How do I Enable and Configure Two-Factor Authentication or Multi-Factor Authentication on my KCM GRC Account?
Enabling multi-factor authentication (MFA) or two-factor authentication (2FA) on your account will require an additional identity verification step at the time you log in. Once MFA is enabled and configured for an account, our system will require the use of an authentication code generated by an authenticator application each time you log in to your account.
If you're an Administrator on your KnowBe4 KCM Governance, Risk and Compliance (GRC) account, or if your account holds sensitive information, it is recommended that you set up MFA for additional security.
Want users to self-enable MFA on their accounts? Click here to jump to those instructions.
If you are using single sign-on (SSO) to log into your account, this feature is not applicable; your SSO application will authenticate instead. For more information about single sign-on, please see this article.
Jump to:
Mandate MFA for All Users in KCM GRC
Mandate MFA for Individual User Accounts
Configure Authenticator Applications for KCM GRC
Set up MFA on Your Own Account
Disable MFA
Troubleshooting
Mandate MFA for All Users in KCM GRC
Note:
If you are adding Vendor User or Auditor user roles to your account, and you do not want to enforce MFA for these users, we recommend enabling MFA on individual user accounts, instead. To learn more, see the Mandate MFA for Individual User Accounts section below.
Tip:
Selecting Mandatory for Secure MFA Login will require all users to set up MFA the next time they log into their account. Be sure that you and your users have downloaded an authenticator application prior to making this account-wide change.
If you're an account admin, follow these steps to mandate MFA for all users in your account:
- Ensure you have downloaded an Authenticator application on your smartphone. Possible apps include Google Authenticator, Authy, and LastPass, among others.
- Click Settings at the top-right of the page, then click Account Settings.
- From the View Account page, select the Account Settings tab, as shown below.
- Scroll to the bottom of the page. On the left-hand side, you'll find the Secure MFA Login drop-down menu (shown below). Select Mandatory to require all of your users to use an authenticator application when logging in to their accounts.
- Be sure to click the Save button to save the changes made to your account.
Note:
If you change the Secure MFA Login setting back to Optional, all users who have configured MFA will need to reset their MFA in order to turn this feature off. For details, see the Disable MFA section below.
Once you've changed this account-wide setting to Mandatory, you'll have to configure MFA for your own account the next time you log in. See the Configure Authenticator Applications for KCM GRC section below for details.
Mandate MFA for Individual User Accounts
As an alternative to requiring MFA for all user accounts, you can mandate MFA for specific user accounts. Once an account administrator has made MFA "required" for a user account, the administrator will also have to reset or disable this feature.
If you're an account admin, follow these steps to mandate MFA for individual user accounts:
- Once you've logged into your account, click Settings at the top-right of the page, then click Manage Users.
- From the Manage Users page, find the user for which you'd like to mandate MFA. Click the update user icon on the right-hand side (shown below) to update the user's account information.
- From the User Management page, ensure the Settings tab is active, then click the Require MFA toggle. Click the Save button to save this change.
Once you've updated this user setting, the user will be prompted to configure their Authenticator Application upon their next login.
Note:
Each User Management page has an MFA Secure Login indicator (shown below). The indicator will display Disabled until the user configures their authenticator application for their KCM GRC account.
See the next section for details on configuring authenticator applications for KCM GRC.
Configure Authenticator Applications for KCM GRC
If your account admin has mandated MFA for your account, you will be prompted to configure your authenticator application the next time you log in. Follow the steps below:
- If you haven't already, download an authenticator application on your smartphone. Possible apps include Google Authenticator, Authy, and LastPass, among others.
- Using the authenticator application on your smartphone, capture the QR barcode shown in your KCM GRC account (pictured below). If this method is not successful, you can manually enter the Secret Token shown on this page.
- Once your authenticator application has recognized this QR code (or Secret Token), it will add "KB4 Compliance" to your application and begin to render authentication codes. Enter the first code in the Verify Code 1 field in your KCM GRC account. The console will automatically verify the accuracy of the code you provide.
- Wait until your application renders another code, then input this value into the Verify Code 2 field.
- Once both codes have been verified, the Enable Secure MFA Login button will be active. Click this button to complete the setup.
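The following added example (not KnowBe4's code) shows how a two-code enrollment check like the one in the steps above can work, and why the second code must come from a later time step than the first. It assumes the authenticator produces standard RFC 6238 TOTP codes (HMAC-SHA1, 30-second steps, 6 digits); the function names are hypothetical and the secret is the constructed RFC 6238 test key, not a real Secret Token.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (RFC 6238 default; assumed for this example)
DIGITS = 6   # code length (assumed for this example)

# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time):
    """Return the TOTP code for the time step that contains unix_time."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                 # manually typed tokens often lack padding
    key = base64.b32decode(s)
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F               # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def matching_step(secret_b32, code, now, drift=1):
    """Return the time-step counter the code belongs to, or None if no match.

    drift allows one step of clock skew either side of the server's clock.
    """
    current = now // STEP
    for step in range(current - drift, current + drift + 1):
        if hmac.compare_digest(totp(secret_b32, step * STEP), code):
            return step
    return None

def verify_enrollment(secret_b32, code1, t1, code2, t2):
    """Accept enrollment only if both codes are valid and code2 is from a later step.

    Requiring a later step proves the device keeps generating codes from the
    shared secret, and rejects the first code simply being typed twice.
    """
    s1 = matching_step(secret_b32, code1, t1)
    s2 = matching_step(secret_b32, code2, t2)
    return s1 is not None and s2 is not None and s2 > s1
```

A code that fails here even though it was typed correctly usually points to clock drift on the phone, which is why the check tolerates one step either side.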
Set Up MFA on Your Own Account
If you'd like to enable MFA for your own account, follow the steps below:
- Ensure you've downloaded an authenticator application on your smartphone. Possible apps include Google Authenticator, Authy, and LastPass, among others.
- Log into your account and click your name at the top-right of the screen, then click Profile.
- From the User Profile screen, click the Set Up MFA button (see below).
- You will be directed to the Enable MFA screen, shown below. Follow steps one through four from the previous section to configure your authenticator application for your KCM GRC account.
Disable MFA
If you've enabled MFA for your own account or if your KCM administrator has enabled MFA for you, and you need to reset or turn off this feature, follow the steps below:
- Log into your account and click your name at the top-right of the screen, then click Profile.
- From the User Profile screen, click the Reset MFA button (shown below).
- Then, once you're prompted, click the Reset MFA button.
If you're an account administrator and you need to disable MFA for individual user accounts, follow the steps below:
- Navigate to the user profile for which you need to disable MFA. For instructions, see steps one and two from the Mandate MFA for Individual User Accounts section, above.
- Click the Require MFA toggle to turn the feature off.
- Click the Save button.
- Then, click the Reset MFA button to fully disable this user's multi-factor authentication.
Troubleshooting
If you're an admin and one of your users is unable to log into their account due to issues with multi-factor authentication, follow the steps below to reset the user's MFA.
- Once you've logged into your account, click Settings at the top-right of the page, then click Manage Users.
- From the Manage Users page, find the user who needs their MFA reset. Click the pencil icon on the right-hand side.
- Click the Reset MFA button on the left-hand side of the User Management page, as shown below.
- When prompted with Are you sure you want to reset MFA? click the Reset MFA button.
- Click OK.
The user will now be able to reconfigure their authenticator application for KCM GRC. For instructions, see the Configure Authenticator Applications for KCM GRC section, above.