Multi-Factor Authentication
Multi-factor authentication (MFA) adds a second step to signing in, so a password alone is not enough. Kanshin supports authenticator-app codes (TOTP) — the six-digit codes from an app like a phone authenticator. You manage MFA from the Authenticators page under Security.
How MFA works in Kanshin
MFA is set up per user. Once a user has MFA enabled, their sign-in requires both their password and a current code from their authenticator app. The codes are time-based and rotate every 30 seconds.
Enrolling a user
From the Authenticators page you enroll a user in MFA:
- Start enrollment for the user. Kanshin generates a secret and shows it as a QR code.
- The user scans the QR code with their authenticator app, which begins producing six-digit codes.
- The user enters a current code to verify the setup. Verifying confirms the app is working and switches MFA on for that user.
Until it is verified, MFA is set up but not yet active, so a mis-scanned code never locks anyone out.
Backup codes
When a user enrolls, Kanshin also produces a set of backup codes — one-time codes to use if the authenticator app is unavailable (a lost phone, for example). Show these to the user to store safely:
- There are ten backup codes.
- Each works once. Using one consumes it.
- They are stored securely and can be used in place of an authenticator code during sign-in.
Managing MFA
From the Authenticators page you can see each user’s MFA status — enabled, pending verification, or disabled — and disable MFA for a user who needs to re-enroll (for example after changing phones). Disabling turns the requirement off; the user can then enroll again with a fresh authenticator.
Encouraging or requiring MFA
You can make MFA part of your organization’s security policy so that it is expected for sign-in. Combined with per-user enrollment here, this lets you roll MFA out across your organization.
Related pages
- Users & People — the users you enroll in MFA
- Security Policies — making MFA part of your sign-in rules
- Single Sign-On — where the MFA prompt fits in the sign-in flow