
Multi-Factor Authentication for Entrants, Admins, Judges and Viewers

Nucleus provides Multi-Factor Authentication (MFA) for all user accounts. MFA provides an additional level of security for all Users, protecting the sensitive data and assets provided and hosted in Nucleus. When Users log in, they will need to enter a password and a 6-digit code, which is delivered through one of a range of mechanisms defined by Admin Users. The result is that an unauthorised User will need not only to know the account’s password but also to have access to the mechanism to which the code is sent.

There are 3 MFA options in Nucleus:

  • Google Authenticator – a code is generated in an app that needs to be downloaded to a phone (Android/iPhone supported only)
  • Email – an email containing a 6-digit code is sent to a specified email address
  • SMS – an SMS containing a 6-digit code is sent to a specified phone number (Restrictions Apply – see below)

Admin Users can decide which of these mechanisms each User Type can utilise and decide if MFA is mandatory or optional for each User Type. Although the use of MFA is highly advised, the choice to activate the function is at the discretion of Admins.

Once set up, Users log in as normal and are presented with a page to enter or set up their MFA after initial login. Please note that:

  • If Users use the SMS or Email mechanism (using the same browser and device, and not clearing their cache), the code should last 30 days.
  • If they use Google Authenticator, then the latest validation will last until they close the browser.
  • These criteria do not vary by type of user, so they are valid for Entrants, Viewers and Admins.

How to Set Up MFA

Although it is possible to switch on MFA using the instructions in this section, we recommend submitting a Support Ticket and discussing with BMT before this is actioned. BMT will be able to provide advice about which mechanisms to switch on and for which User Type.

  1. Log into the Admin Interface
  2. Go to Actions>Misc
  3. Select Configuration Values in the System Administration section
  4. On the next page there are 3 values which can be edited:
    1. Allowed MFA options for ‘Admin’ – Admins
    2. Allowed MFA options for ‘User’ – Entrants
    3. Allowed MFA options for ‘Viewer’ – Judges
  5. Select Edit next to the user type you wish to enable MFA for
  6. Enter any combination of GOOGLEAUTH, SMS, EMAIL in the Value field, separated by commas, to enable the required MFA mechanisms
  7. Click Save & Close
  8. If setting for Admin Users, you will be required to enter an MFA code for your account
  9. Repeat steps 5 – 7 to enable MFA for multiple User Types

Setting Up SMS MFA

SMS messages are sent via AWS. This service is not immediately available, as it requires an application which AWS needs to approve. The application is based on regions, and currently only Europe has been tested. Sending SMS messages to United States phone numbers is extremely difficult due to US Government legislation, so we advise that SMS is not the only option provided for these Users. If you wish to enable SMS for Users, please submit a Support Ticket and confirm the regions to which you wish to send SMS messages. BMT will make the application on your behalf.

Also, note that the sending of SMS messages will incur additional AWS costs.

Setting Up Email MFA

Nucleus provides Email sending as standard, so there are no additional costs for this method. In order for the Emails to send, you will need to ensure that the Email Templates are set up correctly.

There are 3 Email Templates you will want to consider editing depending on your MFA choices. These templates allow Admins to customise content specifically for the intended audience:

  • admin/mfa – sent to Admin Users
  • entrant/mfa – sent to Entrants
  • viewer/mfa – sent to Viewers

Each template can be customised as Admins require, but it needs to contain the special value @@loginCode@@, which will include the 6-digit MFA code.

For more information about managing Email Templates read this guide.

How to Force Users to Set Up MFA

In addition to the above controls, it is possible to force all User Types to set up MFA. Otherwise, MFA is optional and Users will only see the controls in their account settings. Forcing all Users to set up MFA will:

  • Force new Users to set up MFA on the first login or account creation
  • Force existing Users to set up MFA on their next login

Take these steps to force MFA setup:

  1. Log into the Admin Interface
  2. Go to Actions>Misc
  3. Select Configuration Values in the System Administration section
  4. On the next page, there are 3 values that can be edited:
    1. Force ‘Admin’ to set up MFA – Admins
    2. Force ‘User’ to set up MFA – Entrants
    3. Force ‘Viewer’ to set up MFA – Judges
  5. Select Edit next to the user type you wish to enable MFA for
  6. Enter Yes in the Value field
  7. Click Save & Close
  8. Repeat steps 5 – 7 to enable MFA for multiple User Types
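
A pre-change review of planned settings, as an added example that is not Nucleus or BMT code: it checks the allowed-options Value, the Force value and the MFA email templates against the guidance on this page. It assumes the option tokens are GOOGLEAUTH, SMS and EMAIL; the dictionary layout and the sample values are constructed for illustration.

```python
# Added example: review planned Nucleus MFA settings before entering them.
# Dict layout is an assumption; the page only describes the Admin Interface.
VALID_OPTIONS = {"GOOGLEAUTH", "SMS", "EMAIL"}
PLACEHOLDER = "@@loginCode@@"
TEMPLATE_FOR = {"Admin": "admin/mfa", "User": "entrant/mfa", "Viewer": "viewer/mfa"}


def parse_options(value):
    """Split the comma-separated Value field; tokens are compared exactly."""
    return {tok.strip() for tok in value.split(",") if tok.strip()}


def review(settings, templates):
    """Return a list of findings for the planned settings."""
    findings = []
    for user_type, template_name in TEMPLATE_FOR.items():
        cfg = settings.get(user_type, {})
        options = parse_options(cfg.get("allowed", ""))
        unknown = options - VALID_OPTIONS
        if unknown:
            findings.append(f"{user_type}: unknown option(s) {sorted(unknown)}")
        enabled = options & VALID_OPTIONS
        if not enabled:
            findings.append(f"{user_type}: no MFA mechanism enabled")
            continue
        if cfg.get("force", "").strip() != "Yes":
            findings.append(f"{user_type}: MFA is optional (Force value is not Yes)")
        if enabled == {"SMS"}:  # page advises against SMS-only for US numbers
            findings.append(f"{user_type}: SMS is the only option offered")
        if "EMAIL" in enabled and PLACEHOLDER not in templates.get(template_name, ""):
            findings.append(f"{user_type}: template {template_name} lacks {PLACEHOLDER}")
    return findings


# Constructed sample values, not taken from a real Nucleus instance.
SAMPLE_SETTINGS = {
    "Admin": {"allowed": "GOOGLEAUTH, EMAIL", "force": "Yes"},
    "User": {"allowed": "SMS", "force": ""},
    "Viewer": {"allowed": "EMAIL,TOTP", "force": "Yes"},
}
SAMPLE_TEMPLATES = {
    "admin/mfa": "Your admin login code is @@loginCode@@",
    "entrant/mfa": "Your login code is @@loginCode@@",
    "viewer/mfa": "Please use the code we sent you.",
}

if __name__ == "__main__":
    for finding in review(SAMPLE_SETTINGS, SAMPLE_TEMPLATES):
        print(finding)
```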

How to Reset MFA

For any reason, Admin Users have the ability to reset MFA for all other User Types at any stage. This will allow the user to choose a new MFA type, if available. No emails containing MFA codes will be triggered to the user.

FOR ADMINS:

Please note that you will have to be a Super Admin in order to do this. This guide explains how to manage this process.

  1. Log into the Admin Interface
  2. Go to Actions>Admin Users
  3. Look for the relevant Admin and click on Reset MFA

FOR ENTRANTS:

  1. Log into the Admin Interface
  2. Go to Actions>Users
  3. Look for the relevant User
  4. Click on Actions>Reset MFA

FOR VIEWERS:

  1. Log into the Admin Interface
  2. Go to Actions>Viewers
  3. Look for the relevant Viewer
  4. Click on Actions>Reset MFA