Configure multiple-factor authentication

Traditional authentication based on a user name and password combination is no longer safe enough, as hackers have become much more sophisticated, users often use the same user names and password across several accounts, and create passwords that are not strong enough. These issues can leave an organization open to security breaches. MFA multi-factor authentication ensures that an organization remains secure, as it digitizes data and assumes greater liability for storing customer data.

When accessing the ESO Suite, users must enter their user name, password, and agency code. Periodically, MFA runs as a secondary user verification method. With MFA, ESO Suite requires OTP one-time passwords codes received through email, and/or text (SMS short message service) message, and/or mobile authenticator applications.

You can also choose to exclude specific user roles and individual users from the MFA requirement.

Warning: Only use MFA exemption when MFA is not possible.

1. Do one of the following.

   • (If you are already working in the ESO Suite) Click the Home icon in the upper left corner of the screen.

     

   • (If you have not yet logged in) Log in to the ESO Suite.

     1. In a web browser, go to https://www.esosuite.net/EsoSuite.

        The ESO Suite login screen appears.

     2. Enter your user name, password, and agency name, then click Let's Go.

        If MFA multi-factor authentication is enabled, the Multi-factor authentication dialog box appears, displaying one or more methods you can use to verify your login credentials. The number of methods that appear in the dialog box depends on what MFA methods your ESO Suite administrators enabled in the Admin module.

        Click graphics to open them.

        Information on enabling MFA and specific MFA methods is available in the Admin module online help, in Configure multiple-factor authentication.

        Note: If your ESO Suite administrators have disabled MFA ("opted-out"), this dialog does not appear.

     3. (If the Multi-factor authentication dialog box appears) Depending on which buttons appear in the dialog box, verify your login in one of the following ways.

        With an authenticator application.

        1. Click MFA verification via authenticator app.

           The dialog box updates with boxes for entering the numbers of the authentication code, and the ESO Suite sends an authentication code to the authenticator application installed on your device.

           

        2. Open your authenticator application and note the authentication code currently displayed.

        3. Enter the authentication code displayed in the authenticator application.

        4. Click Log In.

        With a text message (SMS short message service).

        1. Click MFA verification via SMS.

           The dialog box updates with boxes for entering the numbers of the authentication code, and the ESO Suite sends an authentication code to the phone number recorded in your PM records and identified with MFA codes.

           

        2. Enter the authentication code sent to your MFA-registered phone number.

        3. Click Log In.

        With an email message.

        1. Click MFA verification via email.

           The dialog box updates with boxes for entering the numbers of the authentication code, and the ESO Suite sends an authentication code to your agency or department email address, recorded in your PM records.

           

        2. Enter the authentication code sent to your agency or department email address.

        3. Click Log In.

   The ESO Suite landing screen appears.

   Click graphics to open them.

   Note: You can access and manage your MFA options through the PM module, on the Settings > Account page, as described in Manage a user account. If your agency or department has enabled MFA but has not purchased the full-featured version of the PM module, you can access your own MFA settings by clicking Change my Multi-Factor Authentication settings on the landing screen, then using the Settings > Account page that appears. If your agency has not enabled MFA, the Change my Multi-Factor Authentication settings link does not appear on the landing screen.

2. On the top side of the home screen, click Admin.

   Tip: If your screen or browser window is too narrow to display all your agency's ESO Suite module icons, an options icon appears on the right side of the icon bar. If you click the options icon, a menu appears containing additional module icons.

   The Admin screen appears, displaying the Welcome screen.

   

3. In the left pane, expand Security, then click MFA Configuration.

   The MFA Configuration screen appears.

   

4. (If MFA is not yet enabled) Enable MFA for your agency or department.

   1. For Multi-Factor Authentication, drag the slider button to the right until On appears, to require MFA multi-factor authentication logins for accessing the ESO Suite.

      A confirmation dialog box appears.

      

   2. Click Activate MFA.

      MFA is now enabled for your agency or department.

   Note: To disable MFA, you must contact ESO Suite support and request assistance.

5. Under Approved MFA Methods, for Authenticator App, SMS, and Email, drag the slider button to the left or right (until On or Off appears) to indicate whether or not your agency requires one or more of these methods as a way to send MFA codes.

   Note: Verify that your ESO Suite users have access to any MFA-code delivery system (email and/or SMS) you enable. You must enable at least one method of MFA. If you enable more than one MFA delivery method, users can choose which method they prefer to receive codes. The authenticator application method uses a TOTP Time-based One-Time Password , not a push notification like email or SMS. Personnel using this method must access their device running their authenticator application and look up the pass code. By default, the ESO Suite requires MFA-protected logins to re-authenticate every seven days, on the same device. If the user logs in on a different device within seven days, they must re-authenticate because of the change of device.

6. For the following fields, click the list icon to the right of the field, select all the appropriate options from the menu that appears, then click OK or click outside the menu, to exempt the following from using MFA when accessing the ESO Suite.

   Warning: Only use MFA exemption when MFA is not possible.

   Field	Exempts MFA for
   Exempt User Roles	Any user logins that include the selected roles. Note: If a login has multiple security roles assigned to it, being a member of even one exempt security role exempts the user from using MFA.
   Exempt Individual Users	The specific individuals selected, regardless of the roles assigned to their user login.