Enabling multi-factor authentication (MFA)
What is MFA?
Multi-factor authentication (MFA), also known as two-factor authentication (2FA), is a security measure that enhances the protection of your business account.
When MFA is enabled, users are required to provide an additional verification code from an authentication app in addition to their password.
How MFA works in SmartAccounts
- To enable MFA, users must first complete a strong authentication process on the Setting – My user data page.
- This can be done using an ID card, Mobile-ID, or Smart-ID.
- Next, the user must open an authentication app (such as Authenticator) on their phone and scan the provided QR code.
- A code generated by the app must then be entered into SmartAccounts.
- If the device is remembered, the authentication code will not be requested for the next 30 days (provided the login is from the same browser and device).
- If the device is not remembered, the authentication code will be required for each login attempt.
Now, let’s go through the process in detail.
Enabling multi-factor Authentication (MFA)
User authentication
- Navigate to Settings > My user data.
- Activate MFA.
- Authenticate your account using an ID card, Mobile-ID, or Smart-ID.
- Upon successful authentication, your personal identification code will be saved and can be used later for deactivating MFA or recovering your account.
Enabling MFA
- Open an authentication app (such as Authenticator) on your phone.
- Scan the QR code displayed on the screen.
- Enter the generated authentication code into SmartAccounts.
- Choose whether you want the device to be remembered or not.
- Confirm the setup.
Deactivating MFA
- Navigate to Settings > My user data.
- Click the pencil icon next to MFA.
- In the pop-up window, click Disable MFA.
- Authenticate your account using an ID card, Mobile-ID, or Smart-ID.
- Deactivation will be successful if the entered personal identification code matches the one used during MFA activation.
Devices
Remembering a device
A device can be remembered either during MFA activation or on the login screen when entering the authentication code. The device is remembered on a per-device and per-browser basis. This means that if a user logs in from the same computer but using a different browser, the authentication code will still be required.
Devices are remembered for 30 days, meaning that within this period, the authentication app’s code will not be requested during login. Once the 30-day period expires, the authentication code will be required again, and the device can be re-remembered.
Managing devices
Devices can be viewed and managed under Settings > My user data > MFA by clicking the pencil icon.
Each remembered device displays its memory timestamp and operating system.
If multiple devices are listed, the currently active device is marked with a green dot.
Removing a device
A device can be removed from the list by clicking the trash bin icon next to its name. Removal takes effect immediately, meaning that the authentication code will be required upon the next login.
Logging in
When a device is remembered
If MFA is enabled and the device has been remembered, logging in proceeds as usual. Within 30 days after MFA activation, the authentication app’s code will not be requested.
When a device is not remembered
If MFA is enabled but the device is not remembered, an authentication code will be requested during login. The option to remember the device will also be available on the same screen.
MFA and logging in with social media accounts
MFA only applies to password-based logins. If logging in using a Google or Facebook account, MFA will not be checked.
Where else is MFA used?
If MFA is enabled, the authentication app’s code will be required in addition to login for the following actions:
- Changing the username.
- Changing the password.
- Connecting a social media account (Note: If MFA is not enabled, a password will be required when connecting social media accounts).
- Deleting a company account.
- Requesting a new password via the Forgot Password link.
MFA