Two-factor authentication - Documentation

Two-factor authentication adds an extra layer of security to your Brightspot account beyond a traditional username and password.

If you lose the authentication device

If you lose the device with the authenticator app, you cannot log in to Brightspot. In addition, if the person who has (or stole) your device also knows your username and password, that person can log in to your account.

If you lose the device with the authenticator app, ask your Brightspot administrator to reset your authentication code. For details, see Reset two-factor authentication.

Enable/disable 2FA by site

Depending on your company’s policy, you may not be required to use two-factor authentication when logging in to Brightspot. Regardless of that policy, you can enable two-factor authentication for your own account.

You can disable two-factor authentication if the following conditions are true:

Your company’s policy does not require two-factor authentication.
You enabled it on your own account.

How to enable two-factor authentication

Install an authenticator, such as Google Authenticator, on your device. The authenticator must be able to read QR codes.
In the header, click your username, then click Enable Two-Factor Authentication. The Enable Two-Factor Authentication widget appears.
Using the authenticator on your device, scan the QR code in the widget. The device responds with an authentication code.
Enter the authentication code in the Code field.
Click Verify.

Two-factor authentication is enabled.

How to disable two-factor authentication

In the header, click your username, then click Disable Two-Factor Authentication. The Disable Two-Factor Authentication widget appears.
Using the authenticator on your device, scan the QR code in the widget. The device responds with an authentication code.
Enter the authentication code in the Code field.
Click Verify.

Two-factor authentication is disabled.

Enable/disable 2FA by role

You can enable or disable two-factor authentication at the role level, which overrides any setting you made at the site level.

Warning

Enabling two-factor authentication for a role locks all accounts associated with that role until the users are able to enter an authentication password. Ensure that your users are trained and have an authenticator installed on their phones before enabling two-factor authentication at the role level.

Enable or disable two-factor authentication at the role level

From the Navigation Menu, expand Admin, and select Users & Roles.
In the Roles widget, select the role for which you want to enable or disable two-factor authentication. The Edit Tool Role widget appears.
Toward the right of the widget, select more_horiz> Advanced. A widget appears.
From the Two-Factor Authentication Required field, select one of the following:
- Default—Two-factor authentication setting for the role’s users is the same as at the site level.
- Required—Role’s users need two-factor authentication to log in.
- Not Required—Role’s users do not need two-factor authentication to log in.
Click Save.

Note

Individual users can enable two-factor authentication even if it is not required at the role level. For details, see Overriding two-factor authentication.

Enable/disable two-factor authentication by user

You can enable or disable two-factor authentication at the user level, which overrides any setting you made at the site level or at the role level.

Warning

Enabling two-factor authentication for a user locks that account until the user is able to enter an authentication password. Ensure that the user is trained and has an authenticator installed on a device before enabling two-factor authentication.

How to enable or disable two-factor authentication at the user level

From the Navigation Menu, expand Admin, and select Users & Roles.
In the Users widget, select the user for whom you want to enable or disable two-factor authentication. The Edit Tool User widget appears.
Toward the right of the widget, select more_horiz> Advanced. A widget appears.
From the Two-Factor Authentication Required field, select one of the following:
- Default—User’s two-factor authentication setting is the same as at the role level; if that level is set to Default, user’s setting is the same as at the site level.
- Required—User needs two-factor authentication to log in.
- Not Required—User does not need two-factor authentication to log in.
Click Save.

Note

Individual users can enable two-factor authentication even if it is not required. For details, see Overriding two-factor authentication.

First login with two-factor authentication

How to log in for the first time with two-factor authentication

If you don’t have an authenticator (such as Google Authenticator) installed on your device, install one. The authenticator must be able to read QR codes.
Log in to Brightspot with your username and password. The Enable Two-Factor Authentication widget appears.
Using the authenticator on your device, scan the QR code in the widget. The phone responds with an authentication code.
Enter the authentication code in the Code field.
Click Verify. The dashboard appears.

Subsequent logins with two-factor authentication

How to log in subsequently with two-factor authentication

Log in to Brightspot with your username and password. A two-factor authentication prompt appears.
Retrieve the two-factor password from your authenticator.
Enter the password in the login prompt.
Click Log In.

Overriding two-factor authentication

Depending on your company’s policy, you may not be required to use two-factor authentication when logging in to Brightspot. Regardless of that policy, you can enable two-factor authentication for your own account.

You can disable two-factor authentication if the following conditions are true:

Your company’s policy does not require two-factor authentication.
You enabled it on your own account.

How to enable two-factor authentication

Install an authenticator, such as Google Authenticator, on your device. The authenticator must be able to read QR codes.
In the header, click your username, then click Enable Two-Factor Authentication. The Enable Two-Factor Authentication widget appears.
Using the authenticator on your device, scan the QR code in the widget. The device responds with an authentication code.
Enter the authentication code in the Code field.
Click Verify.

Two-factor authentication is enabled.

How to disable two-factor authentication

In the header, click your username, then click Disable Two-Factor Authentication. The Disable Two-Factor Authentication widget appears.
Using the authenticator on your device, scan the QR code in the widget. The device responds with an authentication code.
Enter the authentication code in the Code field.
Click Verify.

Two-factor authentication is disabled.

Reset two-factor authentication

If a user configured for two-factor authentication loses the authentication device, there is an immediate security risk: the person who found (or purloined) the device may be able access the user’s Brightspot account. When a user reports a stolen device used for two-factor authentication, you need to reset the authentication protocol.

You can reset a user’s two-factor authentication if two-factor authentication is required for the user at the site, role, or user level.

Warning

Resetting two-factor authentication immediately locks that user’s account until the user can enter a new authentication password.

How to reset a user’s two-factor authentication

From the Navigation Menu, expand Admin, and select Users & Roles.
In the User’s widget, select the user for whom you want to reset two-factor authentication.
Click settings, and from the menu select Reset Two-Factor Authentication for This Tool User. The Reset Two-Factor Authentication widget appears.
Click Reset.