Multi-factor authentication

For enhanced security, you can enable multi-factor authentication (MFA), a security mechanism that combines your username and password with a second authentication factor delivered through a second device (typically your phone).

MFA works by requiring an additional 6-digit verification code, known as a one-time password (OTP). With OTPs, a new code is generated each time an authentication request is submitted. Pelcro currently supports the following multi-factor authentication mechanisms:

  • One-time passwords (OTPs) sent via SMS to your phone.

Enabling Multi-factor Authentication (MFA) for your site

First, you'll need to enable multi-factor authentication for your site and site collaborators. To do that, you'll need to have the Site Owner privilege. Learn more about collaborator permissions here.

  • Navigate to your site settings by clicking your profile menu > Settings
  • Under Security settings, click Multi-factor Authentication
  • You'll then arrive at the Multi-factor Authentication screen, from which you can control whether to enable or disable MFA for your collaborators. When enabled, collaborators will need to set up their devices to log in with multi-factor authentication.

  • Additionally, you must configure a "Grace Period" for your MFA to take effect. The value for this required field is the number of days during which your collaborators (for whom MFA was enabled) can still log in to your site without being prompted for MFA. This gives your collaborators sufficient time before they are forced to set up their MFA according to your requirements.

  • After you mark the checkbox and enter your desired grace period, click Submit for your changes to take effect.
  • When MFA has been enabled, you should see a pop-up banner message indicating the date before which you (and your relevant collaborators) will need to set up an MFA device.

Setting up Multi-factor Authentication (MFA) for your account

As a collaborator, you can set up your MFA as follows:

  • Navigate to your password settings by clicking your profile menu > Password
  • If MFA has been enabled for your account, you should see a section called "Multi-factor authentication". This section should show:
    • The current status for your MFA authentication mechanism: Active or Inactive.
      • Active: You have an active device which is currently set up to receive OTP codes.
      • Inactive: You do not have an active device set up (or your device is no longer active, in case of the device being inaccessible or lost).
    • The button to set up your MFA device.
  • Click Setup to be redirected to the MFA setup screen.
  • Please note that when relying on SMS as the OTP authentication method, Pelcro will send you an SMS with a 6-digit authentication code when prompted. SMS cannot be delivered in all countries, so you'll need to check that your country is supported before proceeding further.
  • If you do not have a phone number currently saved under your collaborator profile, you'll need to enter a phone number on which you can receive SMS OTPs. The phone number needs to be in the E.164 international standard format: [+][country code][phone number]. Otherwise, this field will automatically be populated with the phone number which is currently saved under your profile information.
  • Click "Send Authentication Code". You should then receive a message on your phone with a 6-digit OTP. Enter your 6-digit OTP and click "Verify".
  • The SMS will be received from "Pelcro" if your country supports Alphanumeric Sender IDs. The body of the SMS will reference the company name which is currently set under your account information. If there is no company name present, it will not be included in the SMS. We highly recommend populating the company name so that collaborators see it in the SMS, which increases trust.
  • If you do not receive your OTP, you can click "Resend Code" for Pelcro to attempt sending you the OTP again. Please note that you're allowed a maximum of 3 retries, after which you'll need to wait for 15 minutes before trying to resend the code again.

  • Once you've entered the OTP authentication code successfully, you'll be redirected to your Dashboard. You'll notice that the notification banner is no longer there. This confirms you have successfully set up MFA for your account.

  • On your next login, after you enter your username and password, you'll be prompted to enter your 6-digit authentication code.
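
The phone-number format, 6-digit code and resend limit described in the steps above, as an added sketch that is not Pelcro's code: it checks E.164 input, generates and compares a code, and enforces 3 resends followed by a 15-minute wait. The function and class names, the in-memory store, and the moment at which the wait starts are assumptions.

```python
import hmac
import re
import secrets
import time

# '+', a country code that cannot start with 0, then digits: 15 digits at most.
# [0-9] is deliberate: \d would also accept non-ASCII Unicode digits.
E164 = re.compile(r"\+[1-9][0-9]{1,14}")
MAX_RESENDS = 3             # page: maximum of 3 retries
COOLDOWN_SECONDS = 15 * 60  # page: then wait 15 minutes


def is_e164(number: str) -> bool:
    # fullmatch, unlike match with '$', also rejects a trailing newline
    return E164.fullmatch(number) is not None


def new_otp() -> str:
    """Fresh 6-digit code from the OS CSPRNG, leading zeros kept."""
    return f"{secrets.randbelow(10**6):06d}"


def verify_otp(expected: str, submitted: str) -> bool:
    """Compare in constant time so timing does not leak matching digits."""
    return hmac.compare_digest(expected.encode(), submitted.encode())


class ResendLimiter:
    """Per-account resend counter (in-memory dict is a hypothetical store)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._state = {}  # account -> (resends_used, locked_until)

    def try_resend(self, account: str) -> tuple[bool, float]:
        """Return (allowed, seconds_left_to_wait)."""
        now = self._clock()
        used, locked_until = self._state.get(account, (0, 0.0))
        if now < locked_until:
            return False, locked_until - now
        if used >= MAX_RESENDS:  # cooldown elapsed: start a new window
            used = 0
        used += 1
        # Assumption: the 15-minute wait starts at the third resend.
        locked_until = now + COOLDOWN_SECONDS if used == MAX_RESENDS else 0.0
        self._state[account] = (used, locked_until)
        return True, 0.0
```

The limiter takes its clock as a parameter so the 15-minute window can be exercised in tests without waiting.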

Enabling Multi-factor Authentication (MFA) for a collaborator

You can enable or disable MFA for your account, as well as other site collaborator accounts. To do that, you'll need to have site admin privileges. Learn more about collaborator permissions here.

  • Navigate to your site settings by clicking your profile menu > Settings
  • Under Account settings, click Collaborators
  • You'll see the list of the collaborators for your site, along with an "MFA Status" column which will show you whether MFA is enabled or disabled for a given collaborator.
  • Click on the three dots "···" menu in the right-most column of the desired collaborator, followed by "Edit Collaborator".
  • Click the "Enable MFA" checkbox as needed. Please make sure to enter a valid phone number for the collaborator.
  • Click "Submit" to update the collaborator.
  • When MFA has been enabled (and depending on the grace period setting), the collaborator should see the pop-up banner message indicating the date before which the collaborator will need to set up an MFA device.

Lost access to MFA device

  • If the device that a collaborator is currently using for MFA (e.g. their phone) is lost, damaged, or not working, they can recover access to their account. Pelcro collaborators must contact another administrator (or the site owner) to disable MFA for them. Once they are able to regain access, they will have to set up a new MFA device before the grace period expires.

  • The collaborator can either contact an administrator directly, or alternatively, they can click the "Unable to access device" link on the MFA verification page, which will automatically send an email to notify the support email address listed under site settings for assistance.

  • If the device that a site owner is currently using for MFA (e.g. their phone) is lost, damaged, or not working, they can recover access to their account. Site owners must contact their Pelcro account manager directly (or Pelcro support) to disable MFA for them. Once they are able to regain access, they will have to set up a new MFA device before the grace period expires.

