The Administrators can now configure the additional security layer with One Time Passwords (OTPs).

First level authentication is enforced by entering the username and password and second level of authentication includes entering the One Time Password (OTP) which is another verification code sent to the user’s registered email address. OTPs are valid for only one login attempt and are interval-based.

The user has to enter the unique OTP received for the successful login.

Note:

This feature is supported only for web application where authentication happens using Form Login page.
This feature is not supported for SSO authentication mechanism; however, MFA can be achieved for SSO authentication on the respective SSO provider platform.

Figure: Multi-Factor Authentication

Business Benefits of OTP:

Unique OTP Verification Code – As OTPs are unique, temporary, and expire within a short interval of time, it prevents reuse or hacking of these verification codes.
Enhances Security – OTPs provide an additional layer of security when primary verification of username/password is compromised.

Configuration

A new section Multi-Factor Authentication is added on the Domain page (Admin > Basic > Infrastructure > Domain) to configure OTP Authentication. Specify the required fields.

Figure: DOMAIN

The following table describes the fields under the section Multi-Factor Authentication on the DOMAIN page.

Field	Description
Multi-Factor Authentication
Enable Multi-Factor Authentication	MFA is disabled by default. To enforce OTP authentication, you must select Enable Multi-Factor Authentication checkbox. If selected, the user will be asked for OTP authentication.
OTP Expiry Time (in mins)	Specify the time in minutes for which the OTP will be valid. The minimum and default OTP Expiry time is 15 minutes. The maximum OTP Expiry time is 30 minutes.
OTP Length	Specify the length of the OTP. The minimum and default length of the OTP can be 5 characters. The maximum length can be up to 16 characters. Note: OTP is only numeric.
Maximum number of attempts	Specify the maximum number of attempts to enter the incorrect OTP. The minimum number for retrying OTP attempt is 1. The default number for retrying OTP attempts are 3. The maximum number for retrying OTP attempts are 99. Note: By default, if you exceed maximum number of incorrect attempts then the user has to login once again to the SummitAI application.
Lock user account	If selected, user account will be locked once you exceed the maximum number of incorrect attempts. By default, Lock User Account is not selected. Note: To unlock the account, user has to contact the administrator.
OTP Recipients
Customer	Select one of the options from the drop-down list. Available options are as follows: ALL – Choose ALL to select all customers. SELECT - Choose SELECT and specify the specific customers.
Location	Select one of the options from the drop-down list. Available options are as follows: ALL - Choose ALL to select all locations. SELECT - Choose SELECT to select the specific locations. Note: If you select both the Customer and Location, the OTP will be sent to the users of the Customer located in that configured location. For example: Consider SummitAI is Customer and Bangalore is the Location. The OTP will be sent to the SummitAI users at Bangalore location.
User List	Select one of the options from the drop-down list. Available options are as follows: ALL - Choose ALL to send the OTP to all the users under the configured domain. SELECT - Choose SELECT to specify the User in the Type in field to send the message.
	Click icon to add new recipients by selecting the required OTP Recipients options available in the drop-down.
	Click icon to delete the recipients by selecting the required OTP Recipients options available in the drop-down.

To Sign in
To sign-in to SummitAI web application:

Type in the SummitAI URL in the address bar of the browser. The SIGN IN page is displayed.

Figure: SIGN IN Page
Specify the username and password.
Click SIGN IN. If username and password is correct, then the user will be redirected to OTP authentication page.

Figure: OTP Verification

Figure: E-mail Sample Screenshot

OTP will be sent to the user’s registered e-mail address. Enter the OTP received via e-mail.
The following table describes RESEND OTP usage.

Click

Action

RESEND OTP

To resend the OTP if you have not received OTP or if your OTP is expired.

OTP expiry time is displayed based on the Multi-Factor Authentication configuration.

For example: “OTP will expire in 04:50 min”

As per the above message, your OTP will get expire after 04:50 mins.

Click Verify.

OTP

Action

Is correct

The user is allowed to login to the application.

Is not correct

The user is not allowed to login to the application. Error message will be displayed with left-out attempts.

For example: Invalid OTP, you are left with 2 more attempt(s).

User may re-enter the OTP.

Note: User account will get locked if the user exceeds the maximum number of incorrect OTP attempts, based on Multi-Factor Authentication configuration.