General Questions
What is Multi-Factor Authentication (MFA)?
What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (MFA) is a security feature that requires two forms of verification when you log in:
- Something you know: Your password
- Something you have: A time-based code from your authenticator app
Why should I enable MFA?
Why should I enable MFA?
MFA significantly reduces the risk of unauthorized account access. Benefits include:
- Protection against password breaches: If your password is compromised in a data breach, attackers still can’t access your account
- Defense against phishing: Even if you accidentally enter your password on a fake site, attackers can’t log in without your authenticator code
- Compliance: Many security standards and regulations recommend or require MFA
- Peace of mind: Know that your account and data are protected by an additional security layer
Is MFA required?
Is MFA required?
MFA is currently optional and user-controlled. You can enable or disable it at any time from your Account Settings.Your organization may have policies recommending or requiring MFA for certain roles. Check with your administrator for your organization’s specific requirements.
Admin-enforced MFA (where organizations can require MFA for all users) is planned for a future release.
Does MFA work with Single Sign-On (SSO)?
Does MFA work with Single Sign-On (SSO)?
If your organization uses SSO with an Identity Provider (like Okta, Azure AD, or Google Workspace), your MFA experience depends on your setup:
- IdP-level MFA: Your Identity Provider may already enforce MFA during SSO login. In this case, Elementum MFA may be redundant.
- Elementum MFA + SSO: You can enable Elementum MFA in addition to SSO, adding another layer of security.
- SSO-only organizations: If SSO is enforced and local login is disabled, Elementum MFA options may not be available.
Setup Questions
Which authenticator apps are supported?
Which authenticator apps are supported?
Elementum MFA works with any authenticator app that supports the TOTP (Time-based One-Time Password) standard, including:
- Google Authenticator (iOS, Android)
- Microsoft Authenticator (iOS, Android)
- Okta Verify (iOS, Android)
- 1Password (iOS, Android, Desktop)
- Authy (iOS, Android, Desktop)
- Duo Mobile (iOS, Android)
- LastPass Authenticator (iOS, Android)
- Many others
Can I use MFA on multiple devices?
Can I use MFA on multiple devices?
Each MFA setup is tied to one authenticator entry. However, depending on your authenticator app:
- Apps with sync (Microsoft Authenticator, Authy, 1Password): Your codes automatically sync across devices signed into the same account
- Apps without sync (Google Authenticator): Codes exist only on the device where you scanned the QR code
What if I can't scan the QR code?
What if I can't scan the QR code?
If you can’t scan the QR code (camera issues, using desktop authenticator, etc.):
- Click “Can’t scan? Enter code manually” below the QR code
- Copy the displayed secret key
- In your authenticator app, choose “Enter setup key manually” or similar
- Enter the account name (e.g., “Elementum”) and paste the secret key
- Ensure Time-based (TOTP) is selected as the key type
- Save and use the generated code to verify setup
Can I use SMS or email codes instead of an app?
Can I use SMS or email codes instead of an app?
No. MFA currently supports only TOTP authenticator apps. SMS and email-based verification are not available.TOTP apps are generally more secure than SMS (which can be intercepted through SIM swapping attacks) and more reliable than email (which can have delivery delays).
Can I use a hardware security key (like YubiKey)?
Can I use a hardware security key (like YubiKey)?
Hardware security keys are not currently supported. Only TOTP-based authenticator apps are supported.Support for hardware security keys may be considered for future releases.
Usage Questions
How often will I be prompted for MFA?
How often will I be prompted for MFA?
You’ll be prompted for your authenticator code:
- Every new login: When you enter your username and password
- After session expiration: When your session times out due to inactivity
- After logging out: When you explicitly log out and log back in
- While actively using Elementum within a session
- When switching between pages or apps within Elementum
- If you’re already logged in and open a new browser tab
My code was rejected. What should I do?
My code was rejected. What should I do?
The most common cause of rejected codes is time sync issues. Try these steps:
- Enable automatic time on your device:
- iOS: Settings > General > Date & Time > Set Automatically
- Android: Settings > System > Date & time > Automatic
- Wait for a fresh code: If your current code is nearly expired, wait for the next one
- Verify the correct entry: Make sure you’re using the code for Elementum, not another service
- Force time sync in your authenticator app (if available)
Does MFA affect API access?
Does MFA affect API access?
No. MFA applies only to interactive login through the Elementum web interface.API access using API keys or service account credentials is not affected by MFA. API authentication continues to work as before.This is standard practice—API calls are typically automated and can’t interactively provide MFA codes.
Will MFA slow down my login?
Will MFA slow down my login?
MFA adds one additional step to login: entering a 6-digit code. For most users, this adds only a few seconds.Tips for a smooth experience:
- Keep your authenticator app easily accessible
- Use Face ID/Touch ID to unlock your authenticator quickly
- Enter codes promptly when they appear (they’re valid for 30 seconds)
Recovery Questions
What if I lose access to my authenticator?
What if I lose access to my authenticator?
If you lose access to your authenticator device (phone lost, broken, or reset):
- Contact your organization administrator
- Verify your identity through your organization’s process
- Administrator requests MFA removal from Elementum Support
- Once MFA is disabled, log in with your password only
- Immediately re-enable MFA on your new device
Are there backup codes?
Are there backup codes?
No, backup codes are not currently available.To protect yourself:
- Use an authenticator app with backup/sync features (Microsoft Authenticator, Authy, 1Password)
- Know your organization’s recovery process before you need it
- Consider setting up your authenticator on multiple devices if your app supports sync
Can I recover my account myself if locked out?
Can I recover my account myself if locked out?
Currently, no. If you lose access to your authenticator and can’t generate codes, you must:
- Contact your organization administrator
- Complete identity verification
- Have them request MFA removal from Elementum Support
How do I switch to a new phone?
How do I switch to a new phone?
Before disposing of or resetting your old phone:
- Log into Elementum using your old phone’s authenticator
- Go to Account Settings > Security
- Disable MFA
- Set up your authenticator app on your new phone
- Re-enable MFA and scan the new QR code
- If your app has cloud backup, restore on your new device
- If not, follow the lost device recovery process
Administrator Questions
Can administrators enforce MFA for all users?
Can administrators enforce MFA for all users?
Not currently. MFA is currently user opt-in only.Admin-enforced MFA is on the roadmap for a future release. This will allow administrators to:
- Require MFA for all users
- Require MFA for specific roles
- Set grace periods for compliance
- Monitor enrollment status
Can administrators see who has MFA enabled?
Can administrators see who has MFA enabled?
There is no dedicated MFA enrollment report currently available.Administrators can:
- Review the Activity Log for MFA enablement/disablement events
- Manually track adoption through user communications
- Contact Elementum Support for assistance with adoption data
How do administrators help users who are locked out?
How do administrators help users who are locked out?
When a user loses authenticator access:
- Verify the user’s identity through your established process (manager confirmation, HR verification, security questions, etc.)
- Contact Elementum Support with:
- User’s email address
- Confirmation that identity was verified
- Your administrator credentials/authorization
- Support disables MFA for the user’s account
- Notify the user to log in and re-enable MFA
Does MFA affect service accounts?
Does MFA affect service accounts?
No. Service accounts are API-only accounts that cannot be used for interactive login. MFA does not apply to service accounts.
Security Questions
How secure is TOTP-based MFA?
How secure is TOTP-based MFA?
TOTP (Time-based One-Time Password) MFA is a well-established security standard (RFC 6238) used by major platforms worldwide. Key security properties:
- Codes are time-limited: Valid for only 30 seconds
- Codes are one-time use: Cannot be reused even within the validity window
- Secret is device-bound: The secret key never leaves your authenticator device during normal use
- Offline generation: Codes are generated locally without network communication
- No shared database: Elementum doesn’t store your actual codes, only verifies them
What data does Elementum store for MFA?
What data does Elementum store for MFA?
For MFA, Elementum stores:
- Your MFA enrollment status (enabled/disabled)
- An encrypted secret key used to verify your codes
- Timestamps of MFA events (enable, disable, successful/failed verifications)
- Your actual authenticator codes
- Access to your authenticator app or device
- Your device information (beyond what’s in normal access logs)
Can MFA be bypassed?
Can MFA be bypassed?
MFA cannot be bypassed through the normal login flow. However:
- Account recovery: Administrators can request MFA removal for account recovery (after identity verification)
- Session hijacking: If an attacker compromises an active session, MFA won’t help (it protects login, not existing sessions)
- SSO bypass: If your organization uses SSO, attackers who compromise your IdP credentials may not need Elementum MFA
Current Limitations
What features are not currently available?
What features are not currently available?
The following features are not currently available for MFA:
These features may be added in future releases.
| Feature | Status |
|---|---|
| Backup codes | Not available |
| SMS verification | Not supported |
| Email verification | Not supported |
| Hardware security keys | Not supported |
| Admin enforcement | Not available |
| Multiple device registration | Single setup (use app with sync) |
| Enrollment reporting | Not available |
| Conditional MFA (risk-based) | Not available |
Related Documentation
Last updated: January 2025