Validated Instance - MFA Digital Signature
Introduction
This document describes how users set up MFA within Flywheel. An activated MFA method is required to lock and unlock projects.
Note
This feature is available with Flywheel Validated Instance versions 19.1.0 and later.
Features
Multi Factor Authentication (MFA) is the additional user identity verification the Flywheel service uses for digital signatures that comply with 21 CFR Part 11. MFA uses your phone or TOTP device as the "something you have" identity verification factor. Supported capabilities include:
- Users activating and deactivating MFA methods on their user account.
- Using an activated method to lock and unlock a project.
- Masking a user’s phone number to protect their privacy.
Permissions
All users have access to manage the MFA configuration for their user account.
Problems and Resolutions
Verification of MFA Method is required
MFA is a user identity verification and system security feature, and as such has limitations by design.
- A new MFA method must be successfully verified before it is activated.
- To modify or remove an MFA method, the user must first successfully verify their existing MFA method. If the user is unable to do so (phone number changed, replaced TOTP device, etc.), they must request an MFA reset by contacting Flywheel Support from the email account used for their Flywheel login.
- No other user, including a Site Admin, can view or modify a user’s configured MFA method.
Receiving the same MFA passcode
MFA verification passcodes sent by Text Message or Phone Call are valid for a single use and expire 15 minutes after they are issued. If you request another passcode while an unused one is still within that 15-minute window, receiving the same passcode again is normal for these methods.
Instruction Steps
MFA management is done in the user’s profile page.
Add a New MFA Method
- Click the “Activate” button and select a Method (Text Message, Voice Call, TOTP).
- If Text Message or Voice Call:
  - Enter your phone number and click Next.
  - Enter the MFA passcode you receive on that phone number, and click Verify.
- If TOTP:
  - Click Next, scan the QR code with your TOTP application, and click Next.
  - Enter the MFA passcode shown in your TOTP application, and click Verify.
- Confirm that your MFA status on the Profile page is updated to reflect MFA is Activated, and that the MFA method listed is the one you added.
Modify an MFA Method
- Click the Edit button, enter the MFA passcode sent to or generated by your currently configured MFA method, and click Verify.
- Follow the steps above to select and verify the new MFA method.
Delete (Deactivate) an MFA Method
- Click the Deactivate button and confirm that you wish to deactivate.
- Enter the MFA passcode sent to or generated by your currently configured MFA method, and click Verify.
- Confirm that your MFA status on the Profile page is updated to reflect MFA is Deactivated, and that no MFA method is listed.
FAQ
What are all the MFA Methods and how should I choose one?
First and foremost, follow the guidance of your institution’s policies governing identity management and security.
The available MFA methods are:
- Text Message: You will receive a text message with a 6-digit passcode at the phone number you provided. Using this method requires that you can receive text messages at that number and that it is not a virtual phone number.
- Phone Call: You will receive an automated voice call with a 6-digit passcode at the phone number you provided. Using this method requires that you can receive voice calls at that number and that it is not a virtual phone number.
- Time-Based One Time Passcode (TOTP): Your TOTP application generates a one-time passcode that changes every 30 seconds. Nothing is sent to your phone; the application computes each passcode from the secret it stored when you scanned the enrollment QR code, so it does not depend on the phone network delivering a message.
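The following Python script is an added example, not Flywheel’s code, that shows what the TOTP method above actually does: it decodes a constructed otpauth:// enrollment URI of the kind a TOTP QR code encodes, generates the 6-digit, 30-second passcodes defined by RFC 6238 (HMAC-SHA1 over the current time step), and verifies a submitted passcode the way a server side would, tolerating one step of clock drift and refusing a passcode whose time step has already been used. The secret is the RFC 6238 test key and the label and issuer are made up; they are not a real Flywheel enrollment, and the verifier is a generic RFC 6238 check, not a description of Flywheel’s implementation.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Decode an otpauth://totp/ URI, the text a TOTP enrollment QR code carries.

    Returns the raw key plus the digits/period/algorithm parameters, using the
    RFC 6238 defaults (6 digits, 30 s, SHA-1) when the URI omits them.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = params["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # QR codes usually drop base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "key": base64.b32decode(secret),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def hotp(key, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at, digits=6, period=30, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP whose counter is the number of `period`-second steps since the epoch."""
    return hotp(key, int(at) // period, digits, algorithm)


class TotpVerifier:
    """Server-side check of a submitted TOTP passcode.

    `window` is how many time steps of clock drift are tolerated on either
    side of the current one. Each time step is accepted at most once, so a
    passcode that already succeeded is rejected even while it is still
    within its 30-second validity.
    """

    def __init__(self, key, digits=6, period=30, algorithm="sha1", window=1):
        self.key, self.digits, self.period = key, digits, period
        self.algorithm, self.window = algorithm, window
        self.last_step = -1  # highest time step already consumed

    def verify(self, code, at=None):
        at = time.time() if at is None else at
        code = code.strip().replace(" ", "")
        step = int(at) // self.period
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_step:
                continue  # that step (or an older one) was already used: replay
            expected = hotp(self.key, candidate, self.digits, self.algorithm)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = candidate
                return True
        return False


# Constructed enrollment URI: the RFC 6238 test key (ASCII "12345678901234567890"
# in base32) with a made-up label and issuer; not a real Flywheel enrollment.
SAMPLE_URI = (
    "otpauth://totp/Flywheel:alice%40example.org"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Flywheel&digits=6&period=30"
)

if __name__ == "__main__":
    enrollment = parse_otpauth(SAMPLE_URI)
    print("enrolled:", enrollment["label"])
    print("current passcode:", totp(enrollment["key"], time.time()))
    verifier = TotpVerifier(enrollment["key"])
    print("RFC 6238 vector T=59 ->", totp(enrollment["key"], 59))   # 287082
    print("first use accepted:", verifier.verify("287082", at=59))  # True
    print("replay rejected:   ", verifier.verify("287082", at=59))  # False
```

Because the passcode is derived only from the shared secret and the clock, anyone who can read the QR code (or the secret stored in the authenticator app) can generate valid passcodes, which is why the enrollment QR code should be treated as a credential and why Flywheel requires verifying the existing method before it can be replaced.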