Two Factor Authentication
It is possible to enable two-factor authentication to add further security.
This can be provided via the following:
Microsoft Authenticator
Google Authenticator
Authy
Best practice surrounding authentication of users stipulates that two-factor authentication should be used. This is particularly true in Local Government and Health, where all of our customers work.
For all services that are not customer facing, we now have the means to provide two-factor authentication. In the context of OneVu this would be:
OneVu Control (Management area)
Customer Service Vu
Forms Portal
That is, places where back office staff can access content, user information and/or case data.
Best practice built in
Part of IEG4's product strategy is to use government best practice and, within its technical strategy, to ensure we take a standards-based approach to the things we do.
To that end, when building two-factor authentication we have provided it via two mechanisms that both hold true to the strategic elements mentioned.
The two mechanisms are:
Via SMS (leveraging GOV.UK Notify)
Via an authenticator app (Microsoft, Google, Authy)
It is enabled by IEG4, and you will need to request that it be enabled via the help desk, i.e. here
Functionality provided
When this functionality is enabled, a person logs in as normal, as shown below:
The user then has the ability to choose between getting a code sent in a text message and using the authenticator app.
Note that, for each application, it is possible to limit this to just SMS, just the authenticator app, or to allow both.
Integration via SMS
Leveraging GOV.UK Notify, we are able to send text messages to users. If a user selects this option, they will be presented with the following the first time they access it. That is, their phone number needs to be captured and associated with their user account before they can enter the two-factor code.
We have purposefully made the code a combination of 6 letters and numbers for additional security.
Note
In order to use this function you need to:
a) Provide us with a Template ID in Notify
b) Add the content we provide you to this template
c) Be aware that only the first 25,000 SMS from Notify are free of charge.
Integration via an Authenticator App
We have provided support for three distinct authenticator apps.
Microsoft
Google
Authy
In practice your organisation is likely to use Microsoft as its second-factor authenticator, but we have support for all three.
So when a user chooses the Authenticator app option they will see this:
In order to connect the authenticator app to a user's account, they scan the QR Code and this creates the link. This is a one-off process: at the point of making the connection for the first time, the code they are provided with is entered in the confirmation box.
As Microsoft will be the most common client in local government and the NHS, we show below how this works. In the Microsoft Authenticator app there is an Add Account function.
The user selects 'Work or school account' and the camera is triggered to scan the QR Code.
Once connected, the user will be given a code, and it is this that is entered.
The linking via QR Code is a one-off activity.
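What the QR Code link and the confirmation code amount to on the server side, as an added example that is not IEG4's code. It assumes the authenticator app option uses the standard TOTP scheme (RFC 6238) that Microsoft Authenticator, Google Authenticator and Authy all support; the function names, account name and issuer name are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote, urlencode

PERIOD, DIGITS = 30, 6  # common authenticator-app defaults (assumed here)

def new_secret() -> str:
    """Random 160-bit shared secret, Base32-encoded for the QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the one-off enrolment QR code encodes."""
    params = {"secret": secret, "issuer": issuer, "digits": DIGITS, "period": PERIOD}
    return f"otpauth://totp/{quote(issuer + ':' + account)}?{urlencode(params, quote_via=quote)}"

def code_for_step(secret: str, step: int) -> str:
    """RFC 6238 code for one time step: HMAC-SHA1 plus RFC 4226 truncation."""
    mac = hmac.new(base64.b32decode(secret), struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret: str, code: str, now: float, last_step: int = -1, window: int = 1):
    """Return the matching time step, or None if the code is rejected.

    Accepts +/- `window` steps of clock drift and refuses any step at or
    before `last_step`, so a code that was already used cannot be replayed.
    """
    current = int(now) // PERIOD
    matched = None
    for step in range(max(0, current - window), current + window + 1):
        expected = code_for_step(secret, step).encode()
        # Constant-time comparison; keep looping so timing does not reveal the step.
        if step > last_step and hmac.compare_digest(expected, code.encode()):
            matched = step
    return matched

if __name__ == "__main__":
    import time
    secret = new_secret()  # stored against the user account at enrolment
    print(provisioning_uri(secret, "staff@example.org", "Example Council"))
    step = verify(secret, code_for_step(secret, int(time.time()) // PERIOD), time.time())
    print("confirmation code accepted at step", step)  # persist as last_step
```

The step returned by `verify` is what a server would store per user so that the same code cannot be accepted twice.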
Security is a core tenet of the design of our systems and it is why this functionality has been built for our local government and health customers.