How to Set Up Multi-Factor Authentication
This page explains how to enable multi-factor authentication (MFA) for xAssets users who log in with database credentials. MFA adds a second verification step after the password, reducing the risk of unauthorised access from compromised credentials.
Prerequisites
- You must have Administrator or Configuration user group permissions.
- This applies to database authentication only. If you use Single Sign-On (SSO), configure MFA in your identity provider (Azure AD, Okta, etc.) instead.
- For email-based MFA, all users must have a valid email address on their Custodian record.
Choose an MFA Method
xAssets supports two MFA methods. You can enable one or both:
| Method | Setting | How It Works |
|---|---|---|
| Authenticator App | AUTHENTICATIONMFA | Users scan a QR code with an authenticator app (Google Authenticator, Microsoft Authenticator, Authy, etc.) and enter a time-based code on each login. |
| Email | AUTHENTICATIONMFAEMAIL | A one-time code is sent to the user's email address. The user enters the code to complete login. |
Authenticator app MFA is more secure and works offline. Email MFA is simpler to deploy but requires users to access their email at login time.
Step 1: Enable MFA
- Navigate to Admin > Settings.
- Search for the MFA setting you want to enable:
  - AUTHENTICATIONMFA for authenticator app MFA
  - AUTHENTICATIONMFAEMAIL for email MFA
- Set the value to one of:
  - 1 -- Risk-based mode. MFA is triggered when the system detects a new browser, different IP address, or when the configured time interval has elapsed.
  - 2 -- Always mode. MFA is required on every login.
- Save the setting.
Step 2: Configure the Time Interval (Optional)
For risk-based mode (value 1), you can control how many hours pass before MFA is required again:
- Search for the setting AUTHENTICATIONMFATIME.
- Set the value in hours. The default is 720 hours (30 days).
- For higher security, use a shorter interval such as 24 (daily) or 168 (weekly).
- Save the setting.
This setting has no effect when MFA mode is set to 2 (always).
Step 3: Verify the Setup
- Log out of xAssets.
- Log in again with a database-authenticated user account.
- For authenticator app MFA, the first login after enabling will display a QR code. Scan it with your authenticator app to pair it with your xAssets account.
- For email MFA, a one-time code will be sent to the email address on the user's Custodian record.
- Enter the code to complete the login.
Common Configuration Scenarios
| Scenario | AUTHENTICATIONMFA | AUTHENTICATIONMFAEMAIL | AUTHENTICATIONMFATIME |
|---|---|---|---|
| No MFA | 0 | 0 | -- |
| Email MFA on every login | 0 | 2 | -- |
| Authenticator app, risk-based, 7-day interval | 1 | 0 | 168 |
| Both methods, always required | 2 | 2 | -- |
Important Warnings
- If you enable email MFA, ensure all users have a valid email address on their Custodian record. Users without an email address will be locked out.
- After enabling MFA, inform users before their next login so they are prepared for the additional step.
- Test with a single user account before enabling for all users.
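The lockout warning above can be checked before the setting is changed. The following is an added example, not part of xAssets or its documentation: it scans a user export and lists the database-authenticated accounts that would have no usable address for an email code. The CSV layout and the column names username, auth_type and custodian_email are assumptions, as is the constructed sample data.

```python
import csv
import io
import re

# Syntactic check only: it cannot prove the mailbox exists or is reachable.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample export; the column names are assumptions, not the xAssets schema.
SAMPLE_EXPORT = """username,auth_type,custodian_email
alice,database,alice@example.com
bob,database,
carol,sso,
dave,database,dave@example
"""


def lockout_risks(export_csv, mfa_email_mode):
    """Return database-auth users who could not receive an email MFA code.

    mfa_email_mode is the intended AUTHENTICATIONMFAEMAIL value:
    0 = off, 1 = risk-based, 2 = always.
    """
    if mfa_email_mode not in (0, 1, 2):
        raise ValueError("AUTHENTICATIONMFAEMAIL must be 0, 1 or 2")
    if mfa_email_mode == 0:
        return []  # email MFA disabled, nobody depends on a Custodian email
    at_risk = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        # SSO users get MFA from the identity provider, so they are skipped.
        if (row.get("auth_type") or "").strip().lower() != "database":
            continue
        email = (row.get("custodian_email") or "").strip()
        if not EMAIL_RE.match(email):
            at_risk.append(row["username"])
    return at_risk


if __name__ == "__main__":
    for user in lockout_risks(SAMPLE_EXPORT, mfa_email_mode=2):
        print(f"fix Custodian email before enabling email MFA: {user}")
```

An empty result means every database-authenticated account in the export has a syntactically valid address; it does not confirm that the mailbox is reachable.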
Related Articles
- Multi-factor Authentication — full reference for MFA settings
- Users — managing user accounts and linking Custodian records
- Settings — where MFA settings are configured