As an enterprise class developer, Mason’s highest priority is the security, safety, and privacy of customer data. To support this, the Mason Controller adheres to password best practices and supports Multi-factor Authentication (MFA).
Mason Controller Password Requirements
Mason Controller accounts have password requirements to ensure stronger security. All new passwords (e.g. created during a password resets or during new account creation) must meet the following criteria:
- minimum 8 characters
- no passwords from history of last 5 passwords
- no passwords from dictionary of common insecure passwords
- no user info (name, email, etc)
Multi-Factor Authentication (MFA)
Multi-factor Authentication (MFA) is a security mechanism that utilizes more than one authentication method to validate a user. Username and password verification alone is inadequate when data breaches and identity theft are common in society today, so the addition of a second authentication method that requires access to a physical device (e.g. a user’s phone) increases security significantly.
Mason’s implementation of MFA utilizes a “One Time Passcode” (OTP) for this secondary factor, leveraging an authentication app installed by Controller users on their mobile devices. Today, Mason supports Google Authenticator and Microsoft Authenticator. If your company is interested in using a different authenticator app, please reach out to Mason Support.
All Users May Opt-in to MFA
Mason Controller users may enable MFA at any time through the Settings option under the User Actions menu, which shows both their current MFA status along with options to Enroll or Unenroll. Unenrolling will remove the current secondary factor, allowing the user to restart the process at a later time (required, for example, if they are about to change their authentication app or device).
Note: If company-wide MFA enforcement (see below) is enabled, end users won’t be able to access Controller without re-enrolling in MFA. However, users will be able to enable MFA irrespective of company-wide MFA enforcement.
Company-wide MFA Enforcement
A Mason customer can mandate company-wide MFA enrollment to access Controller. The Controller account user administrator (user:admin scope) is permitted to enable/disable MFA company-wide. The user administrator is shown under Manage Users (see above screenshot).
Changing Company-wide MFA Enforcement
To change company-wide MFA enforcement, the user administrator (with user:admin scope) should select Settings from the user actions menu (the “...” at the top right). This should reveal an Accounts tab with MFA enforcement status and management actions. Iif the Accounts tab is not visible, the user administrator may not have the required user:admin scope.
Clicking on the relevant action link will trigger a dialog with additional information before confirming the change.
Note: If there is more than one Controller account, MFA can be enforced company-wide by enabling MFA at the account level for each individual Controller account.
When MFA is enforced company-wide, all users in the account must enroll in MFA the next time they log in before they can access Controller. As a result, we recommend notifying all Controller users before enforcing company-wide MFA to minimize disruption to access.
Disabling Company-wide MFA Enforcement
If company-wide MFA enforcement is disabled, users that have already configured MFA will now be able to opt-out of MFA but will not have MFA automatically removed from their accounts.
Updating Individual MFA
Even if company-wide MFA is enabled, users may change or update their MFA without requiring the intervention of a user administrator. In this case, after Unenrolling their MFA choice (for example, if they have acquired a new phone), they will be required to re-enroll when they log in again.
The MFA Enrollment Process
This section describes the MFA enrollment process.
Step 1: Initiation
The MFA enrollment process is initiated during login if either company-wide MFA enforcement is enabled or if a user has chosen to enroll in MFA. Users scan the presented QR code with their authenticator app, and then enter the code from the app.
Step 2: Recovery Code
After scanning the QR code and entering the correct confirmation code, the user will be shown a recovery code. This should be stored in a safe and secure location, as it is required to regain access in the event a user is unable to use their authenticator app (see How To Use A Recovery Code for more information).
Step 3: Confirmation
Upon successful enrollment the user will be presented with a success message. When the user logs in next, they will be required to use their OTP code from their authenticator app.
MFA Enrollment Status
The status of any user’s MFA enrollment status can be viewed in the User Management list for the account.
Unenrolling a User from MFA by the User Administrator
In the event a user cannot access their account (e.g. due to losing access to both their recovery code and OTP app), they must contact a user administrator who can reset a user’s MFA enrollment as follows:
- In the User Management list, select the user to view their details
- In the Security section of the user details drawer, next to the MFA status, click the Reset Link and confirm in the dialog that pops up. This will unenroll that user from MFA.
Using a Recovery Code
In the event a user has lost access to their authentication app, they can use the single-use recovery code that was generated during initial MFA setup.
To regain access using a recovery code, the user goes through the standard login flow (username, password, and MFA passcode). If they cannot access their MFA/OTP app, they can click the “Try another method” link (see Step 3 image) and then select “Recovery code”. At this point they will be prompted to enter their recovery code. Upon success, they will be given a new recovery code and then the standard login flow will apply (including re-enrolling in MFA if mandated).
Note: If a user has lost access to both their authenticator app and their recovery code, they will need to contact their appropriate Controller administrator to reset MFA for their account. If a user is unsure whom to contact, they can contact Mason Support for the identity of the appropriate individual in their organization to regain access.
Who is able to enforce company-wide MFA for all users? User administrator (user:admin scope) is required for a user to enable company-wide MFA. We recommend that at least two users have this permission to ensure redundancy. In addition, it is a best practice to routinely audit user permission levels to ensure they are set correctly for the job function of the user.
The user administrator is shown under Manage Users (see screenshot).
Is it possible to prevent users from opting in to MFA? All users may enroll in MFA, as this aligns with security best practices. For further information, please contact Mason Support so we can understand and address your needs.
How does MFA impact access to a Mason device? MFA is currently only utilized for Controller access and does not change access to a Mason device.
How does MFA impact CLI? MFA is only used for Controller logins and does not impact CLI. CLI V2 uses API keys to ensure secure logins. There is no plan for MFA support in CLI V1. For more information, please contact Mason Support.