Two-Factor Authentication Setup
Add an extra layer of security to your user accounts by using Two-Factor Authentication (2FA). Insight supports the use of an authenticator app like Google Authenticator (Google and Google Authenticator are trademarks of Google LLC and this guide is not endorsed by or affiliated with Google in any way).
Typically, this app runs on your mobile phone. It generates 6-digit codes, which are entered during login, in addition to a password.
The following short tutorial walks through the setup at user level.
Setting up Two-Factor Authentication as a user
Unless 2FA is enforced at school or Trust level, each user needs to enable Two-Factor Authentication for their account, via Account > User Profile.
Next, click Enable Two-Factor Authentication.

Now follow the instructions to scan the QR code with your authenticator app of choice.

Enter the code from your authenticator app into the text box under Step 2 and click Next.
If successful, you will be presented with your recovery codes. Note these somewhere safe. They allow one-time access in the event that you lose access to your authenticator device. Use them for emergency access only, not for normal logins.
See the 2FA recovery codes guide for more detail.
Enforce Two-Factor Authentication for the school or Trust
Admin users can enforce use of 2FA for all users in the school. Similarly, Trust admin users can enforce use of 2FA for all users in all schools in the Trust.
To immediately enforce 2FA, open the Account menu > Admin > Two-factor authentication in the Users section.

Tick the box labelled Require two-factor authentication for all users and click Save.
If users are already logged in to Insight, they will be required to complete the setup. If they're looking at a report, for example, they'll be unable to make any changes to it. Users should be warned about this, and advised to click the Home button. They'll then see the message prompting them to complete the 2FA setup.

At this point, the setup works the same as when set up for a user, as described above.
Account Recovery
If you lose your recovery codes and your authenticator access, then you will need to contact a user in your school or Trust who has Admin access and ask them to disable Two-Factor Authentication for your account. This will let you log in to your account and then re-enable Two-Factor Authentication once logged in.
Admin users can disable Two-Factor Authentication for a user by accessing the Manage Staff screen (select Users from Admin) and editing the user.

Troubleshooting
Login codes are rejected
If Insight is rejecting the 6-digit codes from your authenticator app when you attempt to log in, check that the time is correct on both your phone and the computer you're using to log in to Insight.
Authenticator apps generate codes based on the current time on your device. If your phone or computer clock is out of sync (even by a minute or two), the code it generates may not match what Insight expects, which can result in a login failure, even if the code looks correct.
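The clock-drift failure described above, shown as an added example (not Insight's own code): a minimal RFC 6238 time-based code generator and verifier. The 30-second step, HMAC-SHA-1 and the one-step acceptance window are assumptions; this guide does not state the settings Insight uses.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (RFC 6238 default; assumed)
DIGITS = 6   # matches the 6-digit codes described in this guide
SECRET = b"12345678901234567890"  # constructed test secret from the RFC test vectors


def totp(secret: bytes, unix_time: int) -> str:
    """Time-based one-time code: HMAC-SHA-1 over the 30-second step counter."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side (assumed policy)."""
    return any(
        hmac.compare_digest(totp(secret, server_time + drift * STEP), code)
        for drift in range(-window, window + 1)
    )


def login_outcome(secret: bytes, server_time: int, phone_clock_error: int) -> bool:
    """Simulate a phone whose clock is wrong by `phone_clock_error` seconds."""
    code_on_phone = totp(secret, server_time + phone_clock_error)
    return verify(secret, code_on_phone, server_time)


if __name__ == "__main__":
    server_time = 150  # constructed timestamp, kept small so results are easy to check
    for error in (0, 20, -25, 120, -120):
        outcome = "accepted" if login_outcome(SECRET, server_time, error) else "rejected"
        print(f"phone clock off by {error:+4d}s -> {outcome}")
```

A few seconds of drift still lands inside the accepted window, while a clock that is two minutes out produces a code from a step the verifier never checks, so a correctly typed code is rejected.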