What is 2-Step Authentication?
Two-Step Authentication (also known as 2SA) is a type, or subset, of multi-factor authentication (also known as MFA). It is an additional level of security as it is a way of confirming users' identities by using a combination of 2 different factors:
- something they know (a password)
- something they have (a device), or
- something they are (answers to questions only they know)
Unleashed uses a third-party authenticator app that enables two-step authentication. The authenticator app generates a code that is frequently refreshed and which only you can use in order to authenticate your login request.
Having this additional layer of security makes it significantly harder for someone to get access to your account, even if they have managed to get hold of your password.
When you set up 2SA, you will provide a secret key to an authenticator app. This secret key is unique to your Unleashed account and is passed to a Time-based One-Time Password (TOTP) algorithm, which generates an authentication code. That code must match the code generated from the same secret key within Unleashed. If the authentication codes do not match, you will need to try again. The authentication codes can be sent to your alternative email address if necessary.
- Your Unleashed user email address and password
- A device on which to install your authenticator app (a smartphone or a desktop computer)
- An alternative email address (required in cases where you may not have access to your phone or computer) - this email address cannot contain the "+" sign and must be different to your Unleashed login email address
For new accounts, you will need to set up your 2SA within 14 days of your account creation.
There are several authenticator apps available. Your company may already have a security policy stipulating an authenticator app that you must use. If so, all you need to do is add your Unleashed account to that app during the setup. If your company has not specified an app, here are a few recommendations:
Google Authenticator → https://support.google.com/accounts/answer/1066447
Authy → https://authy.com/download/
Microsoft Authenticator → https://www.microsoft.com/en-us/account/authenticator
Chrome Authenticator → https://chrome.google.com/webstore/detail/authenticator/bhghoamapcdpbohphigoooaddinpkbai
Please note that this process can take anywhere from 2 minutes (if you are simply adding Unleashed to an existing authenticator app) to around 10 minutes for someone using an authenticator app for the first time.
- After Unleashed receives a valid login email address and password combination, you will be prompted to set up 2SA
- Install an Authenticator app on your phone or computer from the recommended list or install the authenticator app instructed by your Account Owner/Administrator (note: you may already be using an authenticator app, in which case simply add your Unleashed account)
- Open your Authenticator app and scan the QR (Quick Response) code, or click on the wording "or enter your key manually" which will reveal characters that you can use for the authenticator app instead of scanning the QR code
- After you scan the QR code or enter the key manually, the authenticator app will display your unique authentication code, which is usually valid for between 30 and 60 seconds before a new code is generated.
This is an example from Google Authenticator on a mobile device:
- Input the code (in this example, it would be 123 456)
- You will now be asked to provide an alternative email address so that an authentication code can be emailed to you if you don't have your phone or computer with you - this cannot be the same email address as your Unleashed login email address
- Click "Send Verification Code".
- A confirmation message will pop up:
- Verify your alternative email address by retrieving the email and supplying the code that was emailed to the address (emailed authentication codes are valid for 15 minutes)
- You are now set up for 2SA
- Click on "Got It" to take you to Unleashed
- The next time you log in to Unleashed you will be prompted for a new authentication code. There is an option to "Remember me for 30 days" which you can check so that you only have to authenticate every 30 days. Please consider your situation carefully before enabling this option. If you need to have an authentication code emailed to your alternative email address, click on "Lost your mobile device?".
Authentication codes are generated and are only valid for a limited time to ensure security. Authenticator app codes are generally valid for between 30 and 60 seconds. Authentication codes sent to your alternative email address are valid for 15 minutes. Sometimes you may enter a code that has already expired and you will be "challenged" to provide another code.
After 3 failed attempts, you will be offered the option of having the authentication code emailed to your alternative email address.
What is a User?
As per Unleashed's Terms and Conditions, a User is defined as follows:
An Invited User is a unique individual authorised by You to use the Services for Your benefit in accordance with this Agreement, including Your employees, representatives, contractors and agents and the employees, representatives, contractors and agents of Your Affiliates (if any).
Note: We will be implementing session management in the near future. This will automatically time out inactive sessions and you will be required to authenticate when you next log in.
| Scenario | Guidance |
|---|---|
| Single User - 1 person using 1 device | Set up your 2-step authentication. In this scenario, any of the recommended methods are a good fit and you could also use the "remember me for 30 days" option. |
| Single User - 1 person using multiple devices | Where it is a legitimate multiple device situation, you will need to use the same device and/or alternate email address for authentication. In this scenario, the Google Authenticator app is the recommended method. |
| Single User with access to multiple organizations | Set up your 2-step authentication once and access your other organizations within Unleashed as usual. |
| One device that multiple users use for short periods (e.g. a Warehouse PC) | Each user sets up their 2-step authentication and must log out of Unleashed between sessions. In this scenario, any of the recommended methods are a good fit and you could also use the "remember me for 30 days" option. |
| A user logs on with a generic email address (e.g. firstname.lastname@example.org, email@example.com) | The identified "custodian" of the email address will need to set up authentication for the generic email address with an agreed alternative email address. In this scenario, any of the recommended methods are a good fit. |
| A QBO Customer is using the Intuit single sign-on facility | There is currently no change to this process. |
| A QBO Customer is using the Unleashed log in | Set up your 2-step authentication. In this scenario, any of the recommended methods are a good fit. |
| A User has lost their device | Use the "lost device" option which emails an authentication code to the alternative email address you entered during setup. |
Question: When I input my 6-digit code I get the message "Your authentication information is incorrect. Please try again."
Answer: This could be related to the device's date and time. Make sure it is set correctly by turning on the automatic time zone feature.
Question: How long does my session last before Unleashed logs me out?
Answer: Currently Unleashed does not log you out, but will be introducing session management later this year to identify idle sessions and time them out.
Question: How long does it take for my alternative email address verification email to arrive in my inbox?
Answer: This should be almost instantaneous. In the event you have not received it within a few minutes, please check your spam folder.
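The code matching described in the setup overview, and the date-and-time cause given in the first question above, can be seen in a short TOTP sketch. This is an added example, not Unleashed's code: the HMAC-SHA1, 30-second and 6-digit parameters are the RFC 6238 defaults and are assumed here, and the secret and clock values are constructed test data.

```python
import base64
import hashlib
import hmac
import struct

# Assumed parameters (not stated by Unleashed): HMAC-SHA1, 30-second step,
# 6 digits, the RFC 6238 defaults used by common authenticator apps.
STEP, DIGITS = 30, 6

# Constructed sample secret: the RFC 6238 test key, Base32-encoded.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Derive the code for the time step that contains unix_time."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, server_time, window=1):
    """Return the step offset (-window..window) at which the submitted code
    matches the server's own calculation, or None if it matches nowhere."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, submitted):
            return drift
    return None


if __name__ == "__main__":
    server_now = 1111111109                      # constructed server clock
    for label, skew in [("in sync", 0), ("2 s fast", 2), ("1 h fast", 3600)]:
        code = totp(SAMPLE_SECRET, server_now + skew)
        match = verify(SAMPLE_SECRET, code, server_now)
        print(f"{label:9} code={code} match_offset={match}")
```

A device whose clock is one step off still matches when the verifier accepts adjacent steps, while a clock that is an hour off produces a code for a time step the server never checks, which is why correcting the device's date and time resolves the error.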