Multi-factor authentication guide
Introduction
Lawmaker uses multi-factor authentication to make the application more secure.
The first time you sign in after your account has been created (or reset)
After you’ve updated your password, you’ll be asked to set up MFA.
To do this you will need to install an authenticator app on your mobile phone if you don't already have one. There is a range of authenticator apps for Android phones and iPhones. We recommend using Google Authenticator or Microsoft Authenticator - make sure you download the official app from a trusted source (see below).
You will never be asked to pay any money when signing up to activate your Lawmaker account. If you are asked to subscribe or make a payment by the authenticator app, stop immediately and remove the app from your phone as this is likely to be an attempted scam.
Lawmaker will display a QR code on the screen. Open your authenticator app and click on the plus sign to add a new account. Follow the instructions in the app to scan the code on your computer’s screen. This will link your Lawmaker user account with the authenticator app and the app will start producing codes that can be used for signing in to Lawmaker.
Type in the code that is currently showing on the app and click Verify Security Token.
When you sign in for a second or subsequent time
Whenever you log in in future, you will first be asked for your username and password. You may then also be asked to provide a code from your authenticator app as additional assurance of your identity.
If the dialogue box above appears, open your authenticator app on your phone. Type the code showing on the phone into the dialogue box and click Continue.
What happens if I get a new phone or lose my phone?
If you get a new phone then the authenticator app will enable you to transfer your MFA keys from the old phone to the new phone (e.g. the old phone will generate a QR code which can be scanned into the new phone). Some authenticator apps also enable you to do a secure backup of your keys as another way of retrieving them on a new phone.
If you have lost your phone and so are unable to transfer your keys to a new device, contact Lawmaker support to get your account reset.
More information about MFA
What is "multi-factor authentication"?
Multi-factor authentication means a user is only granted access to a system if they provide two or more different kinds of evidence as to their identity.
A password is one piece of evidence (it is something only the user should know). Further evidence can be something the user has in their possession (such as a card or USB stick) or an inherent characteristic of the user (e.g. a fingerprint).
For Lawmaker, in addition to providing a password, you will sometimes be asked to provide evidence that you have something in your possession (a mobile phone or tablet). The evidence will be a code generated by an app on your phone.
MFA makes Lawmaker more secure because, while it is conceivable that someone could find out your password or get hold of your phone, it would be difficult for someone to manage both at the same time.
How does it work in Lawmaker?
When you set up MFA and scan the QR code with your authenticator app, that code contains a unique key produced by Lawmaker (the key is essentially a very long and unique password).
The key gets stored in the authenticator app.
The authenticator app then uses a cryptographic algorithm to generate a six-digit code derived from the key plus the current time (which is why the code keeps changing). The cryptography is needed so that no-one intercepting your six-digit code can work out what the original key was.
Since Lawmaker knows what the key is, it can use the same algorithm to check that the code you type is valid. And since only your phone and Lawmaker should know what the key is (it is a shared “secret”) typing in a correct code is evidence that you have access to your phone and hence you are likely to be who you say you are.
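The following is an added example, not Lawmaker's own code, showing both sides of the exchange described above. It assumes the standard time-based one-time password algorithm (RFC 6238 with HMAC-SHA-1 and a 30-second step) that Google Authenticator and Microsoft Authenticator implement; this guide itself only states that the code is six digits and derived from the key plus the time. The function names and sample account are hypothetical, and the check goes slightly beyond the text by allowing for clock drift and refusing a code that has already been used.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

STEP = 30     # seconds per code: RFC 6238 default (assumption, not stated in this guide)
DIGITS = 6    # the guide says codes are six digits

def new_key() -> bytes:
    """Server side: the random shared key created when MFA is set up."""
    return secrets.token_bytes(20)

def provisioning_uri(key: bytes, user: str, issuer: str = "Lawmaker") -> str:
    """Text carried by the QR code (the otpauth:// format authenticator apps scan)."""
    b32 = base64.b32encode(key).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(user)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")

def totp(key: bytes, at: float) -> str:
    """Phone and server both run this: HMAC over the time-step counter, truncated."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(key: bytes, submitted: str, at: float, last_step: int = -1, drift: int = 1):
    """Server-side check. Returns the matched time step, or None if rejected.
    Accepts +/- `drift` steps for clock skew; rejects a step at or before last_step."""
    now_step = int(at) // STEP
    matched = None
    for step in range(now_step - drift, now_step + drift + 1):
        expected = totp(key, step * STEP).encode()
        ok = hmac.compare_digest(expected, submitted.encode())  # constant-time compare
        if ok and step > last_step:
            matched = step
    return matched

if __name__ == "__main__":
    key = new_key()
    print(provisioning_uri(key, "user@example.org"))  # constructed sample account
    now = time.time()
    code = totp(key, now)                              # what the phone would display
    step = verify(key, code, now)
    print(code, "accepted at step", step)
    print("same code replayed:", verify(key, code, now, last_step=step))
```

Storing the returned step per user and passing it back as `last_step` is what stops a code being accepted twice within its validity window.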
What information about me or my Lawmaker account is stored on my phone?
The only thing stored on your phone is the key, i.e. the long code generated when you set up MFA. It is stored securely within the authenticator app. The key in itself does not contain any information about you or the Lawmaker application (it is essentially just a unique, random number). Equally, the Lawmaker application does not store any information about you or your phone as a result of setting up MFA.