The Multi Factor Authentication (MFA) settings are on the Authentication page, which is a subpage of the Account page.
Multi Factor Authentication (MFA) requires entering a code received via your mobile device as well as your username and password when logging on to Catenda Hub. When an organization requires MFA, it is applied at an organization level. All projects belonging to that organization will then require MFA, which forces all users to enable MFA to access projects belonging to that organization.
Enabling MFA
Log onto Catenda Hub and go to the Account page:
Click on the Authentication tab:
Scroll down to the section for MFA:
Click on Enable MFA
Authentication app
You will need to install an authentication app that you trust on your mobile device.
We recommend Google Authenticator and Microsoft Authenticator, but you can theoretically use any application that supports setting up MFA / two-factor authentication.
App permissions
To scan the QR code with your camera, you have to give your authentication app permission to use your camera.
When you install the application, you might be asked whether to allow camera access only while using the app, to ask every time, or not to allow it.
If you selected ask every time, you will be asked for permission each time. Choosing don't allow at that point turns off the permission for the app.
Google Authenticator
Click on the plus on the bottom right and Scan a QR code.
Here you will scan the QR code that the authentication page gives you.
Alternatively you can use your camera to scan the code and type in the setup key that you see in the URL that is opened.
Microsoft Authenticator
Make sure you are in the Authenticator menu on the bottom.
Note: Make sure you are not in the Verified IDs menu. You can scan a QR code there, but it will not work.
Next click on the plus in the blue bar on the top right.
Select Other account (Google, Facebook, etc.)
If your app does not have permission to use your camera, you may or may not be asked to give permission.
If your app has access to your camera you can scan the QR code that the authentication page gives you.
If your app does not have access to your camera you will be asked to manually create an account.
Account name: The name you give to your account
Secret key: This is the key you would have gotten if you had been able to scan the QR code.
You can use your camera app to scan the code.
The URL that opens when you scan the code can look something like this:
otpauth://totp/<Catenda account email address>?secret=<Secret key>&issuer=Catenda&algorithm=SHA1&digits=6&period=30
Type the code that follows "secret=" in the opened URL into the Secret key field. Account name can be anything.
Note: If you create an account with the wrong secret key, the app will generate one-time codes anyway, but Catenda might not accept them.
Success or fail
Success
After successfully enabling MFA you will see this message.
Once enabled you will need to have your mobile device at hand every time you log onto Catenda Hub.
The MFA can be disabled again by clicking on Disable MFA.
Incorrect code
If you did not insert the right code, you will get the message incorrect code.
Note: If you have scanned the QR-Code you can try inputting the code within the given timeframe for that code while you have this menu open.
If you close this menu, you will have to remove the code that is being generated in your authenticator app and scan the QR-Code again to set up a new code pairing.
Modifying MFA
After connecting an MFA code you can safely edit the account name of the code.
You can do so in the following ways:
Google Authenticator
Long press the code
Click on the pencil on the top right to change the name.
Microsoft Authenticator
Click on the code.
Click on the gear button on the top right
Click on the pencil to change the name
Transferring MFA
Deactivating and reactivating
It is only possible to use one MFA app code pairing at a time.
If you wish to switch to a different code pairing, perhaps because your current one has been compromised, follow the steps below.
You should also use this method if you wish to change the app you use for MFA.
Disable your MFA on the authentication page
Prepare the app you want to use to re-connect your MFA
Generate a new code-pair by scanning the QR code like in the enabling section
Note: Be careful with this method as your account will temporarily be vulnerable while it is deactivated and you will not be able to access projects where MFA is required during this time.
Transferring through backup
If you wish to start using a new device without your code temporarily being disabled, you can use a different installation of the same MFA app and transfer the code from the old installation to the new installation.
Google Authenticator
Old device:
Tap on the hamburger menu top right
Tap on Export accounts
Select the accounts you wish to export
New device:
Tap on the hamburger menu top right
Tap on import accounts
Tap on scan QR code
Scan the QR code that is displayed on the old device when you went through the export process.
Microsoft Authenticator
Old device:
Tap the hamburger menu top right
Turn on backup
New device:
Install and open the Microsoft Authenticator app on your new device
Tap "Begin Recovery."
Note 1: Do not set up any accounts using Microsoft Authenticator until after you have used the Recovery tool because it will overwrite matching site accounts.
Note 2: This method requires you to back up your MFA codes, which means they are stored in your app provider's cloud service. Only use this method if you trust your app provider's backup service. If not, you are better off deactivating and reactivating.
Disabling MFA
You can disable MFA by clicking the disable button shown above, then entering your password to confirm. After disabling, you will no longer be able to access projects requiring MFA.
After disabling the code on Catenda Hub, the code will remain on the application that you connected with. This code will now be useless and can safely be deleted.
How to delete the old code:
Google Authenticator
Long press the code
Click on the trashcan on the top right.
Microsoft Authenticator
Click on the code.
Click on the gear button on the top right
Click on remove account
MFA on non-mobile devices
Authenticator apps are more secure than SMS/Email code solutions as there is no communication that can be intercepted between the two systems after the original configuration.
While it is better to use an app on a mobile device (see the note below), it is possible to get MFA codes on systems other than mobile devices.
The recommended desktop application for this is Authy.
Functionally, these types of applications use the same TOTP protocol as the app on your mobile device and should be just as secure.
Note: Desktop apps can be less secure as they might be easier to hack or get access to. This is because desktop systems are often, if not always, connected to the local network which might be infected. Mobile devices that are not always connected to the network can therefore be harder to get into.
Who can enforce MFA on projects?
Enterprise customers can request an organization option to be turned on which makes it so that all users that are part of their projects have to use MFA to enter the project.
To enable MFA on your organization's projects, contact Catenda support. When MFA is required on an organization's projects you will see this message when attempting to open the project.