Multi-Factor Authentication (MFA)

NirmIQ supports Time-based One-Time Password (TOTP) multi-factor authentication for enhanced account security.

Overview

MFA adds an additional layer of security by requiring:

  1. Something you know (your password)
  2. Something you have (your authenticator app)

This protects accounts even if passwords are compromised.

Supported Authenticator Apps

NirmIQ MFA works with any TOTP-compatible authenticator:

  • Google Authenticator (iOS, Android)
  • Microsoft Authenticator (iOS, Android)
  • Authy (iOS, Android, Desktop)
  • 1Password (with TOTP support)
  • Bitwarden (with TOTP support)
  • Hardware tokens (YubiKey with TOTP)

Setting Up MFA

Step 1: Access Security Settings

  1. Click your profile avatar in the top right
  2. Select Profile Settings
  3. Go to the Security tab
  4. Find Multi-Factor Authentication

Step 2: Begin Setup

  1. Click Enable MFA
  2. You'll see a QR code and secret key

Step 3: Add to Authenticator App

Using QR Code (recommended):

  1. Open your authenticator app
  2. Tap Add Account or +
  3. Select Scan QR Code
  4. Point your camera at the QR code
  5. The account "NirmIQ" will appear

Using Manual Entry:

  1. Open your authenticator app
  2. Tap Add Account or +
  3. Select Enter Key Manually
  4. Enter:
    • Account name: Your email
    • Key: The displayed secret key
    • Type: Time-based

Step 4: Verify Setup

  1. Enter the 6-digit code from your authenticator app
  2. Click Verify
  3. MFA is now enabled

Step 5: Save Backup Codes

Important: Save your backup codes securely!

  1. You'll receive 10 backup codes
  2. Each code can only be used once
  3. Store them in a secure location (password manager, safe)
  4. These are your recovery method if you lose your device

Using MFA

During Login

  1. Enter your email and password
  2. When prompted, enter the 6-digit code from your authenticator
  3. Click Verify

For Sensitive Actions

MFA may be required for:

  • Digital signatures
  • Changing security settings
  • Administrative actions

Enter your current code when prompted.

Backup Codes

When to Use

Use a backup code if you:

  • Lost access to your authenticator device
  • Uninstalled the authenticator app
  • Changed phones without transferring

How to Use

  1. At the MFA prompt, click Use Backup Code
  2. Enter one of your 10 backup codes
  3. The code is consumed (can't be reused)

Regenerating Backup Codes

If you've used several codes or suspect they're compromised:

  1. Go to Profile Settings → Security
  2. Click Regenerate Backup Codes
  3. Enter your current MFA code to confirm
  4. Save your new codes securely
  5. Old codes are invalidated
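The three properties this section describes (a set of 10 codes, each usable exactly once, the whole set invalidated on regeneration) are easy to get wrong server-side. The following is an added illustration written for this page, not NirmIQ's implementation: codes are generated with a cryptographic random source, only salted hashes are stored, a code is compared in constant time and deleted on first successful use, and regenerating rotates the salt so every older code stops matching. The code format (two groups of five characters) and the store class are assumptions made here for the example.

```python
import hashlib
import hmac
import secrets
import string
from typing import List, Set

# Constructed parameters for the example: uppercase letters and digits, 10 codes of 10 characters.
CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_COUNT = 10
CODE_LENGTH = 10


def _normalize(code: str) -> str:
    """Accept what a user is likely to type: ignore hyphens, spaces and case."""
    return code.replace("-", "").replace(" ", "").upper()


def _hash_code(code: str, salt: bytes) -> bytes:
    # Only the salted hash is persisted; a leaked database must not hand out usable codes.
    return hashlib.sha256(salt + _normalize(code).encode("ascii")).digest()


class BackupCodeStore:
    """Hypothetical per-user store of unused backup-code hashes."""

    def __init__(self) -> None:
        self.salt: bytes = secrets.token_bytes(16)
        self.hashes: Set[bytes] = set()

    def generate(self) -> List[str]:
        """Issue a fresh set of codes. Rotating the salt invalidates every older code."""
        self.salt = secrets.token_bytes(16)
        codes: Set[str] = set()
        while len(codes) < CODE_COUNT:  # loop guards against the (negligible) chance of a duplicate
            raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            codes.add(f"{raw[:5]}-{raw[5:]}")
        ordered = sorted(codes)
        self.hashes = {_hash_code(c, self.salt) for c in ordered}
        return ordered  # shown to the user once; never stored in plaintext

    def remaining(self) -> int:
        """How many codes are still unused (useful for the 'used several codes' warning)."""
        return len(self.hashes)

    def consume(self, code: str) -> bool:
        """Accept a code at most once: constant-time compare, then remove it on success."""
        candidate = _hash_code(code, self.salt)
        for stored in self.hashes:
            if hmac.compare_digest(stored, candidate):
                self.hashes.discard(stored)  # single use: the same code will not match again
                return True
        return False


if __name__ == "__main__":
    store = BackupCodeStore()
    issued = store.generate()
    print("issued", len(issued), "codes; first use:", store.consume(issued[0]),
          "second use:", store.consume(issued[0]), "remaining:", store.remaining())
```

Linear scan over the stored hashes is deliberate: with ten entries it costs nothing, and it avoids leaking through lookup timing which stored code (if any) was matched.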

Disabling MFA

To disable MFA:

  1. Go to Profile Settings → Security
  2. Click Disable MFA
  3. Enter your password
  4. Enter your current MFA code (or backup code)
  5. Confirm

Note: Your organization may require MFA. If so, you cannot disable it.

Organization MFA Policies

Administrators can enforce MFA for their organization.

Requiring MFA

  1. Go to Admin → Security Settings
  2. Enable Require MFA
  3. Choose which roles require MFA:
    • All users
    • Admins only
    • Specific roles
  4. Set grace period (days before enforcement)
  5. Save

Grace Period

New users have a grace period to set up MFA:

  • Default: 7 days
  • After grace period: Must enable MFA to continue

Monitoring Compliance

View MFA status for all users:

  1. Go to Admin → User Management
  2. The MFA column shows status:
    • ✅ Enabled
    • ⏳ Grace period
    • ❌ Not enabled (past grace period)

Troubleshooting

Code Not Working

Check time sync:

  • TOTP codes are time-based
  • Ensure your phone's time is set to automatic
  • Try the code again after a few seconds

Try adjacent codes:

  • NirmIQ accepts codes from the previous and next time window
  • Wait 30 seconds and try the new code

Lost Device

  1. Use a backup code to log in
  2. Go to Profile Settings → Security
  3. Disable MFA
  4. Re-enable with your new device
  5. Save new backup codes

No Backup Codes

Contact your administrator for account recovery:

  1. Admin verifies your identity
  2. Admin can reset your MFA
  3. You'll need to set up MFA again

Best Practices

1. Use a Secure Authenticator

Choose an authenticator with:

  • Cloud backup (Authy, 1Password)
  • PIN/biometric protection
  • Multi-device sync

2. Store Backup Codes Safely

  • Use a password manager
  • Keep a printed copy in a secure location
  • Don't store them in the same place as your password

3. Register Multiple Devices

If your authenticator supports it:

  • Add NirmIQ to multiple devices
  • Ensures access if one device is lost

4. Update When Changing Phones

Before wiping your old phone:

  1. Set up authenticator on new phone
  2. Transfer NirmIQ account
  3. Verify new device works
  4. Then wipe old phone

Security Benefits

MFA protects against:

  • Password breaches: Even if your password is leaked, attackers can't access your account
  • Phishing attacks: Stolen credentials alone aren't enough
  • Credential stuffing: Reused passwords from other breaches won't work
  • Unauthorized access: Physical possession of your device is required