Using Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) is a security measure applied to all Portal users and API-integrated Partners. It adds a layer of user verification by supplying a six-digit code through an authenticator app of your choice, which verifies that you are the user logging in or initiating a request or action.

To access the Multi-Factor Authentication Enablement page, click Settings in the Admin category on the left navigation panel. Then, click Multi-Factor Authentication Enablement under the Business Details section.

Note: The page does not dynamically load the entire list of all MFA-enabled users.

Click the search button 🔍 in the search bar with no criteria to populate the entire list, or enter a specific user to filter the list.

Note: Referrers with their own MFA configurations in place can use single sign-on (SSO) to automatically redirect to the Portal from their native application without manual sign-in or authentication required.

Warning: Regardless of SSO configuration, any users logging in to the Portal are still required to enroll in, and enable, MFA.


Enroll Users in MFA

After enabling the MFA feature for the desired user, the user will be required to enroll in their preferred authenticator app (such as Microsoft/Google Authenticator, Okta Verify, or RSA SecurID) the next time they attempt to log in to the Portal.

Warning: Referrers are required to use an Authenticator app. Only Merchant-level users can enroll with SMS.

Enroll using SMS

To enroll in MFA using SMS text messaging as the authentication method, follow the steps below:

  1. Upon viewing the Portal prompt to secure your account, click Continue.

The prompt the MFA-enabled user will see upon the first login.

  2. Select Text (SMS) from the Select MFA Method prompt.

Method Selection, either SMS or Mobile Authenticator App.

  3. Confirm the phone number pulled from your User Profile and click Confirm.

Phone number confirmation. (Pulled from existing User Profile).

  4. (Optional) If your phone number does not match or is incorrect, click Modify to change the phone number. Then, click Confirm.

Phone Number editing if Modify is clicked.

This number can also be modified by accessing the user’s profile at a later date.

Warning: When changing a phone number for MFA SMS confirmation codes on behalf of a Merchant user, ensure that basic due diligence is performed to properly verify the user’s identity.

  5. After clicking Confirm, you will be sent the following SMS text message to the number you’ve confirmed:

    “Payrix Verification Code: Use this one-time verification code to complete sign-in: XXXXXX. Do NOT share this code with anyone. This code is valid for 10 minutes. Reply STOP to opt out.”

Warning: If a Merchant replies “STOP” to opt out of the SMS messaging, they will not receive another MFA verification code until they text the same number “START” to opt back into the SMS messaging.

If the Merchant is unable to retrieve the number to opt back into SMS, they should contact their Referrer to reset their MFA setup.

  6. Use this code to authenticate and complete the MFA enrollment.

The six-digit code was sent via SMS to complete MFA enrollment.

Successful enrollment message.

Enroll using an Authenticator App

  1. Upon viewing the Portal prompt to secure your account, click Continue.

The prompt the MFA-enabled user will see upon the first login.

  2. Select Mobile App from the Select MFA Method prompt.

Method Selection, either SMS or Mobile Authenticator App.

  3. Download your preferred authentication app from the Apple App Store or Google Play Store.

Tip: See Recommended MFA Authenticator Apps for a list of links and QR codes to download and use in MFA enrollment.

Notification to download an Authenticator App

  4. After downloading and setting up your authenticator app, enroll using a QR code and scan the code presented on the Scan the QR Code prompt.

QR Code to enroll the Portal login to the preferred Authenticator App

  5. Enter the current six-digit code generated on your authenticator app to authenticate and complete the MFA enrollment.

Successful enrollment message.

Recommended MFA Authenticator Apps

Many different multi-factor authentication apps are available to choose from. Below is a list of trusted authentication apps we recommend for individuals to use in MFA enrollment:

Apps (available for iOS and Android):

  • Microsoft Authenticator

  • Google Authenticator

  • Okta Verify

  • RSA SecurID


Reset User MFA Setup

If a user loses the device that contains the authentication code setup required for MFA, you can disable MFA for that user to allow them to re-enroll. When the user is ready to re-enroll, re-enable their MFA enrollment; the user will then be prompted to go through the enrollment process shown above again.

Below are the recommended steps for each platform user access level to reset their individual MFA setup:

User Type: Reset Steps

  • Referrer: Contact Payrix support.

  • Merchant: Contact your Referrer.

Referrers can manage Merchant-level MFA enablement for convenient support of their portfolios.

Below are the steps a Referrer can take in the Portal to reset another (Merchant) user’s MFA setup:

Reset Existing User MFA
  1. On the Multi-Factor Authentication Enablement page, locate the desired user.

  2. Click Reset on the user’s listing to initiate a reset of their MFA setup to re-enroll.

Result: The user’s Multi-Factor Authentication configuration has been reset.

When the user is ready with their new device or enrollment method, they will automatically be prompted to re-enroll in MFA upon the next Portal login.


“Login As” Access

After users have enrolled in MFA, they will also be prompted to submit an MFA code when logging in to their child entities' Portal views (for example, a Referrer logging in as one of its Merchants). The same rules apply: a user can select Remember Me for 30 Days so that they are required to authenticate this way only once every 30 days.


Remember Me

After enrolling in MFA, users are prompted to enter the current temporary authenticator code on each additional login to the Portal. At that prompt, users can select the Remember me for up to 30 days checkbox. This ensures that users are not prompted to enter a temporary authenticator code for MFA the next time they log in within the next 30 days.

Tip: Remember Me can be used by multiple devices under one account at a time.

Select the Remember me for up to 30 days checkbox first, then enter the authenticator app code. Following this order ensures that the selection is saved.

Warning: For the Remember Me feature to work, users must allow location sharing when prompted by their browser when accessing the Portal. Ensure that your browser is not set to block location sharing from the Portal URL.


More on Multi-Factor Authentication (MFA)

MFA should be used by all Referrers to add a layer of security that better protects your information and prevents hacks and malicious attacks on your accounts.

MFA Platform Requirements

MFA is required when using a Session ID within the Portal or Payrix API.

MFA Browser Compatibility

MFA works with most browsers, but be sure to review pop-up blockers that might prevent the MFA announcement or Remember Me message from displaying.

MFA Enablement Deadline

MFA must be enabled for all users within your portfolio by April 2024.

After this time, any user not enrolled or enabled will be prompted to enroll in MFA and select their preferred authentication option (SMS/Text or Authenticator App). This is an automated requirement and cannot be skipped.

MFA Enrollment Reset and Management

MFA reset and re-enrollment is only required for users who damage their device, lose their device, purchase a new device, or have their device stolen.

  • The new /mfa API endpoint allows users to manage or reset their MFA setup. (Users who need this must submit an Implementations Ticket to have it enabled.)

  • No scenario exists that would require a User to re-enroll in MFA after initial successful enrollment.

MFA Login Flow Changes

  • The Remember Me login function is still available for all users, including partners and merchants.

  • The Login As Portal function is still available for users with enabled and validated MFA to log in.

  • Merchants using SSO to log in to the Portal through their Referrer are not required to use MFA.

API Use Flow Changes with MFA

Referrers setting up platforms with the sole purpose of API usage are not required to use MFA as their private API key will act as their authentication method.

  • For Referrers that choose this option, disable Portal Access and Login As Access from the User Profile of any API-only user, or enroll them in MFA as normal for maximum security.
