Enabling Multi-Factor Authentication

Laserfiche Directory Server administrators can turn on multi-factor authentication (MFA) for select or all Laserfiche users.

Your Laserfiche Directory Server site must be licensed for multi-factor authentication (MFA) to turn on MFA for Laserfiche users. If your Laserfiche Directory Server site is not licensed for multi-factor authentication, you cannot use MFA for Laserfiche users. You may still configure MFA for SAML and Active Directory users through your identity provider.

Choose from the options below and follow the instructions to turn on MFA:

  • To turn on MFA for an individual Laserfiche user:
    1. Navigate to the Accounts tab. Click on the Laserfiche user and set the MFA Status to Required.
  • To turn on MFA for all Laserfiche users or select Laserfiche users:
    1. Navigate to the Settings tab. Under the General tab, scroll down to the Multi-factor authentication section. By default, both options below are set to No.
      1. Multi-factor authentication always required for Laserfiche users: If this option is toggled Yes, all Laserfiche users will be required to use MFA. This is a database-wide setting that cannot be overridden for individual Laserfiche users, regardless of the Laserfiche user's MFA Status.
      2. Multi-factor authentication inherited behavior is enabled for Laserfiche users: If this option is toggled Yes, Laserfiche users whose MFA Status is set to Inherited will be required to use MFA.
  • To turn on MFA when batch importing Laserfiche users:
    1. Navigate to Batch Import of Laserfiche User Accounts with a Comma Separated Values (CSV) File.

Note: When an administrator turns on multi-factor authentication, Laserfiche users must configure MFA before they are able to use MFA to sign in. To learn more about how Laserfiche users can configure MFA, see Laserfiche Users Configure Multi-Factor Authentication.

MFA Status Descriptions

MFA Status: Inherited
Description: Affected by the value of the MFA inherited behavior is enabled for Laserfiche users option found in the Settings tab, under the General tab.
  • If MFA inherited behavior is enabled for Laserfiche users is toggled Yes, then all Laserfiche users whose MFA Status is set to Inherited will be required to use multi-factor authentication to sign in.
  • If MFA inherited behavior is enabled for Laserfiche users is toggled No, then Laserfiche users will not be required to use multi-factor authentication to sign in even if their MFA Status is set to Inherited.

MFA Status: Required
Description: This Laserfiche user must use multi-factor authentication to sign in. This does not depend on the MFA options in the Settings tab.

MFA Status: Not Required
Description:
  • This Laserfiche user is not required to use multi-factor authentication to sign in. If the MFA always required for Laserfiche users option is set to Yes, then this MFA Status is bypassed and the user is required to use MFA.
  • Note: If MFA Status is changed from Required or Inherited to Not Required for a user, MFA secrets will be cleared automatically.
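
How the per-user MFA Status combines with the two Settings-tab options, as an added example that is not Laserfiche code: it lists which accounts in an export are not forced to use MFA under a given configuration. The CSV column names and sample rows are constructed for illustration.

```python
import csv
import io
from enum import Enum


class MfaStatus(Enum):
    INHERITED = "Inherited"
    REQUIRED = "Required"
    NOT_REQUIRED = "Not Required"


def mfa_enforced(status, always_required, inherited_enabled):
    """True if the user must use MFA to sign in, per the rules described above."""
    if always_required:
        # Database-wide setting: cannot be overridden by any per-user status.
        return True
    if status is MfaStatus.REQUIRED:
        # Does not depend on the Settings-tab options.
        return True
    if status is MfaStatus.INHERITED:
        # Follows the "inherited behavior is enabled" option.
        return inherited_enabled
    return False  # Not Required, and the global override is off


# Constructed sample export; "username" and "mfa_status" are hypothetical columns.
SAMPLE_EXPORT = """username,mfa_status
alice,Required
bob,Inherited
carol,Not Required
dave,Inherited
"""


def users_without_mfa(csv_text, always_required=False, inherited_enabled=False):
    """Return usernames that can still sign in without MFA."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        row["username"]
        for row in rows
        if not mfa_enforced(MfaStatus(row["mfa_status"]),
                            always_required, inherited_enabled)
    ]


if __name__ == "__main__":
    # Both options default to No, so Inherited users are not covered by default.
    for always, inherited in [(False, False), (False, True), (True, False)]:
        print(always, inherited, users_without_mfa(SAMPLE_EXPORT, always, inherited))
```

With both options left at their default of No, every account whose status is Inherited signs in without MFA, which is the case an audit should look for first.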

Clear MFA Secret

The link Clear MFA Secret appears after the user has completed configuration.

Clicking Clear MFA Secret will reset the MFA secret for the selected Laserfiche user. This means that the user will be required to reconfigure MFA before signing in if their MFA Status is set to Required or Inherited and MFA is enabled.

Configuring Multi-Factor Authentication as a User

If multi-factor authentication has been enabled, Laserfiche users are required to configure MFA during their next sign in.

  1. Sign in using your current credentials.
  2. If multi-factor authentication has been enabled, you will be automatically redirected to the Multi-Factor Authentication Required page. Click Ready to Configure MFA to continue.
  3. Download an authenticator app, such as:
    1. Google Authenticator
    2. Microsoft Authenticator
  4. To configure MFA on your authentication app, choose one of the options below:
    1. Use the app to scan the QR code provided on the Configure Multi-Factor Authentication page.
    2. Click [Can't Scan?] to receive a secret key. Then, manually type the secret key into the authentication app.
  5. In the Configure Multi-Factor Authentication page, type the one-time passcode shown in the authenticator app. Click Submit.

After multi-factor authentication has been configured, follow these steps to sign in.

  1. Enter your user credentials in the sign in page. Check the box for I have an MFA code.
  2. Once the check-box is checked for I have an MFA code, the Sign In button will gray out. Using your authentication app, enter the code. For an example, see the image below.
  3. Click the Sign In button to sign in.

Note: If the device with the secret key is lost or changed, contact your administrator to clear your existing MFA secret.

Additional Information

Administrators can view additional documentation from various identity providers to turn on MFA for SAML and Active Directory users.