Multi-Factor Authentication for Vendors - Frequently Asked Questions

Last updated November 19, 2024
Written by Joel Martin

What is Multi-Factor Authentication (MFA)? 


Multi-Factor Authentication (MFA) is a powerful security method for protection against cybercriminals, requiring at least two verification factors to log into Felix. This additional layer of security prevents unauthorised users from accessing Felix, even if a password has been stolen.


When you log into Felix, first you will be asked to enter your username and password. Then, you’ll be prompted to provide a second form of verification - you might choose to receive a code sent to your mobile phone number, or access a code via an authentication app, and enter this code to complete the login process.   


Refer to our Help articles to learn more about What is Multi-Factor Authentication, and How to enable MFA.


Why is MFA important? 


It’s critical to bolster the security features offered to Felix users, and MFA adds an extra layer of defence to your account against malicious activity. This will make you less vulnerable to email phishing attacks or compromised credentials, especially if you’re using the same username and password as login credentials across multiple websites.


Who is MFA available for? 


MFA is available for Felix vendor users, and it’s strongly advised that vendors enable MFA to secure their Felix account as soon as possible. 


How do I set up MFA? 


To set up, please refer to our Help Article: How to Enable MFA 


Can I use my email as a form of MFA?


No, we are not allowing email as a form of MFA.


The reason for this is that many account breaches begin with compromised email credentials. If a malicious user gains access to your email account, they could perform a forgotten password action for Felix to reset your password, and then receive the MFA code in the same email account. This means your Felix account could be taken over by just one malicious user accessing your email account.


Therefore, the two options to enable MFA for your Felix account include SMS authentication (for Australian phone numbers only) and an Authenticator app.


Do I need to use MFA every time I log in?


No, you don't need to use MFA every time you log in.


When logging in with MFA, you can select "Remember me on this device for 30 days". 


Please note that clearing your cache may revoke this 30-day rule, as will using a different device or browser.



My team uses a shared account to log into Felix. Why does this pose a security risk?


Using shared accounts to access technology platforms that support your business, such as Felix, poses a significant security risk. While it may seem convenient to use a single login for multiple users, this practice can lead to major vulnerabilities.  


Here are some of the dangers of using shared accounts:  


  • Increased risk of account compromise: Compromised credentials are a common entry point for hacking your systems and data. Shared credentials are significantly easier for cybercriminals to obtain, giving them access to sensitive customer and financial information and potentially causing significant harm to your business. If you’re a Felix vendor, imagine if potential hackers obtained a shared credential to log in and update your payment information to their own bank account – think of the financial implications!


  • Storage vulnerabilities: Shared credentials are often stored within SharePoint, Google Drive, or even a Post-It note on a noticeboard – in places that multiple users can access. This increases the risk of this information getting into the hands of unauthorised users, including cybercriminals. And for a hacker, the beauty of shared accounts is that they make it difficult to track malicious activity (see next point).


  • Difficult to investigate malicious activity: Using a shared account makes it difficult to link specific actions to employees and even harder to track cybercriminals. Shared accounts make it hard to monitor unusual access activity such as simultaneous logins or multiple logins from different devices or browsers.


  • Lack of transparency and accountability: One of the benefits of Felix is its traceable audit trail of activity. However, if multiple people are using the same account, it becomes impossible to determine who made which changes. This could include unapproved updates, mistakes, or in more serious cases, malicious activity by a hacker. 


  • Security vulnerabilities: Shared accounts lack robust security measures. For example, setting up Multi-Factor Authentication (MFA) for Felix becomes problematic with shared accounts, as the setup requires a unique access point, such as a mobile device, to receive an authentication code. MFA is a powerful security method for protection against cybercriminals - while a hacker may have stolen one proof of identity, such as access to your email platform, they still need to obtain and use other proofs of identity to access your account.


  • Employee turnover risk: Shared accounts can become security risks when employees leave the organisation. If passwords aren't changed, former employees retain access to Felix and its confidential information. The more people with access to a shared account, the higher the compromise risk. 


  • Compliance violations: Many organisations have compliance and security standards to comply with, such as ISO 27001. If your organisation or your customers are subject to such data protection regulations, using shared accounts to access SaaS solutions such as Felix is a violation of those requirements.

 

How can I enable MFA if my team uses a shared account to access Felix? 


MFA requires a unique access point, such as a mobile device, to receive an authentication code. This acts as a second proof of identity to access your Felix account.


If you need to add individual users to your Felix account to allow for MFA setup, please refer to our guide: How to add a new vendor user


Can I still use a shared account to receive Felix approvals and notifications? 


When logging into Felix, it’s strongly advised to use an individual login to strengthen account security during this stage of account authorisation.  


Once logged into Felix, you can still benefit from the convenience of having notifications and messages sent to a shared mailbox or a mailing list - you can set up an additional user account with your shared email address (e.g. admin@yourcompany.com) in Felix for communication purposes only. 


How else can I exercise good cyber security hygiene when accessing Felix? 


While Felix prioritises security and compliance, a large part of account security remains in your hands as a user.  


Here’s how you can make your account security a priority: 


  • Use individual accounts to access Felix: Ensure all users have their own individual login. If you're a Felix enterprise user, please contact your Felix administrator to add your individual login. For our vendors, please refer to our guide How to add a new vendor user.

 

  • Vendors can enable Multi-Factor Authentication (MFA): MFA is a great tool for vendors to add an extra layer of defence to their Felix account, which strengthens the security of the entire supply chain. Learn how to do this in our Help article How to Enable MFA.


  • Choose a strong and unique password: Never use the same password across multiple sites, and you might want to consider a passphrase.


How can I enable MFA if I’m not located in Australia?  


There are two options to set up MFA for your Felix account. 

  • SMS authentication - SMS-based MFA is only available for Vendors with Australian mobile numbers (+61 Country Code). 
  • Authenticator App 


If you’re located outside of Australia, you can download an Authenticator App onto your device (the second option). Some popular Authenticator apps include Google Authenticator, Microsoft Authenticator, and Authy. 


Once you have downloaded the app, you can follow the steps in the first section of our help guide to set up MFA: How to Enable MFA     
