Multi-Factor Authentication (MFA)
Add an extra layer of security to your CastellanAI account with multi-factor authentication.
MFA significantly reduces the risk of account compromise, even if your password has been stolen.
Why Use MFA?
| Metric | Value |
|---|---|
| Risk Reduction | 99.9% reduction in account compromise |
| Required For | Administrator and Security Analyst roles |
| Methods | Multiple authentication methods supported |
Supported MFA Methods
- 📱 Authenticator App
- 🔑 Hardware Key
- 📧 SMS/Email (Backup)
Authenticator App (Recommended)
Use a time-based one-time password (TOTP) app for secure, offline authentication codes.
Supported Apps:
| App | Platform |
|---|---|
| Microsoft Authenticator | iOS, Android |
| Google Authenticator | iOS, Android |
| Authy | iOS, Android, Desktop |
| 1Password | All platforms |
Advantages:
- Works offline
- No phone number required
- Fast authentication
Hardware Security Key
Use a physical security key (FIDO2/WebAuthn) for the highest level of security.
Supported Keys:
| Key | Type |
|---|---|
| YubiKey 5 Series | USB-A, USB-C, NFC |
| Google Titan | USB-A, USB-C, Bluetooth |
| Feitian ePass FIDO | USB-A |
| Any FIDO2-compatible key | Various |
Advantages:
- Phishing-resistant
- No codes to enter
- Cannot be remotely compromised
Hardware keys provide the strongest protection against phishing and account takeover attacks.
SMS or Email (Backup Only)
Receive verification codes via SMS or email.
SMS/Email should be used as a backup method only. Prefer authenticator apps or security keys for primary authentication due to SIM-swapping and email compromise risks.
Use Cases:
- Account recovery when primary method unavailable
- Temporary access during device replacement
- Emergency situations
Setting Up MFA
Step 1: Navigate to Profile Settings
Go to your profile page and access MFA settings.
Navigation Path: Profile → Security → Multi-Factor Authentication
Step 2: Choose Authentication Method
Select your preferred MFA method. You can configure multiple methods for redundancy.
Set up at least two methods (e.g., authenticator app + security key) for account recovery options.
Step 3: Complete Setup Process
For Authenticator App:
- Scan the QR code with your authenticator app
- Enter the 6-digit code from your app
- Save your backup codes in a secure location
For Security Key:
- Insert your security key when prompted
- Touch the key to activate it
- Provide a nickname for the key
Step 4: Save Backup Codes
Download and securely store your backup codes. These are one-time use codes for account recovery.
Store backup codes in a secure location (e.g., password manager, offline storage). Without them, account recovery requires administrator assistance.
Backup Code Format:
XXXX-XXXX-XXXX
XXXX-XXXX-XXXX
XXXX-XXXX-XXXX
(10 codes total)
Managing MFA Devices
View Active Devices
See all MFA devices associated with your account:
Path: Profile → Security → Manage Devices
| Information | Description |
|---|---|
| Device name | Nickname you assigned |
| Type | Authenticator, Security Key, SMS |
| Last used | Date of last authentication |
| Added date | When device was registered |
Add Additional Devices
Configure multiple authentication methods for redundancy.
Recommended Setup:
- Primary: Authenticator App
- Secondary: Hardware Security Key
- Backup: SMS/Email (emergency only)
Path: Profile → Security → Add New Method
Remove Devices
Remove lost or compromised devices from your account.
Path: Profile → Security → Manage Devices → Remove
You must have at least one active MFA method (unless you're a Viewer).
Regenerate Backup Codes
Generate new backup codes if needed:
- Used all existing codes
- Suspect codes were compromised
- Lost access to stored codes
Path: Profile → Security → Regenerate Backup Codes
Regenerating codes invalidates all previous backup codes immediately.
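The backup-code behaviour described in Step 4 and in this section (ten single-use codes in XXXX-XXXX-XXXX form, regeneration invalidating the whole previous set) is straightforward to implement on the server side. The following is an added example, not CastellanAI's own code: it generates codes from an unambiguous uppercase alphabet (the alphabet and the 12-character length are assumptions for illustration), stores only their hashes, consumes each code exactly once, and replaces the full set on regeneration.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Assumptions for this example: 12 characters laid out as XXXX-XXXX-XXXX,
# drawn from an uppercase alphabet without the easily confused 0/O and 1/I.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_COUNT = 10                      # "(10 codes total)" as documented
CODE_RE = re.compile(r"^[A-Z2-9]{4}-[A-Z2-9]{4}-[A-Z2-9]{4}$")


def normalize(code: str) -> str:
    """Accept lower-case or space-padded input the way a user might type it."""
    return code.strip().upper().replace(" ", "")


def code_hash(code: str) -> str:
    # A 12-character code from a 32-symbol alphabet carries ~60 bits of entropy,
    # so an unsalted SHA-256 is sufficient: a stolen table cannot be reversed by guessing.
    return hashlib.sha256(normalize(code).encode()).hexdigest()


def generate_codes(count: int = CODE_COUNT) -> list[str]:
    """Return `count` freshly generated, CSPRNG-backed backup codes in display form."""
    codes = []
    for _ in range(count):
        chars = "".join(secrets.choice(ALPHABET) for _ in range(12))
        codes.append(f"{chars[:4]}-{chars[4:8]}-{chars[8:]}")
    return codes


@dataclass
class BackupCodeStore:
    """Server-side record for one account: hashes of the codes not yet used."""
    hashes: set = field(default_factory=set)

    def issue(self) -> list[str]:
        """Generate a new set. Replacing the whole set is what makes regeneration
        invalidate every previous code immediately. The plaintext codes are returned
        once, for the user to download, and never stored."""
        codes = generate_codes()
        self.hashes = {code_hash(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Consume a code: True exactly once per valid code, False afterwards."""
        h = code_hash(code)
        match = None
        # Compare against every stored hash (no early exit) in constant time.
        for stored in self.hashes:
            if hmac.compare_digest(stored, h):
                match = stored
        if match is None:
            return False
        self.hashes.discard(match)       # one-time use
        return True

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    store = BackupCodeStore()
    issued = store.issue()
    print("\n".join(issued))
    print("first redeem:", store.redeem(issued[0]))   # True
    print("replay:", store.redeem(issued[0]))         # False
```

Redeeming a code should also be counted as a failed attempt when it does not match, so that backup-code entry falls under the same lockout rules as any other second factor.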
Troubleshooting MFA Issues
"Invalid code" error
Common Causes & Solutions:
| Cause | Solution |
|---|---|
| Time drift | Enable automatic time synchronization on the device |
| Code expired | Wait for next 30-second cycle |
| Wrong account | Verify correct app entry selected |
| Copy error | Re-type code manually |
Lost Authenticator Device
Recovery Steps:
- Use a backup code to log in
- Navigate to Security settings
- Remove the lost device
- Configure a new MFA method
If you have no backup codes, contact your administrator for account recovery assistance.
Security Key Not Recognized
Troubleshooting:
| Issue | Solution |
|---|---|
| Browser incompatible | Use Chrome, Firefox, Edge, or Safari 14+ |
| USB issue | Try different port |
| Outdated firmware | Update key firmware |
| Wrong key type | Verify FIDO2 compatibility |
Account Locked After Failed Attempts
Resolution Options:
| Method | Timeframe |
|---|---|
| Wait | Auto-unlock after 15 minutes |
| Self-service | Use "Unlock Account" link |
| Admin assist | Contact administrator |
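The lockout behaviour in this table, in particular the 15-minute auto-unlock and the administrator override, is shown below as an added example that is not CastellanAI's own code. The page does not state how many failed attempts trigger a lock, so the threshold of five is an assumption; the clock is injectable so the timing can be tested without waiting.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

MAX_FAILED_ATTEMPTS = 5          # assumption: the page does not state the threshold
LOCKOUT_SECONDS = 15 * 60        # "Auto-unlock after 15 minutes", as documented


@dataclass
class LoginThrottle:
    """Per-user failed-attempt counter with a timed lock and admin override."""
    clock: Callable[[], float] = time.time
    failed: dict = field(default_factory=dict)        # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unix time the lock expires

    def is_locked(self, user: str) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Auto-unlock: the lock has expired, so clear it and start counting afresh.
            del self.locked_until[user]
            self.failed.pop(user, None)
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Register a failed MFA attempt; return True if the account is now locked."""
        if self.is_locked(user):
            return True
        count = self.failed.get(user, 0) + 1
        self.failed[user] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the counter; only possible when not locked."""
        self.failed.pop(user, None)
        self.locked_until.pop(user, None)

    def admin_unlock(self, user: str) -> None:
        """The 'Admin assist' path: clear the lock before the 15 minutes elapse."""
        self.record_success(user)

    def seconds_until_unlock(self, user: str) -> int:
        """How long the 'Wait' option takes from now (0 if not locked)."""
        if not self.is_locked(user):
            return 0
        return max(0, int(self.locked_until[user] - self.clock()))


if __name__ == "__main__":
    throttle = LoginThrottle()
    for _ in range(MAX_FAILED_ATTEMPTS):
        throttle.record_failure("demo-user")
    print("locked:", throttle.is_locked("demo-user"))
    print("unlock in", throttle.seconds_until_unlock("demo-user"), "seconds")
```

Lock decisions should be logged with the user and source address so that a burst of lockouts across many accounts is visible to whoever reviews the audit trail.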
MFA Enforcement Policies
CastellanAI enforces MFA requirements based on user roles:
| Role | MFA Required | Grace Period |
|---|---|---|
| Administrator | ✅ Required | 7 days |
| Security Analyst | ✅ Required | 7 days |
| Incident Responder | Recommended | 30 days |
| Viewer | Optional | Not enforced |
📝 MFA Setup Checklist
- Choose primary MFA method (authenticator app recommended)
- Complete setup and verify code works
- Save backup codes in secure location
- Set up secondary MFA method (hardware key recommended)
- Test account recovery with backup code
- Document recovery procedures
What's Next?
| Guide | Description |
|---|---|
| User Activity Monitoring | Track user activity and audit logs |
| Roles & Permissions | Role-based access control management |
| Access Control | IP and time-based access restrictions |