
Validated Instance - MFA Digital Signature

Introduction

This document is a guide to how users set up MFA within Flywheel, which is required to lock and unlock projects.

Note

This feature is available with Flywheel Validated Instance versions 19.1.0 and later.

Features

Multi-Factor Authentication (MFA) is the additional user identity verification that the Flywheel service uses for regulatory-compliant (21 CFR Part 11) digital signatures. MFA uses your phone or TOTP device as the "something you have" identity verification factor. Supported capabilities include:

  1. Users activating and deactivating MFA methods on their user account.

  2. Using an activated method to lock and unlock a project.

  3. Masking a user’s phone number to protect their privacy.

Permissions

All users have access to manage the MFA configuration for their user account.

Problems and Resolutions

Verification of MFA Method is required

MFA is a user identity verification and system security feature, and as such has limitations by design.

  1. A new MFA method must be successfully validated to be activated.

  2. To modify or remove an MFA method, the user must first successfully verify their existing MFA method. If the user is unable to do so (phone number changed, replaced TOTP device, etc.), they must request an MFA reset by contacting Flywheel Support from the email account they use for Flywheel login.

  3. No other users, including Site Admin, have access to view or modify a user’s configured MFA method.

Receiving the same MFA passcode

MFA verification passcodes received via Text Message and Phone call are valid for a single use, and expire after 15 minutes. Receiving the same unused passcode within 15 minutes with those MFA methods is normal.
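The passcode lifecycle described above, as an added Python model that is not Flywheel's implementation: an unused passcode is re-sent unchanged within its 15-minute window, and is rejected once used or expired. The names PasscodeIssuer and FakeClock, and the choice not to extend the expiry on a re-send, are assumptions made for illustration.

```python
import hmac
import secrets
import time

TTL_SECONDS = 15 * 60  # passcodes expire after 15 minutes (from the page)


class PasscodeIssuer:
    """Illustrative model only (hypothetical); not Flywheel's implementation."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # user -> (passcode, expires_at)

    def issue(self, user):
        """Return the passcode to send; reuse an unused, unexpired one."""
        now = self._clock()
        entry = self._pending.get(user)
        if entry and now < entry[1]:
            # Same code is re-sent; assumption: the expiry is not extended.
            return entry[0]
        code = f"{secrets.randbelow(10**6):06d}"  # 6-digit passcode
        self._pending[user] = (code, now + TTL_SECONDS)
        return code

    def verify(self, user, submitted):
        """Accept a passcode at most once, and only before it expires."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at = entry
        if self._clock() >= expires_at:
            del self._pending[user]  # expired: drop it so a new one is issued
            return False
        # Constant-time comparison of the stored and submitted passcodes.
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            return False
        del self._pending[user]  # single use: consumed on success
        return True


class FakeClock:
    """Constructed test clock so the example runs without waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now
```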

Instruction Steps

MFA management is done in the user’s profile page.

navigate_to_user_profile.png

Add a New MFA Method

  1. Click the “Activate” button and select a Method (Text Message, Voice Call, TOTP)

    mfa_method_selection.png

  2. If Text Message or Voice Call:

    1. Enter your phone number and click next

      mfa_phone_number.png

    2. Enter the MFA passcode you receive on that phone number, and click verify

      mfa_phone_verification.png

  3. If TOTP:

    1. Click next, scan the QR code with your TOTP application, and click next

      mfa_totp_qr_code.png

    2. Enter the MFA passcode from your TOTP application, and click verify

      mfa_totp_verification.png

  4. Confirm that your MFA status on the Profile page is updated to reflect MFA is Activated, and that the MFA method is the one you added.

    user_profile_mfa_activated_text_method.png

Modify an MFA Method

  1. Click the Edit button and enter the MFA passcode you receive from your currently configured MFA method, and click verify

    mfa_phone_verification.png

  2. Follow the steps above to select and verify the new MFA method.

Delete (Deactivate) an MFA Method

  1. Click the Deactivate button and confirm you wish to deactivate

    mfa_deactivate_confirmation.png

  2. Enter the MFA passcode you receive from your currently configured MFA method, and click verify

    mfa_phone_verification.png

  3. Confirm that your MFA status on the Profile page is updated to reflect MFA is Deactivated, and that no MFA method is listed.

FAQ

What are all the MFA Methods and how should I choose one?

First and foremost, follow the guidance of your institution’s policies governing identity management and security.

Here are the available MFA methods:

  • Text Message: You will receive a text message with a 6-digit passcode at the number of the device provided. Using this method requires that you are able to receive a text message, and that you are not using a virtual phone number.

  • Phone Call: You will receive an automated voice call with a 6-digit passcode at the number of the device provided. Using this method requires that you are able to receive a voice call, and that you are not using a virtual phone number.

  • Time-Based One-Time Passcode (TOTP): Your TOTP application provides a valid one-time passcode, which is time-based and updates every 30 seconds.


Resources

  1. Project Locking
  2. Validated Instance Overview