Multi-Factor Authentication (MFA)

Introduction

Bud has enhanced its Multi-Factor Authentication (MFA) features to give organisations greater control over security settings. In line with GDPR best practices, Training Providers can now manage MFA status for their own users, as well as Learners and Employer contacts. These self-service options strengthen data protection, reduce the risk of unauthorised access, and minimise admin overhead by allowing MFA to be enabled, disabled, or re-registered without contacting Bud Support—even in cases like lost devices.  This article will walk you through the features so that managing MFA becomes effortless.

User role

  • System Administrator

Prerequisites

Before Multi Factor Authentication (MFA) can be applied directly to specific users, providers will need to ensure that they have the "MFA" functionality enabled within their tenancy. Please contact Bud Support or your Customer Success representative if you need assistance with this. 

In order to access the "Admin" navigation menu and subsequently the "Security Settings" page the training provider user must have the "System Administrator" role assigned. Due to the nature of the controls this enables, it is likely the number of users in your organisation with this elevated role will be limited and should continue to be assigned ONLY to those who will specifically need to use it in their job role.  

How to access the MFA Security Settings

Providing the criteria in the pre-requisite requirements section has been met, then the training provider user can access the security settings page via the "Admin" menu which will be visible to them.

Security settings page - general navigation

The security settings page allows the user to control the MFA settings for three main user types

  • Training Providers - Internal users of the platform (e.g. trainers, administrators)
  • Learners - You will see all learners that appear would normally appear in the main learner list 
  • Employers - This will show all employer contacts associated to your tenancy where they have completed their invitation to become a Bud user. NB: this list shows individual employer contacts, not employers so the number displayed will be greater that the number of employers if there are more than one contact per employer. 

Depending upon the tab selected you will be able to search relevant users by FirstName, Surname or Email. When searching it is advisable to use as specific a search term as possible in order to narrow the results that are returned (i.e. Searching "Andrew" will return more targeted results than searching "And"). The search may also look at data that is not visible in the table so results may appear broader than expected.

It is also possible to re-order the list by column headers for all columns except MFA Status (NB: once a column has been sorted by ascending or descending it cannot be changed again without refreshing the page and returning to the default sorting position).

If you want to see a longer list of users you can also select "users per page" to change the view from the default setting of 10 records per page. 

To Navigate the pages you can use the pagination options at the bottom of the page. 

 

MFA Status types 

DisabledThe user does not currently have MFA enabled for their account
PendingMFA has been requested for the user, but they have not yet connected an authentication method to their account
EnabledMFA is active for this user and they will use a registered device to log in to Bud
UnknownThis user exists in the tenancy but their MFA status cannot be determined (Likely due to an incomplete user registration process)

 

Changing an individual user's MFA status

To change a user's MFA status, where permitted, clicking on the action menu alongside the MFA Status column will display the options available for that user. Please see the MFA considerations section below for details of the permitted actions available. 

Bulk changing user's MFA statuses

If you require all user's of specific type i.e. Learner's, Employers or Training provider users to be required to use MFA to access the Bud platform then it is possible to bulk enable MFA.

IMPORTANT - PLEASE NOTE: The "Bulk Enable All" process is NOT reversible for Learners and Employers and will result in all users of that type being set to MFA "enabled" permanently. All Training Provider users will become enabled if used for that user type and will have to be individually set to "disabled" in order to undo the change. Please ensure that this button is used will the full consent of your business following the correct consultations and business practice analysis.

You will be required to confirm that you wish to continue. Should you proceed you will then be informed how many of the users of that type were changed to enabled (This number will not always match the total number of users for that type as some may have already been enabled, or are not able to be updated - See MFA considerations for further details).

 

MFA considerations

  • Users can exist in multiple tenancies e.g. A user may work at Training Provider A, but also be a learner at Trainer Provider B. Where this is the case, the MFA status may be controlled by another organisation. If a user is enabled by Training provider A, they will not be permitted to be disabled by Training Provider B as the MFA is associated to the user account directly and not the tenancy.
  • Training provider users can have their MFA status Enabled OR Disabled
  • Learners and Employer contacts can only have their MFA status Enabled. Once MFA is enabled for a learner or employer contact it CANNOT be disabled.
  • When a user is in a "pending" status the only option available will be "Disable" - This option will only be visible for Training provider users
  • Re-Register is available for all user types with a current MFA status of "Enabled". Re-register would typically be used where a user has changed the mobile device they use to log on to MFA. (NB: If a user is re-registered but using the same device/authenticator app then they may need to delete the "old" account in their authenticator app before connecting a new one)
  • MFA requires users to have access to a device that supports one of the many authenticator apps available in the Google Play Store, Apple App Store or Windows App store. These authenticator apps are predominantly free of charge and often pre-installed on modern devices.
  • It is possible that user will show an MFA status of "Unknown" and will not be able to be actioned. This is typically caused by a user having been created by a training provider and not invited to self-register. Once the users receives the "Welcome to Bud" email and logs into their account for the first time, the users status will be updated from unknown. 

  • If "bulk update all" is used and there are no users available to update a message will be returned indicating this is the case. This process can be undertaken an indefinite number of times, so it is recommended that this process is used periodically to ensure that any eligible new users added since the last attempt are then updated. 

 

Related to