How does MFA work with Procore Pay and why is it required?
Background
What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (MFA) is a method of logging in to an electronic system that requires a user to verify their identity in more than one way. Typically, a user will need to provide a combination of the following identity verification factors when MFA is configured:
- Something only the user knows, like a password or PIN.
- Something only the user is, like a fingerprint or facial recognition.
- Something only the user has, like a mobile device.
In Procore, the factors used for MFA are your Procore password and a time-based one-time password (TOTP) generated by an authenticator app on your mobile device. You will need to install an authenticator app before you can use MFA with Procore; any TOTP-compliant app can be used.
Answers to Common Questions
- Why does Procore Pay require MFA?
- How does MFA work?
- Which Procore Pay users are required to log in with MFA?
- Which one-time password applications are compatible with Procore Pay?
- What are the MFA account lockout settings?
- When are Procore Pay users challenged by MFA?
- Are MFA login attempts recorded?
- Is MFA required when testing the Payments tool in our company's Sandbox?
- What happens if I lose or replace the device where MFA is configured?
- How do Procore Pay users troubleshoot user issues with MFA?
Why does Procore Pay require MFA?
To give Procore Pay a trusted way to safeguard private data related to payment transactions, it is important to have strong password management protections in place in your environment. To help safeguard your most sensitive operations from unauthorized account access, Procore Pay requires users to complete a multi-step account login process. This process is called Multi-Factor Authentication (MFA). It is also commonly referred to as 2FA.
How does MFA work?
Which Procore Pay users are required to log in with MFA?
Authorized users who have been granted role-based permissions to the Company level Payments tool are required to log in using MFA before accessing the Company level Payments tool and before performing secure financial operations.
The table below details the roles and requirements for MFA:
Role | Before logging in... | Before performing these tasks... |
---|---|---|
Payments Admin | | |
Payments Disburser | | |
Payments Beneficiary | | |
Which one-time password applications are compatible with Procore Pay?
Procore Pay has tested two applications that can be used in your company's environment: Google Authenticator and Auth0 Guardian. However, other TOTP-compliant applications can also be used, such as Microsoft Authenticator.
The application used in your company's environment is likely determined by your company's owner and/or your IT department. Procore has tested the TOTP apps listed above for compatibility with Procore Pay.
What are the MFA account lockout settings?
To prevent repeated MFA login attempts as part of an attack, designated Procore Pay users are subject to these account lockout settings:
- Number of failed login attempts to trigger account lockout: 10 (TOTP)
Notes:
- Procore lockout settings configured in the Company level Admin tool do NOT apply with MFA enabled.
- If you are locked out of your account, contact Payment Operations to request an MFA reset.
When are Procore Pay users challenged by MFA?
Your company's authorized Payments Admins and the Payments Disbursers designated by your Payments Admin are required to provide multiple verifications every time they perform one of these actions in the Procore web application:
- Log in to your company's account in the Procore web application.
- Navigate to the Company level Payments tool.
- Create or submit a disbursement:
  - If using Procore Pay to send payments without the Workflows tool, before a Payments Disburser creates a disbursement in the Payments tool.
  - If using Procore Pay with the Workflows tool, before the designated Workflow Approver submits a disbursement.
- When the Company level Payments tool is idle for more than 30 minutes in a user session.
Are MFA login attempts recorded?
Yes. Every attempted MFA login and its outcome is logged. Records are retained in the log for six (6) years.
Is MFA required when testing the Payments tool in our company's sandbox account?
Procore Pay is not available in your company's Sandbox account.
What happens if I lose or replace the device where MFA is configured?
If you lose or replace your mobile device, you’ll need to restore access to your authenticator app. MFA must be reset to restore access after losing or damaging a device. Some device types and authenticator apps might also require an MFA reset to restore access after intentionally replacing a device. Contact Payment Operations if you need to have MFA reset so you can log into Procore Pay.
How do I troubleshoot user issues with MFA?
Below are tips for troubleshooting common issues with MFA as a Procore Pay user.
Issue | How to troubleshoot... | How to escalate... | For assistance |
---|---|---|---|
Your account has been locked after multiple consecutive login attempts. | Number of failed login attempts to trigger account lockout: 10 | Contact Procore Pay Operations to verify your identity and request an MFA reset. | Contact Payment Operations |
You do not have your mobile device with you or your device is powered OFF. | You can finish authentication using the recovery code that you were provided during setup. See Set Up MFA for Procore Pay on Your Device. | Contact Payment Operations | |
You forgot your Procore password. | Reset your Procore password. After resetting your password, be sure to type in the new password manually when logging in. Your browser could autofill a previous password that is no longer valid, so manual entry is recommended. | Contact Support | |
Your transaction expires. | When logging in with MFA, users must submit their first and second factor within five (5) minutes. If you exceed this time, you will need to log in again and obtain a new secret code (TOTP). | Contact Payment Operations | |
You need to remove or delete a user from MFA. | You cannot remove MFA requirements for a user who has Payments Admin or Payments Disburser permissions. You must remove the user's permissions to Pay to remove the MFA requirement. To remove the MFA requirement for a Payments Admin user by removing their Payments Admin permission, contact Procore Pay Support. | Contact Payment Operations | |
Your account shows an 'incorrect code' message. | Make sure you entered the correct code, and check that the date/time settings on your mobile device are correct. | Contact Payment Operations | |
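The example below is added here to show what "TOTP-compliant" means in practice and why the 'incorrect code' and lockout rows above behave as they do; it is illustration code, not Procore's implementation. It generates RFC 6238 codes the way an authenticator app does (HMAC-SHA1, 30-second steps, 6 digits), accepts one step of clock drift on either side, and locks the account after 10 failed codes as this page states. The shared secret is the RFC 4226/6238 test secret, not a real one, and the skew window is an assumed value.

```python
"""TOTP (RFC 6238) verification with a small clock-skew window and the
10-failure lockout described on this page. Added example, not Procore code."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30        # time step used by standard authenticator apps
DIGITS = 6               # code length shown by the app
LOCKOUT_THRESHOLD = 10   # failed TOTP attempts before lockout (from this page)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step)


class TotpVerifier:
    """Server-side check: accepts the current step plus `skew_steps` on either
    side (assumed window, tolerates ~30 s of device clock drift) and locks the
    account once LOCKOUT_THRESHOLD consecutive failures are seen."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.failures = 0
        self.locked = False

    def verify(self, code: str, now: int) -> bool:
        if self.locked:
            return False
        counter = now // STEP_SECONDS
        for c in range(counter - self.skew_steps, counter + self.skew_steps + 1):
            # constant-time compare so a wrong code does not leak timing
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked = True
        return False
```

A device clock that is several minutes off falls outside the window and produces the 'incorrect code' message even though the app is working correctly.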