Multi-factor authentication (MFA) is available directly in Slate. While we continue to recommend that multi-factor authentication (often referred to as two-factor authentication, or 2FA) be implemented at your campus single sign-on system, this security tool will assist institutions that have not yet implemented MFA for their campus single sign-on systems and can also be a benefit for those that desire an additional layer of security on top of their existing institutional security stack.
MFA can be enabled for individual users from the Security Dashboard, or updated in batch via a Users-based query.
A mobile phone number capable of receiving text messages is required to enable multi-factor authentication. Once MFA is enabled, a user who attempts to log in from an unrecognized device will receive a text message containing a one-time use security code. This code will expire within 5 minutes and must be entered into Slate for the login to proceed. Once a user has logged in successfully using MFA, Slate will remember that device going forward.
Slate features MFA as an option to be enabled and used when users log in. However, something like Duo Mobile is not specifically an option you can use natively in Slate. However, Slate uses your SSO for authentication and will adopt whatever additional security measures you put in place for logins. So, you would handle integration with Duo on your institution's end, and users accessing Slate would then be able to avail of it with no additional steps required on the Slate side.
If institutional multi-factor authentication is not available on your campus, use Slate MFA as an additional layer of security.
From the Security Dashboard in Slate, you can modify any user to:
- provide a mobile phone number and
- enable MFA for that user.
Any user with MFA enabled who attempts to log in from an unrecognized device will receive a text message containing a one-time-use security code. This code will expire within 5 minutes and must be entered into Slate for the login to proceed.
Why might MFA be triggered again despite using a recognized device?
After a user triggers Slate's MFA while trying to login, Slate sets a cookie so it remembers the browser, not the device. If users switch to a different browser, an incognito window, a different device, or their browser is set to not store any cookies, they will be prompted by MFA again. Typically, subsequent logins using the same browser would not require MFA unless a user cleared their browser's cache.
MFA can be enabled for multiple users in batch via a Users-based query.
1. Click Queries / Reports in the top navigation bar.
2. Click Quick Query.
3. Select the Slate Template Library - Users base. Then click 'Build Query'.
4. Select at least one export and add any filters if enabling MFA for a subset of users.
5. Click Run Query.
6. Change the output type to Batch Management - Security.
7. Select the security update type as Set User Multi-Factor Authentication. Select the MFA status as Enable MFA (requires mobile phone number).
8. Click Submit.
Users are able to click on the "Your Profile" link at the top-right of the Slate homepage. From here, users can individually supply their mobile phone numbers, opt-in to MFA, or provide an alternate mobile number for MFA.
To test MFA, open up an incognito window so that your browser appears as an unrecognized device and attempt to log in. This should trigger the MFA and send the text. You can then try logging out, keeping your incognito window open, and then logging back in again, and you shouldn't be prompted for the MFA since it is now a recognized device.