Multi-Factor Authentication (MFA) should be used by all Facilitators and Referrers to add a layer of security that protects your information and prevents hacks and malicious attacks on your accounts.
MFA Platform Requirements
MFA is required when using a Session ID within the Portal or Payrix API.
MFA Browser Compatibility
MFA works with most browsers, but be sure to review pop-up blockers that may prevent the MFA announcement or “Remember Me” message from displaying.
MFA Enablement Deadline
MFA must be enabled for all users within your portfolio by April 2024.
After this time, any user not enrolled or enabled will be prompted to enroll in MFA and select their preferred authentication option (SMS/Text or Authenticator App). This is an automated requirement and cannot be skipped.
MFA Enrollment Reset and Management
MFA reset and re-enrollment are only required for users who damage their device, lose their device, purchase a new device, or have their device stolen.
The /mfaAPI endpoint allows users to manage or reset their MFA setup. (Users who need this must submit an Implementations Ticket to have it enabled.)
No scenario exists that would require a User to re-enroll in MFA after initial successful enrollment.
MFA Login Flow Changes
The “Remember Me” login function is still available for all users, including partners and merchants.
The “Login As” Portal function is still available for users with enabled and validated MFA to log in.
Merchants using Single Sign-On (SSO) to log in to the Portal through their Referrer are not required to use MFA.
API Use Flow Changes with MFA
Facilitators and Referrers setting up platforms with the sole purpose of API usage are not required to use MFA, as their private API key will act as their authentication method.
Facilitators and Referrers that choose this option should disable Portal Access and Login As Access in the User Profile of any API-only user, or enroll them in MFA as normal for maximum security.