Two-Factor Authentication (MFA/2FA) adds an extra layer of security to your Brightidea account by requiring a time-based code from an authenticator app in addition to your password.
Table of Contents:
- Getting Started
- Enabling MFA (System Level)
- Enabling MFA (Pipeline/Initiative Level)
- Setting Up Two-Factor Authentication (End Users)
- Managing Two-Factor Authentication (Administrators)
- Enforcing Two-Factor Authentication
- Important Notes
Getting Started
Two-Factor Authentication can be enabled at either the System (Enterprise) level or the Pipeline (Initiative) level. Prerequisites:
- Brightidea login must be enabled:
- System Setup > Access Tab > Authentication Sub Tab > Enable Brightidea login
- Site Setup > Access Tab > Authentication Sub Tab > Enable Brightidea login
Enabling MFA (System Level)
- Navigate to System Setup > Access Tab > Security Sub Tab.
- Locate the option: Two-factor Authentication
- Hover over the info icon to see the tooltip:
- “Enabling this option will enable two-factor authentication when using Brightidea login (email/password) on the Enterprise login page.”
Enabling MFA (Pipeline/Initiative Level)
- Navigate to Site Setup > Access Tab > Security Sub Tab.
- Locate the option: Two-factor Authentication
- Hover over the info icon to see the tooltip:
- “Enabling this option will enable two-factor authentication when using Brightidea login (email/password) on the Initiative login page.”
User Login Experience with MFA
When MFA is enabled, users will be prompted to set up Two-Factor Authentication the first time they log in.
- After entering their email and password, users will see the setup screen described below.
Enable Two-Factor Authentication (End Users)
- Step 1: Install an authenticator app on your mobile device (e.g. Google Authenticator, Authy, Microsoft Authenticator).
- Step 2: Scan the displayed QR code into your authenticator app.
- If unable to scan, use the 16-character key provided.
- Step 3: Your authenticator app will generate a 6-digit time-based code. Enter that code in the field and click Verify.
Once verified, 2FA will be enabled for your account. You will be prompted for a code every time you log in.
Managing Two-Factor Authentication (Administrators)
Resetting a User's MFA/2FA
If a user has lost access to their authenticator app, administrators can reset their 2FA:
- Go to System Setup > Users > Manage.
- Search for and select the user.
- Click Reset Two-Factor.
After the reset, the user will be prompted to reconfigure their 2FA upon next login.
Enforcing Two-Factor Authentication
Site-Level Enforcement
To require 2FA for all users on a single Brightidea site:
- Go to Site Setup > Access > Security.
- Check the box labeled Two-factor Authentication.
- Click Save Changes.
Affiliate-Wide Enforcement
To require 2FA across all initiatives in your organization:
- Go to System Setup > Access > Security.
- Check the box labeled Two-factor Authentication.
- Click Save Changes.
This ensures consistent security policy enforcement at the organizational level.
Important Notes:
- Make sure your mobile device's clock is set to automatic/time-sync mode.
- Incorrect device time can cause verification errors.
- Administrators cannot retrieve or view a user's code. They can only reset 2FA for that user.
- If 2FA is enabled site-wide or enterprise-wide, users must complete setup before accessing their accounts.
- If you need assistance setting up 2FA across multiple affiliates or have additional questions, please contact Brightidea Support or your Customer Success Manager.
- MFA uses the Time-Based One-Time Password (TOTP) protocol.
- Once configured, users only need to set up MFA once per system (not per initiative).
- If MFA is disabled and later re-enabled, users do not need to repeat the setup process.
- If MFA is disabled, Brightidea reverts to the standard login experience.
- Resetting MFA forces a user to re-pair their authenticator app on next login.
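The clock-sync note above follows from how TOTP works: each code is derived from the shared key and the current time interval, so a device whose clock has drifted past the server's tolerance produces codes the server rejects. The Python sketch below is an added illustration, not Brightidea's code; the 30-second step, HMAC-SHA1, the one-step tolerance in `verify`, and the sample key and timestamp are assumptions (RFC 6238 defaults and constructed values), not settings documented on this page.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code: RFC 6238 default, assumed (not stated on this page)
DIGITS = 6   # the page states 6-digit codes

def totp(secret_b32: str, unix_time: float) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the default used by common authenticator apps."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = int(unix_time // STEP)          # which time interval we are in
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, code: str, server_time: float, window: int = 1) -> bool:
    """Accept codes from `window` steps either side of server time (assumed tolerance)."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + i * STEP), code)
        for i in range(-window, window + 1)
    )

def skew_report(secret_b32: str, server_time: float, skews: list) -> dict:
    """Map each device clock error (in seconds) to whether its code would verify."""
    return {
        s: verify(secret_b32, totp(secret_b32, server_time + s), server_time)
        for s in skews
    }

# Constructed sample values: a 16-character base32 key (80 bits), the same
# shape as the manual-entry key shown at setup, and a fixed server timestamp.
SAMPLE_KEY = "JBSWY3DPEHPK3PXP"
SERVER_NOW = 1_700_000_010

if __name__ == "__main__":
    report = skew_report(SAMPLE_KEY, SERVER_NOW, [0, 20, -25, 90, -300])
    for skew, ok in report.items():
        print(f"device clock off by {skew:+5d}s -> {'accepted' if ok else 'rejected'}")
```

A device that is a few seconds off still verifies under the assumed tolerance, while one that is minutes off does not, which is why automatic time sync on the phone resolves most "invalid code" reports without an administrator reset.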