Article Details
Id: 18248
Product: finPOWER Connect
Type: NEW
Version: 3.04.00
Opened: 21/12/2020
Closed: 17/06/2021
Released: 30/06/2021
Job: J025717
High Importance

Portals; Support for Multi-Factor Authentication (MFA) has been added

Multi-Factor Authentication (MFA) has been added for User and Client-based Portals.

WARNING: Any existing Portals with custom Login pages that are to use MFA will need to be modified. The easiest way to do this is to define the Portal's Multi-Factor options and then regenerate the Login page from the template.

The Portals form has been updated as follows:

  • New "Multi-Factor" page
  • Authentication page re-captioned to "Security" as per finCC Configuration form
  • PWA page moved to after "Multi-Factor" page
  • The Options page, "Other Options" section now clarifies whether: Client's Web User Id is their Email for Password Reset links and Multi-Factor Authentication?
  • The Options page, "Client's Web User Id is Email for Password Reset" option has been moved to the Security page to the right of the "Sign-In Method" dropdown.

NOTE: When running the Portal from within finPOWER Connect, there is no concept of Multi-Factor Authentication.

The following methods on the JavaScript portal object have been updated:

  • AuthenticateClient
  • AuthenticateUser

These now take in additional parameters:

  • mfaCode (String)
  • mfaDefer (String)
  • mfaActionCallback

The mfaActionCallback function is passed an object with an 'action' String property. Depending on the action, these other properties will exist:

  • MfaEnterCode
    • CodeLength
    • Message
  • MfaPair (Authenticator App only)
    • MfaPairUrl
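
A sketch of a handler for the callback object described above, added here as an example and not taken from finPOWER Connect. Only the action names and the CodeLength, Message and MfaPairUrl properties come from this article; the `ui` hooks, the returned state objects and the `normaliseMfaCode` helper are hypothetical, and the call to AuthenticateClient/AuthenticateUser is left out because the article does not give the parameter order.

```javascript
// Added example, not finPOWER Connect code. The `ui` hooks (promptForCode,
// showPairing, showError) and the returned state objects are hypothetical.
function createMfaActionCallback(ui) {
  return function mfaActionCallback(info) {
    const action = info && typeof info.action === "string" ? info.action : "";
    switch (action) {
      case "MfaEnterCode": {
        const codeLength = Number(info.CodeLength);
        if (!Number.isInteger(codeLength) || codeLength < 1) {
          ui.showError("Sign-in returned an invalid code length.");
          return { state: "error" };
        }
        // Pass Message on as plain text; the UI should set it with
        // textContent rather than innerHTML.
        ui.promptForCode(codeLength, String(info.Message ?? ""));
        return { state: "enter-code", codeLength };
      }
      case "MfaPair": {
        // Authenticator App only, per the article.
        const url = typeof info.MfaPairUrl === "string" ? info.MfaPairUrl : "";
        if (url === "") {
          ui.showError("Sign-in did not return pairing details.");
          return { state: "error" };
        }
        ui.showPairing(url);
        return { state: "pair", url };
      }
      default:
        // Unknown or missing action: fail closed instead of guessing.
        ui.showError("Sign-in returned an unrecognised MFA action.");
        return { state: "error" };
    }
  };
}

// Tidy what the person typed before it is resubmitted as mfaCode.
// Returns null when the length does not match CodeLength.
function normaliseMfaCode(typed, codeLength) {
  const code = String(typed).replace(/\s+/g, "");
  return code.length === codeLength ? code : null;
}
```
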

The built-in Portal Login form has been updated as follows:

  • MFA controls added
  • When the "I've forgotten my password" link is clicked, the main part of the form is hidden to prevent the form from becoming too long

The Client form, Web page now has the following buttons (as per the User form) which will affect ALL Portals that the Client can access:

  • Reset Multi-Factor Authentication
    • This will remove all authenticated devices (i.e., those that the Client has signed in with and opted to "Skip this step" for a number of days)
    • Forget any Authenticator App information
  • Create Emergency Code
    • This generates a code that can be given to the Client (e.g., over the phone) to allow them to access the Portal if for some reason they cannot receive email or SMS messages or are having trouble with their Authenticator App
    • If the selected Portal has a Sign-In Method of "Client Id or Web User Id", the User is prompted whether to use the Client Id or Web User Id when generating the emergency code

The User form now has a "Portal Access" page (when licensed for Portals). This allows the same functionality described above for the Client form but separates Portals from normal "Web Access" which typically relates to finPOWER Connect Cloud.