In this article, we will guide you through enabling Multi-Factor Authentication (MFA) for Web Users in BigChange and managing IP settings. These security measures ensure that only authorised users can access your system.
What is Multi-Factor Authentication (MFA)?
MFA is an additional layer of security used to verify a user's identity. It requires users to provide two or more verification factors to gain access to an application, such as BigChange. To access BigChange with MFA enabled, a user must enter an authentication code from a separate device (such as a smartphone) using an authenticator app (such as Google Authenticator) in addition to their BigChange login details.
Enabling MFA for All Web Users
To enforce MFA for all web users, follow these steps:
- Log in to BigChange as a System Administrator.
- From the top navigation menu, select Account Settings followed by Settings.
- You can either select General Account Settings via the quick links menu, or select Account and then Account Settings from the side menu on the left.
- In the search box, type "multi" to locate the MFA setting under the Security section.
- Tick Yes to enable MFA for all users.
Once enabled, any user logging into your BigChange system will be prompted to set up MFA.
Setting Up MFA as an Individual Web User for the First Time
When MFA is enabled, Web Users will need to set it up during their next login. This is a one-time setup. To do this, follow these steps:
- Log in to BigChange.
- You will be redirected to your profile page and prompted to scan a QR code (using another device, such as a smartphone).
- Use a third-party authenticator app (such as Google Authenticator or Microsoft Authenticator) to scan the QR code.
- The app will save BigChange (JobWatch) as an MFA code.
- Once you have confirmed a code is being generated by the authenticator app, select Save.
Please do not share your QR code with other web users, as it will not work for them.
From now on, you will be prompted to enter a new code from the authenticator app each time you log in.
MFA code not working? See article Resolving Multi-Factor Authentication (MFA) Issues – BigChange Help Centre
Resetting MFA for a Web User
If a Web User needs to reset their MFA, a System Administrator can do this on their behalf by following these steps:
- Log in to BigChange as a System Administrator.
- From the top navigation menu, select the Account Settings icon followed by Settings.
- Select Web Users from the side menu on the left.
- Select Add and Edit and search for the user.
- Select the relevant Web User and select Reset Multi-Factor Authentication.
- Confirm the reset.
The next time the Web User logs in, they will be prompted to set up MFA again by scanning a new QR code.
Setting IP Restrictions for Web Users
Setting IP restrictions allows you to limit Web User access to your BigChange system to specific IP addresses. This is useful for ensuring that users can only log in from trusted locations.
Only one IP address can be entered into BigChange, restricting the Web User to logging in only from the location associated with that IP address.
Setting IP Restrictions for Individual Web Users:
- Log in to BigChange as a System Administrator.
- From the top navigation menu, select the Account Settings icon followed by Settings.
- Go to Web Users and select Add and Edit.
- Search for the relevant Web User and select Edit.
- Locate the IP Restriction field.
- Enter the full IP address (of your trusted location) and select Save.
- Once saved, BigChange will block any login attempts from IP addresses other than the specified one.
Do not impose IP restrictions on Web Users with dynamic IP addresses.
For more information, see Managing Whitelisted IP Addresses – BigChange Help Centre
Setting the Frequency of MFA Authentication Requests
The number of days between authentication requests when logging in determines how often your Web Users will be prompted to complete MFA.
Hint
We strongly advise setting this to 0 days, enabling the highest level of security, prompting your Web Users to complete MFA every time they log in.
To edit the number of days between MFA requests, go to Account Settings > Settings > General Account Settings > Security.
When you change the number of days between authentication requests for logging in, the previous setting must finish its duration before the new setting takes effect. For example, if the setting was originally 30 days and you change it to 7 days, you will need to wait the full 30 days before the new 7-day frequency starts working. Similarly, if you later change the setting from 7 days to 0 days, you will need to wait 7 days for this new change to take effect.
Whitelisting IP Addresses
Whitelisting IP addresses allows users to bypass MFA when logging in from trusted locations, such as your office.
To add whitelisted IP addresses to BigChange, follow these steps:
- Log in as a System Administrator.
- From the top navigation menu, select the Account Settings icon followed by Settings.
- From the side menu, select Account, followed by Whitelisted IP Addresses.
- Add the IP addresses you want to whitelist.
Hint
To help you manage whitelisted IP addresses, you can add a name, description, and expiry date for each IP address.
This will allow users to log in without MFA from the whitelisted IP addresses.
Best Practices for MFA and IP Restrictions
To ensure maximum security, we recommend the following best practices:
- Enable MFA for all Web Users.
- Whitelist IP addresses only for trusted locations.
- Use IP restrictions for users who only need access from specific locations.
- Set the number of days to 0 for the security setting Number of days between authentication requests when logging in.