.png)
Using Multi-Factor Authentication (MFA)
Multi-Factor Authentication or MFA, is a security measure implemented on all Portal users and API-integrated Partners that creates an additional layer of user verification by supplying a six-digit code to an authenticator app of your choice to verify you’re the user logging in or initiating a request/action.
Navigate to the Multi-Factor Authentication Enablement page by clicking Settings in the Admin category of the left-hand navigation panel. Then, click Multi-Factor Authentication Enablement under the Business Details section.
This is a beta feature and will not be required until deployed for general availability. Users with parent entities (Referrers or Facilitators) enrolled in MFA beta will likely be required to enroll.
Note: The page does not dynamically load the entire list of all MFA-enabled users.
By using the search button 🔍 in the search bar, you can either load with no criteria to populate the entire list, or enter in a specific user you’re looking for to filter.
Note: Facilitators & Referrers utilizing their own MFA configurations in place can use Single Sign-On (SSO) to automatically redirect to the Portal directly from their native application without manual sign-in or authentication required.
Warning: Any users logging into the Portal are still required to enroll in, and enable, MFA. Regardless of SSO configuration or not.
Enable MFA for your Portfolio
After navigating to the Multi-Factor Authentication Enablement page, you’ll see a list of existing users in your portfolio and whether or not they have enrolled in and enabled MFA.
Tip: To create an entirely new user with MFA enabled, follow “Creating New User MFA Enablement” below. For all existing platform users, skip to the “Existing User MFA Enablement” guides.
Step 1: From the Dashboard, navigate to Users (under Management)
Step 2: Click the Add User in the upper right corner.
Step 3: After entering the desired new user info, select “Yes” from the Multi-Factor Authentication Enabled dropdown.
Step 1: From the Dashboard, navigate to Settings (under Admin).
Step 2: Click Multi-Factor Authentication Enablement.
Step 3: Select the desired user from the list by clicking the checkbox.
Step 4: Click Enable on your selected user listing.
Step 1: From the Dashboard, navigate to Users (under Management).
Step 2: Click on the desired user from the page list to be redirected to their User Profile.
Step 3: Under the User tab (This will be the name of the User) in the User Profile menu. Then, click the edit icon in the upper right-hand corner.
Step 4: (Optional) Click API Roles and Add the “Multi-Factor Authentication” role if you are assigning a Referrer-level user the ability to manage its Merchants' MFA enablement.
Step 5: Click the Multi-Factor Authentication Enabled field and select Yes from the dropdown. Then, click the check icon in the upper right corner to confirm the change.
Note: Changing Multi-Factor Authentication Enanbed back to “No” will prompt a popup asking to disable or reset the MFA setup for that user.
Enroll Users in MFA
After enabling the MFA feature for the desired user, the user will be required to enroll in their preferred authenticator app (such as Microsoft/Google Authenticator, Okta Verify, or RSA SecurID) the next time they attempt to log in to the Portal.
Warning: Facilitators and Referrers are required to use an Authenticator app, only Merchant-level users can enroll with SMS.
To enroll in MFA using SMS text messaging as the authentication method, follow the steps below:
Step 1: Upon viewing the Portal prompt to secure your account, click Continue.
The prompt the MFA-enabled user will see upon the first login.
Step 2: Select Text (SMS) from the Select MFA Method prompt.
Method Selection, either SMS or Mobile Authenticator App.
Step 3: Confirm the phone number pulled from your User Profile and click Confirm.
Phone number confirmation. (Pulled from existing User Profile).
Step 4: (Optional) If your phone number does not match or is incorrect, click Modify to change the phone number. Then, click Confirm.
Phone Number editing if Modify is clicked.
This number can also be modified by accessing the user’s profile at a later date.
Warning: When changing a phone number for MFA SMS confirmation codes on behalf of a Merchant user, ensure that basic due diligence is performed to properly verify the user’s identity.
Step 5: After clicking Confirm, you will be sent the following SMS text message to the number you’ve confirmed:
“Payrix Verification Code: Use this one-time verification code to complete sign-in: XXXXXX. Do NOT share this code with anyone. This code is valid for 10 minutes. Reply STOP to opt out.”
Warning: If a Merchant replies “STOP” to opt out of the SMS messaging, they will not receive another MFA verification code until they text the same number “START” to opt back into the SMS messaging.
If the Merchant is unable to retrieve the number for to opt back into SMS, they should contact their Referrer or Facilitator to reset their MFA setup.
Step 6: Use this code to authenticate and complete the MFA enrollment.
The six-digit code was sent via SMS to complete MFA enrollment.
Successful enrollment message.
Step 1: Upon viewing the Portal prompt to secure your account, click Continue.
The prompt the MFA-enabled user will see upon the first login.
Step 2: Select Mobile App from the Select MFA Method prompt.
Method Selection, either SMS or Mobile Authenticator App.
Step 3: Download your preferred authentication app from the Apple App Store or Google Play Store.
Notification to download an Authenticator App
Step 4: After downloading and setting up your authenticator app, enroll using a QR code and scan the code presented on the Scan the QR Code prompt:
QR Code to enroll the Portal login to the preferred Authenticator App
Step 5: Enter the current six-digit code generated on your authenticator app to authenticate and complete the MFA enrollment.
Successful enrollment message.
Recommended MFA Authenticator Apps
There are many different multi-factor authentication apps available to choose from. Below is a list of trusted authentication apps we recommend for individuals to use in MFA enrollment:
App | iOS | Android |
 Microsoft Authenticator .svg?inst-v=f0990115-facb-45aa-bdb4-890afb5e4005) .png?inst-v=f0990115-facb-45aa-bdb4-890afb5e4005){kind=icon} | .jpg?inst-v=f0990115-facb-45aa-bdb4-890afb5e4005) |  |
 Google Authenticator | .jpg?inst-v=f0990115-facb-45aa-bdb4-890afb5e4005) |  |
 Okta Verify |  |  |
 RSA SecurID | .jpg?inst-v=f0990115-facb-45aa-bdb4-890afb5e4005) |  |
Reset User MFA Setup
In situations where users lose their device that contains the authentication code setup required for MFA, you can disable MFA for that user to allow them to re-enroll. If and when the user is ready to re-enroll, simply re-enable their MFA enrollment and the process shown above will be prompted again for the user to set up MFA.
Below are the recommended steps for each platform user access level to reset their individual MFA setup:
User Type | Reset Steps |
|---|---|
Facilitator | Contact a Facilitator-level user with the proper access to reset. |
Referrer | Contact Payrix support via ServiceDesk ticket or your Facilitator. |
Merchant | Contact your Referrer. |
Facilitators & Referrers can manage Merchant-level MFA enablement for convenient support of their portfolios.
Below are the steps a Facilitator or Referrer can take in the Portal to reset another (Merchant) user’s MFA setup:
Facilitators can take steps in the Portal to reset their Referrers' and Merchants' existing MFA setup (as well as Referrers being able to reset for Merchants), allowing them to re-enroll in cases where their secured device is lost/stolen, or when they wish to re-enroll using a different method (i.e. changing from SMS to Authenticator app, or vice versa)
Disable User MFA Setup
For scenarios where a Facilitator may want to use their own MFA solution or other unique situations you can follow the steps below:
Warning: MFA is required as part of information security and code of conduct policies. Do not attempt to deactivate MFA permanently as it may result in disciplinary action.
“Login As” Access
After users have become enrolled in Multi-Factor Authentication, they will also be prompted to submit an MFA code when logging in to their child entities' Portal views (e.g. Referrer logging in as one of its Merchants). The same rules will apply that a user can use Remember Me for 30 Days to only be required to authenticate this way one time every 30 days.
Remember Me
After enrolling in MFA, and attempting an additional login to the Portal prompting for the current temporary authenticator code to be entered. Users can toggle a checkbox that says “Remember me for up to 30 days” to ensure that a user are not prompted to enter a temporary authenticator code for MFA the next time they log in within the next 30 days.
Tip: Remember Me can be used by multiple devices under one account at a time.
Toggle the “Remember Me” checkbox, then enter the authenticator app code. This prevents the selection from not being saved.
Warning: For the “Remember Me” feature to work users must allow location sharing when prompted by their browser when accessing the Portal. Ensure that your browser is not set to block location sharing from the Portal URL.
Enable the MFA Announcement Lightbox
Multi-Factor Authentication is not yet fully enabled as a requirement for all users and will deployed to all soon. To inform your portfolio users that they will need to enroll in MFA soon. This lightbox will provide the option for the user to begin enrollment steps now, or decline and wait until it is required.
To enable this announcement lightbox, follow the steps below:
This process is only applicable to Facilitators as Referrers and Merchants cannot access the Hosts or Host Profile pages.
Step 1: Navigate to the Hosts page (under the Whitelabel section of the Settings page) and click the host that contains all other whitelabel configurations for your portfolio to enter its Host Profile page.
Step 2: In the Host Profile page, click the Features tab on the left-hand menu.
Step 3: Scroll down to the “Page: MFA announcement dialog” feature.
Step 4: Toggle on the feature for Merchant, Merchant Admin, Referrer, Referrer Admin, and Admin.
Now, the next time a Referrer or Merchant in your portfolio logs into the Portal, they will see a lightbox allowing them to enable and enroll in MFA from directly inside the prompt.
Warning: Closing and ignoring the MFA lightbox notification will force the lightbox to close and will not reappear. The user will have to contact their applicable parent user to enable MFA until required by all users upon production deployment.