What is Two-Factor Authentication?


Two-Factor Authentication (2FA) is an access management method that requires two forms of identification to access a system.  This means that a user gains access using "something you know" (a password) and "something you have" (typically, a time-sensitive token provided via an app or plugin).  


Why use it?


2FA greatly improves information security by eliminating the risks of compromised passwords.  Even if a password is shared, hacked or guessed, it will not expose any information, because the second factor (the token) is required to gain access to an account.  


2FA is also much easier to use than earlier token-based systems.  Because it is supported by a variety of trusted apps and browser plugins, it does not depend on specific hardware, and users can use a familiar app for all their 2FA logins.


Planning your 2FA rollout


Once 2FA is enabled on your PPP account, any user who has full access to any of your account's client companies will be required to enroll in 2FA.  The enrollment process consists of connecting the user's Presto account to an authenticator app such as Google Authenticator.  Once the user is enrolled in 2FA, they will be required to provide their email address, password, and the code from their authenticator app when they log on.


If you intend to use 2FA for your Presto account, it is important to plan the rollout carefully so as to not disrupt operations. We suggest the following steps to prepare for 2FA:


  • Review the list of users who have access to your account.  Every user that has access to any company owned by your PPP account will be required to use 2FA.  This may include contractors or partners as well as your employees.  Implementing 2FA is a good time to review who has access to your client companies and remove any unneeded access.  You can see this information by selecting a client company in the nav and going to Setup -> Sharing.
  • Select 2FA app(s). This is optional, but in most cases you will want to designate one or more 2FA apps or plugins that are officially supported by your IT department.  If you offer multiple options, each user can choose which app or plugin they wish to use. Once they have done so, they must use that method each time they log on: a user cannot enroll using Google Authenticator and then decide that they would rather use 2FAS.
  • Set an enrollment start date and deadline.  We strongly suggest setting an enrollment period during which users are given the option to enroll.  This allows users to set up an authenticator app and complete the process when it is convenient for them to do so.  Once the enrollment period is over, all users will be forced to enroll in 2FA and to use 2FA to log in.  To avoid any disruption of operations, allow a sufficient enrollment period so that all of your users can complete the enrollment process and avoid being locked out.  
  • Eliminate any password sharing.  Remember that when logging on to a system that uses 2FA, you need "something you know" (the account password) and "something you have" (your authenticator app or plugin).  Your users may share passwords, but they can't share phones or computers -- so once 2FA has been implemented, only one person will be able to use each account.  Password sharing is always a bad idea, and 2FA makes it impossible.  
  • Notify your users of the 2FA requirements, dates, and supported apps or plugins.  Be sure to include all users who have access to any of your client companies, not just your employees.


All of these steps should be complete before the beginning of the enrollment period.  


Once you have decided on the dates of your enrollment period, contact Presto Support at [email protected] with the start of the enrollment period and the date when you wish 2FA to be enforced.  



2FA enrollment process


During the enrollment period, users are shown a popup like the one below, displaying the date by which they must be enrolled in 2FA:



If the user opts to enable 2FA before the end of the enrollment period, they will see a page like the one shown below.  When the end date is reached, all users will be required to enroll, and will not be able to navigate to other pages until they have successfully enrolled (so the message on the page is slightly different).



Once the user has entered their password, they will see a QR code, as shown below.  The user can scan this code using their authenticator app.  If they are using a browser plugin on a computer instead of a mobile app, they can manually enter the setup key.  A six-digit code is displayed in the authenticator app next to Presto Insta-Shops.  This code is good for 30 seconds, after which it refreshes.  The code must be entered on the screen as shown below:



Once the code is entered, the user sees a success message:



Once a user is enrolled, they will be prompted to enter a code when they log in (after entering email and password).  The user opens their authenticator app or popup, looks for Presto Insta-Shops, and enters the code on the login screen as shown below:




2FA problems


The most common problem with 2FA logins is the code expiring.  If the user does not enter the 2FA code within 30 seconds of the time that it was generated by their authenticator app, they will see an error message ("The passcode is incorrect").  In this case, the user should simply go back to their authenticator app and get a new code.  They do not have to provide their email and password again.
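The six-digit, 30-second codes described in the enrollment section and the "passcode is incorrect" error above both follow from how time-based one-time passwords work: the authenticator app and the server derive the same code from the shared setup key and the current 30-second time step, so a code entered after its step has passed no longer matches. The following is an added example, not Presto's own code; it assumes Presto follows the standard TOTP algorithm (RFC 6238 over HMAC-SHA1, which is what Google Authenticator implements by default) and uses a constructed setup key. It shows how a code is derived from a base32 setup key, how a server-side check can tolerate one step of clock drift while still rejecting stale codes, and how many seconds remain before the app refreshes.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo setup key in the base32 form shown on an enrollment page.
# This is NOT a real Presto key; it is only here so the script runs offline.
DEMO_SETUP_KEY = "JBSWY3DPEHPK3PXP"
STEP_SECONDS = 30   # the code refreshes every 30 seconds, as the article states
DIGITS = 6          # six-digit codes


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a fixed number of decimal digits."""
    # Setup keys are often displayed without base32 padding and with spaces
    # for readability; normalise before decoding.
    key_text = secret_b32.replace(" ", "").strip().upper()
    key_text += "=" * (-len(key_text) % 8)
    key = base64.b32decode(key_text)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret_b32, at_time // step)


def verify_totp(secret_b32: str, submitted: str, at_time: int,
                step: int = STEP_SECONDS, skew_steps: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and for
    `skew_steps` neighbouring steps (to absorb small clock drift between the
    phone and the server), compares in constant time, and rejects anything
    that is not exactly six digits. A code from an older step is the
    'passcode is incorrect' case the article describes."""
    submitted = submitted.strip()
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    counter = at_time // step
    for c in range(counter - skew_steps, counter + skew_steps + 1):
        if hmac.compare_digest(hotp(secret_b32, c), submitted):
            return True
    return False


def seconds_until_refresh(at_time: int, step: int = STEP_SECONDS) -> int:
    """How long the code shown at `at_time` remains the current one."""
    return step - (at_time % step)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SETUP_KEY, now)
    print(f"current code: {code} (refreshes in {seconds_until_refresh(now)}s)")
    print("accepted now:", verify_totp(DEMO_SETUP_KEY, code, now))
    # Two full steps later the same code is stale and must be rejected.
    print("accepted 60s later:", verify_totp(DEMO_SETUP_KEY, code, now + 60))
```

The one-step tolerance in `verify_totp` is the usual compromise: it keeps a user from being rejected because their phone's clock is a few seconds off, while still refusing a code that was captured or typed late. Keeping the tolerance small matters because every extra accepted step widens the window in which an observed code stays valid.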


Sometimes a user may make an error in the 2FA enrollment process and not be able to recover.  They may also run into problems if they lose their phone or laptop (or get a new one).  If this happens, contact Presto Support at [email protected] and request that the user be unenrolled from 2FA.  Our support team will unenroll them from 2FA, and they can redo the enrollment process.