
Introduction

Lawmaker uses multi-factor authentication to make the application more secure.

The first time you sign in after your account has been created (or reset)

After you’ve updated your password, you’ll be asked to set up MFA.

To do this you will need to install an authenticator app on your mobile phone if you don't already have one. There is a range of authenticator apps for Android phones and iPhones, including Google Authenticator and Microsoft Authenticator - they all work in a similar way.

Be aware that you will never be asked to pay any money when signing up to activate your Lawmaker account. Any request for payment is a scam. If you are asked to subscribe or make a payment, stop immediately and remove the app from your phone.

Fake Multifactor Authentication (MFA) Scam

There are many fake apps which look very similar to the genuine Microsoft or Google apps, and these may ask you to pay an annual or monthly subscription fee to use the app. The genuine apps will never ask for payment. They are free. Some of these fake apps may also mine your phone for personal data and/or share passwords or MFA tokens with unauthorised third parties, putting Lawmaker, other corporate systems and potentially your own digital identity at risk.

How to avoid downloading a fake app

Ensure you are downloading the app from a reliable source such as the Google Play store or Microsoft. A genuine app may not be the first on the list, so scroll down a bit and check. Under the name of the app will be the source - for Google it will be Google LLC, and for Microsoft it will be Microsoft Corporation (check the spelling carefully, fake apps may have just one wrong letter). Tap on the app to open it and then tap on the source name and you will be taken to the organisation’s web site. Check the web site carefully. If the logo looks slightly odd (maybe a slightly different colour or shape), or there are spelling mistakes in the text, it’s likely a fake authenticator. If all looks good, download the app and proceed with the instructions. Remember you will never be asked to pay for the app or take out a subscription. If you are, stop at this point and delete the app.

Lawmaker will display a QR code on the screen. Open your authenticator app and click on the plus sign to add a new account. Follow the instructions in the app to scan the code on your computer’s screen. This will link your Lawmaker user account with the authenticator app and the app will start producing codes that can be used for signing in to Lawmaker.

Type in the code that is currently showing on the app and click Verify Security Token.

When you sign in for a second or subsequent time

Whenever you log in in future you will first be asked for your username and password. You may then be asked to also provide a code from your authenticator app to provide additional assurance of your identity.

If the dialogue box above appears then open up your authenticator app on your phone. Type the code showing on the phone into the dialogue box and click Continue.

What happens if I get a new phone or lose my phone?

If you get a new phone then the authenticator app will enable you to transfer your MFA keys from the old phone to the new phone (e.g. the old phone will generate a QR code which can be scanned into the new phone). Some authenticator apps also enable you to do a secure backup of your keys as another way of retrieving them on a new phone.

If you lost your phone and so were unable to transfer your keys to a new device then contact Lawmaker support to get your account reset.

More information about MFA

What is "multi-factor authentication"?

Multi-factor authentication means a user is only granted access to a system if they provide two or more different kinds of evidence as to their identity.

A password is one piece of evidence (it is something only the user should know). Further evidence can be something the user has in their possession (such as a card or USB stick) or an inherent characteristic of the user (e.g. a fingerprint).

For Lawmaker, in addition to providing a password, you will sometimes be asked to provide evidence that you have something in your possession (a mobile phone or tablet). The evidence will be a code generated by an app on your phone.

MFA makes Lawmaker more secure because, while it is conceivable that someone could find out your password or get hold of your phone, it would be difficult for someone to manage both at the same time.

How does it work in Lawmaker?

When you set up MFA and scan the QR code with your authenticator app, that code contains a unique key produced by Lawmaker (the key is essentially a very long and unique password).

The key gets stored in the authenticator app.

The authenticator app then uses a cryptographic algorithm to generate a six-digit code derived from the key plus the current time (hence why it changes all the time). The cryptography is needed so no-one intercepting your six-digit code can work out what the original key was.

Since Lawmaker knows what the key is, it can use the same algorithm to check that the code you type is valid. And since only your phone and Lawmaker should know what the key is (it is a shared “secret”) typing in a correct code is evidence that you have access to your phone and hence you are likely to be who you say you are.
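The scheme described above matches the standard time-based one-time password algorithm (TOTP, RFC 6238) that Google Authenticator and Microsoft Authenticator implement. The following is an added example, not Lawmaker's own code: the 30-second step, HMAC-SHA1, the one-step drift window and the account and issuer names are assumptions, and the sample key is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP = 30    # seconds each code is valid for (RFC 6238 default; assumed)
DIGITS = 6   # the page states the code has six digits

def new_key() -> str:
    """Random 160-bit shared key, Base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def provisioning_uri(key_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// text that a setup QR code encodes (it carries the key)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={key_b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")

def totp(key_b32: str, now: float) -> str:
    """Phone side: HMAC the current time-step number with the key, then truncate."""
    counter = struct.pack(">Q", max(0, int(now) // STEP))
    mac = hmac.new(base64.b32decode(key_b32), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(key_b32: str, submitted: str, now: float, drift: int = 1) -> bool:
    """Server side: recompute codes for nearby steps, compare in constant time."""
    ok = False
    for step in range(-drift, drift + 1):
        expected = totp(key_b32, now + step * STEP)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok

# Constructed sample input: the RFC 6238 test key "12345678901234567890".
RFC_KEY = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(provisioning_uri(RFC_KEY, "user@example.org", "ExampleApp"))
    print(totp(RFC_KEY, 59))
    print(verify(RFC_KEY, "287082", 59 + 25))
```

The drift window tolerates a phone clock that is slightly out of step with the server; a wider window accepts older codes for longer, so it is kept small.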

What information about me or my Lawmaker account is stored on my phone?

The only thing stored on your phone is the key, i.e. the long code generated when you set up MFA. It is stored securely within the authenticator app. The code in itself does not contain any information about you or the Lawmaker application (it is essentially just a unique, random number). Equally, the Lawmaker application does not store any information about you or your phone as a result of setting up MFA.
