Multi-Factor Authentication
Multi-Factor Authentication (MFA) is a method of verifying a user's claimed identity before the user is granted access to a system. Access is granted only after the user successfully presents two or more pieces of evidence (factors) to an authentication mechanism:
- Knowledge (something the user and only the user knows)
- Possession (something the user and only the user has)
- Inherence (something the user and only the user is)
Two-Factor Authentication
Preceda uses Two-Factor Authentication (also known as 2FA), which is a subset of MFA.
Two-Factor Authentication is a method of confirming a user's claimed identity using a combination of any two of the factors mentioned above. A good example of 2FA is the withdrawal of money from an ATM, where only the correct combination of a bank card (something that the user possesses) and a PIN (something that the user knows) allows the transaction to be carried out.
Preceda's additional security feature via 2FA enhances the log in experience, safeguards access to the data application, and brings stronger data security in an easy-to-use authentication system.
When enrolling for 2FA in Preceda, you need to have a set of the following:
- Preceda credentials: Username, Password, Client
For Single Sign On Users, your regular login credentials.
- Something that is yours: Smartphone, Installed 2FA Application
1. On the Preceda Log In page, enter your login credentials (i.e. Username, Password, Client).
2. When your Preceda database has been enabled for Two-Factor Authentication, and:
- If you are in the Transition period, you will see something like this (see below image) after your credentials are validated. Click Next to proceed to the Authentication process if you wish to continue with the enrollment process.
OR
- If you are required to enroll in 2FA, you will be directed straight to the screen shown in Step 3 upon entering your Preceda Log In credentials.
3. Register your secret key using your installed Two-Factor Authentication Application.
To do this, you can either:
- Scan the QR Code with your selected 2FA Application by aiming your smartphone camera at the QR Code. Your app will automatically save it so you will not need to tap anywhere else.
OR
- Click the option "Can't scan? Click here" in case your camera does not work or you're attempting to log in via Preceda Mobile. A secret key will then be displayed in plain text. Copy this key to your 2FA Application, and click Next.
4. Once you have successfully scanned the QR Code or entered the secret key, an OTP verification screen will be displayed. Enter the 6-digit code generated from your 2FA Application and click Sign In.
When on Mobile, just tap over the code and it will be copied automatically. Go to your mobile browser and tap over the code input field, paste the code, and click Sign In.
NOTE: The 6-digit code is a One-Time Password (OTP) that refreshes every 30 seconds so make sure that you enter the code and click Sign In before the 30-second time limit passes.
Most apps will show you a progress indicator of the life span of a code coming to an end. If you think that you do not have enough time to type what you currently see on the screen, just hold on for a bit and wait for the next code to pop up and use that one instead.
5. Upon correctly entering the 6-digit code, you will be enrolled in 2FA with Preceda. Click Finish to complete the process.
6. You are now enrolled for 2FA. You will then be directed to the Preceda Welcome Page.
You can only skip the 2FA Enrolment if you are in the Transition Period. If you have already been notified that 2FA has been enabled in Preceda and the Transition Period has not yet been completed, you will see something like this after your credentials are validated:
To skip 2FA configuration, click the "here" link.
The Log In process into Preceda will be completed as usual.
If you do not have your enrolled smartphone with you or you are having an issue with it, you can enrol another device. The re-enrolment can be completed as many times as you need.
To enrol another device:
1. Click or tap on the "Can't access your phone? Click here to enrol another device" option on the OTP verification screen.
2. You will be presented with a process similar to the one used to set a new password when you have forgotten it. The initial step is to provide your surname and date of birth.
3. You will then be asked your Secret Questions.
If you cannot recall the answers to your secret questions, made a typographical error, or encountered any issue with the validation of your identity, contact your System Administrator. A System Administrator has access to the Preceda Reset User screen and can disable your enrolment, so you can enrol again as if you have never done this before.
4. Upon correctly filling out everything, you will be provided with the QR Code corresponding to your secret key to register it again in your 2FA App or device.
5. Once you have successfully scanned the QR Code or entered the secret key, an OTP verification screen will be displayed. Enter the 6-digit code from your 2FA Application and click Sign In.
6. When you have correctly entered the 6-digit code, your new device will be successfully enrolled.
Whenever a smartphone is not accessible, it is also possible to generate the One-Time Password (OTP) using computer-based tools such as stand-alone applications and browser extensions. There are also physical tokens that can be used to store the secret key Preceda will generate as part of your 2FA enrolment.
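The 30-second refresh noted in the enrolment steps and the computer-based OTP generation mentioned above both follow from how a code is derived from the secret key and the current time. The following is an added example, not Preceda's code: it assumes the standard TOTP algorithm (RFC 6238, HMAC-SHA1) implemented by common authenticator apps, which this page does not confirm for Preceda. The secret is the public RFC 6238 test key, and `verify` with its `drift_steps` tolerance is a hypothetical server-side check.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays current (the 30-second refresh on this page)
DIGITS = 6   # length of the code entered on the OTP verification screen

# Constructed sample: base32 form of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def normalize(secret_b32):
    """Clean up a manually typed key: drop spaces, upper-case, restore padding."""
    s = secret_b32.replace(" ", "").upper()
    return s + "=" * (-len(s) % 8)

def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Derive the code for the time step that contains unix_time."""
    key = base64.b32decode(normalize(secret_b32))
    counter = int(unix_time) // step                 # same value for 30 seconds
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def seconds_left(unix_time, step=STEP):
    """Seconds before the code shown at unix_time is replaced by the next one."""
    return step - (int(unix_time) % step)

def verify(secret_b32, submitted, unix_time, drift_steps=0, step=STEP):
    """Return the matching step offset (0 = current step), or None if rejected.

    drift_steps > 0 also accepts codes from adjacent steps; this tolerance is
    an assumption for illustration, not documented Preceda behaviour.
    """
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, unix_time + d * step, step)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return d
    return None

if __name__ == "__main__":
    shown_at, typed_at = 1111111109, 1111111111       # 2 seconds apart
    code = totp(SAMPLE_SECRET, shown_at)
    print(code, "expires in", seconds_left(shown_at), "s")
    print("strict check:", verify(SAMPLE_SECRET, code, typed_at))
    print("one step of drift:", verify(SAMPLE_SECRET, code, typed_at, 1))
```

The sample run shows a code read with one second left being rejected by a strict check two seconds later, which is why waiting for the next code is the safer habit.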
The availability of the Two-Factor Authentication security feature depends on the configurations in Preceda Variable *PP_MULTI_FACTOR and Group Profile.
Customers can opt to have All Users (i.e. both Standard and Employee) or only Standard Users be enrolled for 2FA. This can be set up via the Group Profile screen.
- If you want only your Standard users to be required to use 2FA, set this field to Standard. All Employee user types will go through the normal Preceda login process.
- This field can be set to All Users, which will prompt both Standard and Employee user types to enrol for 2FA.
There may be instances when a user cannot proceed with the login process because of the absence of a smartphone, forgotten secret questions, a typographical error, or an issue with validation of identity, among others. In such cases, the 2FA enrolment can be reset so the user can enrol again.
Note that only a System Administrator can perform this action. A System Administrator has access to the Preceda Reset User screen and can cancel an enrolment so a user can enrol again as if it is the first time.
- If you are not a System Administrator and you need to disable your enrolment, please contact your System Administrator.
- If you are a System Administrator, you can:
  - Navigate to the Reset User screen.
  - Untick the 2FA Enroled box, and click Save.
  - Once saved successfully, the checkbox will be greyed out. The user's 2FA enrolment is then disabled and the user can enrol again.
Note that unticking this checkbox does not mean that the user will no longer be required to use 2FA. Rather, it is a way to help a user who has been locked out of Preceda.
The Australian Taxation Office (ATO) requested all service providers to enable Multi-Factor Authentication (in Preceda, this applies to all Standard users), which is also why we are providing you with enough information in anticipation of the inevitable: enrolling and logging in with 2FA.