Multi-Factor Authentication - Disclosurely Security

MFA setup, authenticator apps, SMS verification, hardware tokens, backup codes, and enforcing multi-factor authentication for whistleblowing security.

Multi-Factor Authentication (MFA)

Add an essential layer of security to protect your whistleblowing platform with multi-factor authentication.

Overview

Multi-factor authentication (MFA) significantly strengthens account security by requiring two or more verification methods to access your Disclosurely account. Even if someone obtains your password through phishing, data breach, or guessing, they cannot access your account without the second factor. For organizations handling sensitive whistleblowing data, MFA is essential to protect reporter confidentiality, prevent unauthorized case access, and maintain compliance with security standards like ISO 27001 and SOC 2.

MFA is mandatory for Organization Administrators and strongly recommended for all users with access to whistleblowing cases. Enabling MFA reduces the risk of account takeover by 99.9% according to industry research, making it one of the most effective security controls available.

Why MFA Matters for Whistleblowing Platforms

Protecting Sensitive Data

Whistleblowing platforms contain extraordinarily sensitive information that requires the highest level of protection:

  • Reporter identities: Unauthorized access could expose whistleblowers to retaliation
  • Investigation evidence: Confidential documents, financial records, and witness statements
  • Case details: Sensitive allegations involving executives, harassment, or fraud
  • Secure communications: Private messages between reporters and investigators
  • Personal data: Names, contact information, and employment details

A single compromised account could expose this sensitive data, damage trust in your reporting system, create legal liability, and violate regulatory requirements. MFA prevents this by ensuring that stolen passwords alone cannot grant access.

Common Security Threats MFA Prevents

Phishing Attacks:

  • Fraudulent emails tricking users into revealing passwords
  • Fake login pages that capture credentials
  • MFA blocks access even if password is compromised

Credential Stuffing:

  • Automated attacks using leaked passwords from other breaches
  • Many users reuse passwords across multiple sites
  • MFA stops these attacks at the authentication stage

Password Guessing:

  • Brute force attacks trying common passwords
  • Social engineering to guess passwords from personal information
  • MFA makes password guessing ineffective

Insider Threats:

  • Former employees attempting to access systems after departure
  • Unauthorized colleagues trying to access restricted cases
  • MFA limits access to authorized devices and methods

Session Hijacking:

  • Attackers stealing active session tokens
  • Network interception of login sessions
  • MFA with device binding prevents session theft

Learn more about overall security controls in the Security Overview documentation.

Supported MFA Methods

Authenticator Apps (TOTP)

Time-based One-Time Passwords (TOTP) generated by authenticator applications provide the best balance of security and convenience.

Supported Authenticator Apps:

  • Google Authenticator (iOS, Android)
  • Microsoft Authenticator (iOS, Android)
  • Authy (iOS, Android, Desktop)
  • 1Password (iOS, Android, Desktop, Browser)
  • Bitwarden Authenticator (iOS, Android)
  • Any TOTP-compatible authenticator

How It Works:

  1. During setup, scan a QR code with your authenticator app
  2. App generates new 6-digit codes every 30 seconds
  3. Enter current code when logging in
  4. Works offline, no network connection required
  5. Codes synchronized via secure time-based algorithm

Benefits:

  • Works without cellular or internet connection
  • More secure than SMS (no SIM swap risk)
  • Fast and convenient
  • Multiple accounts in one app
  • Backup and sync options (app-dependent)

SMS Verification

Text message codes sent to your mobile phone provide accessible MFA for users without smartphones or authenticator apps.

How It Works:

  1. Enter your mobile phone number during setup
  2. Receive 6-digit code via SMS at login
  3. Enter code to complete authentication
  4. New code required for each login session

Considerations:

  • Requires cellular connection or SMS capability
  • Vulnerable to SIM swap attacks (rare but possible)
  • May have delays in code delivery
  • International SMS may have additional costs
  • Less secure than authenticator apps but better than password-only

Email Verification

Email codes provide a fallback MFA option when other methods aren't available.

How It Works:

  1. Configure backup email address
  2. Receive verification code via email at login
  3. Enter code to complete authentication
  4. Use a different email address from your primary account email (recommended)

When to Use:

  • Backup method if phone unavailable
  • Users without mobile devices
  • Temporary access for specific situations
  • Not recommended as primary MFA method

Hardware Security Keys (Enterprise Plan)

Physical USB or NFC security keys provide the highest level of security for Enterprise customers.

Supported Keys:

  • YubiKey 5 Series
  • Google Titan Security Keys
  • Feitian ePass FIDO Keys
  • Any FIDO2/WebAuthn compatible key

How It Works:

  1. Insert USB key or tap NFC key
  2. Press button to confirm
  3. Cryptographic challenge-response authentication
  4. Phishing-resistant authentication

Benefits:

  • Most secure MFA method available
  • Phishing resistant (cannot be tricked)
  • No codes to enter
  • Works offline
  • Durable and long-lasting

Biometric Authentication

Device biometrics like fingerprint and Face ID can be used in conjunction with other MFA methods on supported devices.

Supported Biometrics:

  • Apple Touch ID and Face ID
  • Windows Hello (fingerprint, facial recognition)
  • Android fingerprint sensors
  • Platform-specific biometric authentication

How It Works:

  • Stored locally on your device, never transmitted
  • Used to unlock authenticator apps or hardware keys
  • Provides a convenient second factor on trusted devices
  • Combines with other MFA methods for enhanced security

Setting Up MFA

For Users

Initial MFA Setup:

  1. Navigate to Security Settings

    • Log into your Disclosurely account
    • Click your profile icon in top right
    • Select "Account Settings" > "Security"
    • Click "Enable Multi-Factor Authentication"
  2. Choose MFA Method

    • Select authenticator app (recommended)
    • Or choose SMS or email verification
    • Follow on-screen instructions
  3. Configure Your Method

    • For authenticator: Scan QR code with your app
    • For SMS: Enter and verify mobile number
    • For email: Confirm backup email address
  4. Save Backup Codes

    • Download or print 10 single-use backup codes
    • Store securely (password manager or safe location)
    • Use if primary MFA method unavailable
    • Each code works only once
  5. Verify Setup

    • Enter verification code to confirm
    • Test MFA by logging out and back in
    • Ensure backup codes stored securely
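As an added example (not Disclosurely's own code), this Python shows how a service can issue the 10 single-use backup codes from step 4 and keep only salted hashes, so each code works exactly once; the code format and alphabet are assumptions.

```python
import hashlib
import hmac
import secrets

BACKUP_CODE_COUNT = 10   # ten single-use codes, as on the page
# Constructed alphabet: no 0/o/1/l/i, so printed codes are hard to mistype
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = BACKUP_CODE_COUNT) -> list[str]:
    """Fresh plaintext codes, shown or downloaded once; the service keeps only hashes."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(8))
        codes.append(f"{raw[:4]}-{raw[4:]}")   # e.g. "k7pq-3wxy" (assumed format)
    return codes


def normalize(code: str) -> str:
    """Tolerate dashes, spaces and upper case when the user types a code back."""
    return code.strip().replace("-", "").replace(" ", "").lower()


def hash_code(code: str, salt: bytes) -> bytes:
    """scrypt so a leaked hash table is expensive to brute-force offline."""
    return hashlib.scrypt(normalize(code).encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


class BackupCodeStore:
    """Per-account store of salted hashes for unused codes; a code is deleted on first use."""

    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self.unused = [hash_code(c, self.salt) for c in codes]

    def redeem(self, candidate: str) -> bool:
        digest = hash_code(candidate, self.salt)
        for i, stored in enumerate(self.unused):
            if hmac.compare_digest(stored, digest):
                del self.unused[i]   # single use: consume it, never accept it again
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)
```

Regenerating codes (the "Managing MFA" advice) is simply building a new store from generate_backup_codes(), which invalidates every old code at once.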

Managing MFA:

  • Add multiple MFA methods for redundancy
  • Regenerate backup codes if used or lost
  • Update phone number if it changes
  • Remove and re-add if changing devices
  • Review trusted devices periodically

For Administrators

Enforcing MFA Organization-Wide:

  1. Navigate to Organization Settings

    • Dashboard > Settings > Security
    • Find "Multi-Factor Authentication" section
    • Configure MFA enforcement policy
  2. Configure MFA Requirements

    • Required for Admins: Mandatory (cannot be disabled)
    • Required for All Users: Toggle to enforce MFA for everyone
    • Grace period: Set transition period for users to enable MFA
    • Exemptions: Specify any exempted accounts (not recommended)
  3. Communication and Rollout

    • Notify users of MFA requirement before enforcement
    • Provide setup instructions and support resources
    • Set reasonable grace period (7-14 days recommended)
    • Monitor MFA adoption via administrator dashboard
  4. Monitor Compliance

    • View MFA enablement status for all users
    • Identify users who haven't enabled MFA
    • Send reminder notifications
    • Lock accounts after grace period expires
    • Generate MFA compliance reports for audits

Best Practices for Administrators:

  • Enable MFA yourself before requiring it for others
  • Provide user training and documentation
  • Offer IT support during rollout period
  • Consider department-by-department rollout
  • Document MFA policies for compliance
  • Review MFA methods allowed in your organization
  • Disable less secure methods if required by policy
  • Regularly audit MFA usage and compliance

Learn more about configuring security settings in Team Management.

Troubleshooting MFA

Lost Access to MFA Device

If you lose access to your authenticator app or phone:

  1. Use Backup Codes

    • Enter one of your saved backup codes at login
    • Access account and reconfigure MFA
    • Generate new backup codes
  2. Contact Administrator

    • Organization administrator can temporarily disable MFA
    • Allows you to log in and set up new MFA method
    • All MFA resets are logged for security auditing
  3. Contact Support

    • If administrator unavailable or you are the administrator
    • Identity verification required
    • Email: support@disclosurely.com
    • Include: Organization name, account email, description

MFA Codes Not Working

If authentication codes are rejected:

  • Check time synchronization: Authenticator apps require accurate device time
    • iOS: Settings > General > Date & Time > Set Automatically
    • Android: Settings > Date & Time > Automatic date & time
  • Verify correct account: Ensure you are using the code for Disclosurely, not another service
  • Wait for new code: Don't reuse codes; wait for the next 30-second cycle
  • Check code entry: Ensure there are no spaces and all 6 digits are entered correctly
  • Try backup code: Use a backup code if the authenticator is not working
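As an added example (not Disclosurely's own code) of the time-based algorithm described under Supported MFA Methods, and of why the time-sync and code-reuse advice above matters, this Python implements RFC 6238 TOTP with a one-step clock tolerance and single-use enforcement on the verifying side. The secret is the published RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test key ("12345678901234567890" in base32), used here as a constructed demo secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # codes rotate every 30 seconds
DIGITS = 6          # 6-digit codes


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, zero-padded digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30). This is what the app displays."""
    return hotp(base64.b32decode(secret_b32), at // STEP_SECONDS)


class TotpVerifier:
    """Server-side check: +/-1 step clock tolerance, each time step accepted at most once."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret = base64.b32decode(secret_b32)
        self.skew_steps = skew_steps
        self.last_accepted_step = -1   # highest step already consumed by a successful login

    def verify(self, code: str, now: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False  # stray spaces or a missing digit ("Check code entry")
        current = now // STEP_SECONDS
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self.last_accepted_step:
                continue  # that step's code was already used: reject the replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False  # also the outcome when the device clock is minutes off


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET_B32, int(time.time())))
```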

SMS Codes Not Arriving

If you don't receive SMS codes:

  • Check phone number is entered correctly in settings
  • Ensure phone has cellular signal
  • Check spam/blocked messages
  • Wait 5 minutes and request new code
  • Try alternative MFA method (authenticator app)
  • Contact your mobile carrier about SMS blocking
  • Update phone number if it changed

Locked Out of Account

If you can't access your account:

  • Use backup codes if available
  • Contact your organization administrator for MFA reset
  • Contact Disclosurely support with identity verification
  • Administrator accounts: Email security@disclosurely.com

MFA Best Practices

For All Users

  • Enable MFA as soon as possible, don't wait for enforcement
  • Use authenticator app rather than SMS when possible
  • Save backup codes securely (password manager recommended)
  • Don't share MFA codes with anyone
  • Don't photograph or screenshot QR codes
  • Keep backup codes separate from device
  • Update MFA settings when changing devices
  • Review active sessions and trusted devices regularly
  • Report suspicious MFA prompts you didn't initiate

For Administrators

  • Make MFA mandatory for all users, not just administrators
  • Provide adequate notice before enforcement
  • Offer training and support during rollout
  • Monitor MFA adoption rates
  • Regularly review MFA method security
  • Disable less secure methods if policy requires
  • Document MFA requirements for compliance
  • Include MFA in security awareness training
  • Audit MFA reset requests for suspicious activity

For Mobile Device Users

  • Enable device passcode/biometric lock
  • Use authenticator app with cloud backup (Authy, 1Password)
  • Don't root/jailbreak devices with MFA apps
  • Keep authenticator app updated
  • Set up MFA on multiple devices for redundancy
  • Use device-level encryption
  • Enable remote wipe capability if device lost
