Why is MFA mandatory for Procore Pay and how does it work?

 Important
Author note: Log changes to this page in JIRA: https://procoretech.atlassian.net/browse/ILR-91
 General Availability in Select Markets (United States)
flag-us.png Procore Pay icon-external-link.png  is available in the United States. It is designed for General Contractors and Owner-Builders who act as their own General Contractors on a job. Procore Pay extends the Invoice Management icon-external-link.png functionality in the Procore web application to handle the payment process between general and specialty contractors.

Background

What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication (MFA) is a method of logging in to an electronic system that requires a user to verify their identity in more than one way. Typically, a user will need to provide a combination of the following identity verification factors when MFA is configured:

  • Something only the user knows, like a password or PIN.
  • Something only the user is, like a fingerprint or facial recognition.
  • Something only the user has, like a mobile device.

In Procore, the factors used for MFA are a Procore password, and a time-based one time password (TOTP) that is sent to your mobile device from an authenticator app. You will need to download an authenticator app before you can use MFA with Procore. You can use any TOTP-compliant app.  

Answers to Common Questions

Why does Procore Pay require MFA?

To help safeguard your most sensitive operations from unauthorized account access, Procore Pay requires users to complete a multi-step account login process.  This process is called Multi-Factor Authentication (MFA). MFA is required for Procore Pay, regardless of whether or not you are using Pay to move money.

How does MFA work? 

To provide Procore Pay with a trusted method to safeguard sensitive bank account information and payment transactions, it is important for Procore Pay customers to ensure your environment has strong password management protections in place. To help ensure your most sensitive operations are guarded against unauthorized account access, Procore Pay users must complete a multi-factor account login process to authenticate their identity. 

These factors include:

  1. Enter your email address and password for your Procore user account. If you are an authorized user with access permission to Procore Pay, you will be prompted to enter your user name and password on the Procore login page.
  2. Enter a one-time password code generated by an MFA app on a mobile device. Next, a Time-Based One-Time Password (TOTP) code is sent to your mobile device. A TOTP code is a randomly generated secret code displayed on a user's mobile device using a TOTP-compliant app.

Which Procore Pay users are required to log in with MFA?

Authorized users who have been granted role-based permissions to the Company level Payments tool are required to log in using MFA before accessing the Company level Payments tool AND before performing secure financial operations. 

The table below details the roles and requirements for MFA:

Role Before logging in... Before performing these tasks...
Payments Admin
Payments Disburser
Payments Beneficiary

Which one-time password applications are compatible with Procore Pay?

Procore Pay has tested two applications that can be used in your company's environment: Google Authenticator and Auth0 Guardian. However, other TOTP-compliant applications can also be used, such as Microsoft Authenticator.

The application used in your company's environment is likely determined either by your company's owner and/or your IT department. Procore has tested these TOTP apps for compatibility with Procore Pay:

What are the MFA account lockout settings? 

To prevent repeated MFA login attempts as part of an attack, designated Procore Pay users are subject to these account lockout settings:

  • Number of failed login attempts to trigger account lockout: 10 (TOTP)
    Notes: 
    • Procore lockout settings configured in the Company level Admin tool do NOT apply with MFA enabled.
    • If you are locked out of your account, contact Payment Operations to request an MFA reset.

When are Procore Pay Users challenged by MFA?

Your company's authorized Payments Admins and the Payments Disbursers designated by your Payments Admin are required to complete an MFA challenge every time they perform one of these actions in the Procore web application:

  • Log in to your company's account in the Procore web application.
  • Navigate to the Company level Payments tool.
  • Creating or submitting a disbursement:
    • If using Procore Pay to send payments without the Workflows tool, before a Payments Disburser creates a disbursement in the Payments tool. 
    • If using Procore Pay with the Workflows tool, before the designated Workflow Approver submits a disbursement.
  • When the Company level Payments tool is idle for more than 30 minutes in a user session.

    Note: Procore Pay users are required to complete an MFA challenge at login, regardless of whether or not they are using Pay to move money.

Are MFA login attempts recorded? 

Yes. Every attempted MFA login and its outcome is logged. Records are retained in the log for six (6) years.

Is MFA required when testing the Payments tool in our company's sandbox account? 

Procore Pay is not available in your company's Sandbox account. 

What happens if I lose or replace the device where MFA is configured?

If you lose or replace your mobile device, you’ll need to restore access to your authenticator app. MFA must be reset to restore access after losing or damaging a device. Some device types and authenticator apps might also require an MFA reset to restore access after intentionally replacing a device. Contact Payment Operations if you need to have MFA reset so you can log into Procore Pay.

How do I troubleshoot user issues with MFA?

Below are tips for troubleshooting common issues with MFA as a Procore Pay user. 

Issue How to troubleshoot... How to escalate... For assistance
Your account has been locked after multiple consecutive login attempts. Number of failed login attempts to trigger account lockout: 10 Contact Procore Pay Operations to verify your identity and request an MFA reset.  Contact Payment Operations
You do not have your mobile device with you or your device is powered OFF.  You can finish authentication using the recovery code that you were provided during setup. See Set Up MFA for Procore Pay on Your Device   Contact Payment Operations
You forgot your Procore password.  Reset your Procore password. After resetting your password, be sure to type in the new password manually when logging in. Your browser could autofill a previous password that is no longer valid, so manual entry is recommended.   Contact Support
Your transaction expires.  When logging in with MFA, users must submit their first and second factor within five (5) minutes. If you exceed this time, you will need to log in again and obtain a new secret code (TOTP).    Contact Payment Operations
You need to remove or delete a user from MFA

You cannot remove MFA requirements for a user who has Payments Admin or Payments Disburser permissions. You must remove the user's permissions to Pay to remove the MFA requirement.

Payments Admins can remove the MFA requirement for a user who has the Payments Disburser permission by removing the user's Payments Disburser permission. Upon removal of the permission, the MFA requirement will no longer be enforced.

To remove the MFA requirement for a Payments Admin user by removing their Payments Admin permission, contact Procore Pay Support.

   Contact Payment Operations
Your account shows an 'incorrect code' message.  Make sure you entered the correct code, and check that the date/time settings on your mobile device are correct:

  • Android. Go to Settings > Date & Time. Tap to place a checkmark next to Automatic. To turn it off, go to Settings > Date & Time. Tap the box next to Automatic to remove the checkmark.

  • iOS. Go to Settings > General > Date & Time. Enable Set Automatically. If the setting is already enabled, disable it for a few moments and then re-enable it. 

   Contact Payment Operations

See Also