eSuite Multi-Factor Authentication

Our multi-factor authentication (MFA) implementation allows users to opt in or out of using multi-factor authentication in eSuite modules.

Multi-factor authentication has been built into the eSuite Admin, eHR Portal, eUtilities, ePermits, eMiscellaneous Billing and eSupplier sites.

Using the standard TOTP protocol, users can use apps such as Okta and Google Authenticator on their devices to authenticate with a stored secret. The devices generate one-time codes for the login to add a second layer of security. Users who do not have a mobile device or choose not to use one can use TOTP managers that install directly to a PC.

Yes. When you opt in at the site level, all users of that module must use MFA; for example, you cannot have 90% of the employees use MFA and 10% not use MFA for the eSuite HR Portal.

On the Management Console, go to the Configuration Settings page and scroll down to the Multi-Factor Authentication bar:

In the example above, MFA is disabled for any module with a value of No and enabled for every module with a value of Yes. That means logins for a module set to No require only the correct user name and password, while logins for a module set to Yes are challenged with another layer of security.

To change MFA settings, click the gear icon. The Multi-Factor Authentication Configuration Settings window displays:

Saving changes turns on or off MFA for all users at one time. Make changes here with care.

When using MFA for an application, on the first login, users see a screen like the following:

Using a TOTP-enabled app such as Google Authenticator or Okta, the user scans this barcode to create the trust with their device. After scanning, the user enters the one-time password the device generates into the One-time code field.

Subsequent logins do not display the barcode; instead, they display the One-time code field as shown below to ensure two levels of authentication are used for a login:

At times a user replaces their device or has need to reset the MFA secret stored in the device. eSuite Admin has reset functions for the eSuite Admin Administrator Accounts (System-wide Settings > Administrator Accounts), HR Portal Users (eHR > eEmployee > Employee Account Maintenance) and ePermits Contractor Accounts (ePermits > Contractor Account Management); and eUtilities profiles can be reset under the eSuite User Profiles page in Customer Service in New World ERP. Clicking these buttons for any account resets it so the barcode displays and must be scanned on the next login attempt.

If the profile has paired a device and Multi-Factor Authentication is enabled for eUtilities, the Reset TOTP Secret button is available. If either of those is false, the user will not see the button:

The path to reset a login for an eMB customer is eMiscBilling > Account Management > Edit:

The path to reset a login for an eSupplier vendor is eSupplier > Account Management > Edit: