Multi-Factor Authentication (MFA) is now available in MerusCase. MFA means your users will be required to use another type of authentication to access their MerusCase accounts. Once MFA is enabled, users will be required to choose a second “factor”, in addition to their password, to prove they are who they say they are upon login.
MFA at a Glance
- MerusCase firms can choose to enable MFA for all users, enable for specific users, or leave MFA disabled.
- Only users with the status Active Administrator (“Administrator”) can enable MFA for the firm or individual users.
- Once MFA is enabled, all affected users are immediately logged out and required to set up MFA for their individual accounts.
- Users can select either SMS text or email as their second factor.
- Users will be required to authenticate using their second factor every 30 days, unless they log in from a different device or from a different location within the 30-day window.
- A user who loses access to their second factor will be required to contact an Administrator to reset their MFA.
Read on for more details about MFA in MerusCase, including:
- Enabling MFA for your firm or specific users
- Setting up MFA for an individual user
- Resetting MFA for an individual user
Only users with the status “Active Administrator” can enable MFA, either for all users at once or on a user-by-user basis. We recommend enabling MFA at a time when few or no users are in their accounts, as any users in their accounts will be immediately logged out and directed back to the login screen to go through the MFA setup process. All other users will be directed through the MFA setup process the next time they log in to MerusCase.
To enable MFA Firmwide: (Administrators only)
1. Go to “Tools and Settings” > “Security Settings”.
2. Click “Enable Multi-Factor Authentication”.
3. Click “Yes, I am sure” when prompted with the warning. This warning reminds the user that all users (including the user enabling MFA) will automatically be logged out of the application once MFA is enabled.
To enable MFA for specific users: (Administrators only)
1. Go to “Tools and Settings” > “User Management”.
2. Select the user for which you want to enable MFA.
3. Click the toggle button next to “Enable” under the Multi-Factor Authentication section in their profile.
4. Repeat this for all users for which you want MFA to be enabled.
Note: Any users for which MFA is enabled that are also currently logged into MerusCase will be immediately logged out of MerusCase and redirected to the login screen to set up MFA for their account.
Setting up MFA for an account
Users will be prompted to set up MFA as part of the login process once MFA is enabled by an Administrator.
Selecting their second factor
At the MerusCase login screen, after entering their username and password, a user will see a screen that prompts them to select email or SMS text as their second factor.
Note: The software cannot be configured to require one second factor (email or SMS text) over the other. If you would like all your users to select email, for example, you will need to communicate that during your internal rollout.
The user will select their preferred second factor and fill in their phone number or email address based on their selection. Then they can click “Send Code” which will direct them to the Verification page.
Entering verification code
On the Verification page, a user will be prompted to enter the 9-digit verification code they received via email or text message.
A few items to note on this page:
- Checking “Remember this device” will allow a user to bypass the verification process for 30 days. (Unless the user logs in from a different device or location within that time frame.)
- If a user fails to enter their code within 10 minutes, they will receive an error message and be directed back to the login screen.
If you have users who select email for their second factor, and they are not receiving an email with their verification code at this step:
- First, have them check their spam folders for the email.
- Second, you may need to whitelist our dedicated IP address from which these emails are sent. That IP address is 220.127.116.11
When the user successfully enters their code and clicks “Verify”, they will be logged into their MerusCase account. The user will receive a notification that they have successfully registered their email or mobile device as their second factor for MFA.
Resetting MFA for a user
If a user loses access to their second factor, they will need to contact an Administrator, who can reset their MFA so that they can go through the setup process again.
To reset MFA, an Administrator will need to:
1. Log in to their account.
2. Navigate to “Tools & Settings” > “User Management”.
3. From the user list, click the user who needs the MFA reset.
4. Click “RESET” in the lower right corner of their profile.
A few items to note on this screen:
- Under the Multi-Factor Authentication section, Administrators will be able to see any user’s MFA status, whether it’s Active or Inactive.
- The user’s Registered Method (sms or email) and Registered Destination (full email address or phone number) will also be displayed. (Note: Part of the phone number is blurred out in this screenshot for privacy reasons.)
- Administrators can view this information for all users in the account. All other user roles can see this information for their account only.
5. The Administrator will be prompted to confirm that they want to reset MFA for this user. Click ‘CONFIRM’.
6. The user will receive an email notifying them that their MFA has been reset and that they need to log in to MerusCase again to re-register for MFA. After entering their username and password, they will be walked through the “Setting up MFA for your account” workflow outlined above.
FAQs - Multi-Factor Authentication
Can I enable MFA for only some of the users in our firm?
Yes, MFA can be enabled for specific users individually or for all users in the firm at once.
How often will I be asked to verify using my second factor?
If you leave “Remember this device” checked when entering your code, you will be asked to verify again in 30 days, unless you log in from a different device and/or from a different location, which will require you to verify again.
My users are not receiving the email with their verification code during the setup process.
First, have them check their spam folders for the email. Second, you may need to whitelist our dedicated IP address from which these emails are sent. That IP address is 18.104.22.168
Does MerusCase have plans to do further work on Multi-Factor Authentication?
Yes. We are currently investigating additional MFA functionality for development in 2023 including but not limited to:
- Verification using an authenticator app.
- Integration with SAML
Will enabling MFA interfere with syncing the firm calendar or the firm contact list to my device?
No, users enabling MFA will be able to continue to sync calendar and contact information to their devices as before.
What do I do if my Administrator cannot reset my device, or if I am an Administrator and I lose access to my MFA device?
If you have any trouble with MFA, you can always reach out to MerusCase support at firstname.lastname@example.org.