Version 5 of Lawmaker introduces multi-factor authentication (MFA) to make the application more secure. Because of the additional assurance it provides, we will be able to make the application accessible from a wider range of locations and devices, improving resilience. (Note that the expectation remains that you should access Lawmaker from a corporate device unless you are unable to do so, e.g. because the corporate network is not working.)
What happens the first time you sign in?
Reset password
Your password will have been reset to a temporary password (communicated to you separately). When you log in for the first time after the new release has been deployed, you will be asked to change it.
You can change it back to what it was before or choose a new password, but avoid reusing a password you use for any other service. The password must be at least 10 characters long and must not be easily guessable (e.g. "password123"). We recommend you use three random words.
Set up MFA
After you have entered your new password, you will be asked to set up MFA.
To do this you will need to install an authenticator app on your mobile phone if you don't already have one. There is a range of authenticator apps for Android phones and iPhones, including Google Authenticator and Microsoft Authenticator, and they all work in a similar way.
Lawmaker will display a QR code on the screen. Open your authenticator app and use it to scan the code. This links your Lawmaker user account with the authenticator app, and the app will start producing six-digit codes that can be used for signing in to Lawmaker. Scan the QR code only with your own authenticator app: anyone who scans it gets the same ability to generate codes for your account.
On the "Set up MFA" page of Lawmaker, type in the code that is currently showing on the app and click "Verify Security Token".
You will then be taken to the Lawmaker dashboard and can continue working as normal.
What happens when you sign in for a second or subsequent time?
Whenever you log in in future you will continue to be asked for your username and password, and you may also be asked for a code from your authenticator app.
Whether you are asked for a code will depend on the risk associated with your login attempt. This is determined by considering things like where you are signing in from and what device you are using, so you are more likely to be asked for a code from an unfamiliar location or an unrecognised device.
What happens if I get a new phone or lose my phone?
If you get a new phone, the authenticator app will enable you to transfer your MFA keys from the old phone to the new one (e.g. the old phone will generate a QR code which can be scanned into the new phone). Do this before you wipe or hand over the old phone. Some authenticator apps also enable you to make a secure backup of your keys as another way of retrieving them on a new phone.
If you lose your phone and so are unable to transfer your keys to a new device, ask for your account to be reset by an administrator so that you can then set up MFA on a new phone (or on your old phone if you find it again). Do this promptly: until your account is reset, the key on the lost phone can still generate valid codes. The administrator will need to be satisfied that it is a genuine request before proceeding to reset your account.
Help and support
If you have any problems signing in, you should continue to contact your organisation's product owner in the first instance, who will raise matters with the LDAPP project team as necessary.
More information about MFA
What is "multi-factor authentication"?
Multi-factor authentication means a user is only granted access to a system if they provide two or more different kinds of evidence of their identity.
A password is one piece of evidence (it is something only the user should know). Further evidence can be something the user has in their possession (such as a card or USB security key) or an inherent characteristic of the user (e.g. a fingerprint).
For Lawmaker, in addition to providing a password, you will sometimes be asked to provide evidence that you have something in your possession (a mobile phone or tablet). The evidence will be a code generated by an app on your phone.
MFA makes Lawmaker more secure because, while it is conceivable that someone could find out your password or get hold of your phone, it would be difficult for someone to manage both at the same time. For the same reason, only ever type a code into the Lawmaker sign-in page itself: a code typed anywhere else, or read out to someone, hands that person your second factor.
How does it work in Lawmaker?
When you set up MFA and scan the QR code with your authenticator app, the QR code contains a unique secret key generated by Lawmaker (the key is essentially a very long, random password).
The key gets stored in the authenticator app.
The authenticator app then uses a cryptographic algorithm to generate a six-digit code derived from the key and the current time (which is why it changes, typically every 30 seconds). The algorithm is a one-way function: it is needed so that no-one who sees one of your six-digit codes can work backwards to the original key, and because the time is mixed in, a code is only useful for a short period.
Since Lawmaker knows what the key is, it can use the same algorithm to check that the code you type is valid. And since only your phone and Lawmaker should know what the key is (it is a shared "secret"), typing in a correct code is evidence that you have access to your phone and hence that you are likely to be who you say you are.
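To make the setup and sign-in steps above concrete, here is a worked example of the scheme just described (time-based one-time passwords, RFC 6238, built on the HMAC-based codes of RFC 4226). It is illustrative code added to this guide, not Lawmaker's own implementation: it shows what the "Set up MFA" QR code encodes, how the app turns the key and the clock into a six-digit code, and how the server side checks a submitted code. The parameters (HMAC-SHA1, six digits, 30-second step) are the RFC defaults that Google and Microsoft Authenticator use; the account name, issuer label and URL layout are assumptions for the example, and the only key in the code is the published RFC test key, used so the output can be checked against the RFC's own vectors.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226): illustrative code added to this
guide, not Lawmaker's implementation.  Assumed parameters are the RFC
defaults used by common authenticator apps: HMAC-SHA1, 6 digits, 30 s step.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

DIGITS = 6
STEP_SECONDS = 30

# Test key from RFC 4226 / RFC 6238 (the ASCII string "12345678901234567890"),
# included only so the functions can be checked against the published vectors.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def generate_secret(num_bytes: int = 20) -> str:
    """The shared key: 160 random bits, base32-encoded for the QR code."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str = "Lawmaker") -> str:
    """What the 'Set up MFA' QR code encodes (the otpauth 'Key URI' format that
    authenticator apps read).  The label is only there so the app can name the
    entry; 'account' and 'issuer' here are assumed values for the example."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226: HMAC the counter with the key, then truncate to six digits.
    HMAC cannot be reversed, so the digits do not leak the key."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the Unix
    epoch, which is why the code on the phone changes every 30 seconds."""
    t = int(time.time()) if at is None else at
    return hotp(secret_b32, t // STEP_SECONDS)


class Verifier:
    """Server-side check with the server's copy of the key.  Tolerates one
    step of clock drift either way, compares in constant time, and refuses a
    step it has already accepted so a captured code cannot be replayed."""

    def __init__(self, secret_b32: str, window: int = 1) -> None:
        self.secret = secret_b32
        self.window = window
        self.last_accepted_step = -1

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        t = int(time.time()) if at is None else at
        step = t // STEP_SECONDS
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue                                 # already used: replay
            expected = hotp(self.secret, candidate).encode("ascii")
            if hmac.compare_digest(expected, submitted.encode("utf-8")):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    secret = generate_secret()
    print("QR code content:", provisioning_uri(secret, "a.drafter@example.gov.uk"))
    code = totp(secret)
    print("Code showing on the phone now:", code)
    server = Verifier(secret)
    print("Server accepts it:", server.verify(code))
    print("Same code submitted again:", server.verify(code))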
What information about me or my Lawmaker account is stored on my phone?
The main thing stored on your phone is the key, i.e. the long code generated when you set up MFA, together with a label (typically the name of the application and your username) so that the app can show which account the entry belongs to. The key is stored securely within the authenticator app. The key itself does not contain any information about you or the Lawmaker application (it is essentially just a unique, random number). On the other side, Lawmaker keeps its own copy of the key against your user account, because it needs it to check your codes, but it does not store any information about your phone (such as its number or model) as a result of setting up MFA.