is active on their Personal Settings page.
If users want to reset their MFA settings and re-enroll on the next login, they can select the 'Reset MFA' option.
MFA and Adaptive Response Flow
Multi-Factor Authentication is based on an adaptive response during the login flow. During a login, Adaptive MFA calculates an overall confidence score based on analysis of three risk assessments:
Assessor | Risk Signal |
| User attempts to sign in from a device that has not been used to access the account in the last 30 days. |
| User attempts to sign in from a geolocation that indicates an impossible travel situation when compared to the last login. |
| User attempts to sign in from an IP address known to be associated with suspicious behavior. |
Overall Risk Score | A combination of all 3 factors above. |
When Adaptive MFA determines the overall confidence score is low (that the login transaction is high-risk), it requires the user to verify their identity with MFA using one of the factors that they enrolled with.