We have different resources available, depending on whether you would like to set up Single sign-on with optional two-factor authentication, or just two-factor authentication.
Follow the instructions below to set up Two-factor authentication on its own.
What is two-factor authentication?
Two-factor authentication adds an extra layer of security for your MIS designed to ensure that school staff are the only people who can access their accounts using a code generated on their phone, even if someone else knows their Arbor password.
We recommend Google Authenticator as it’s free for our schools, but you can use other authentication applications instead, such as Microsoft Authenticator or Authy.
As part of two-factor authentication, you can use IP whitelisting to make it quicker for your staff to log in when they are at your school site. You can allow staff to log into the MIS from the school's IP address without needing to complete the second step of the two-factor authentication.
IP Whitelisting allows you to create lists of trusted IP addresses or IP ranges from which your staff can access your school’s MIS. When using a trusted IP address, the second step of the two-factor authentication is not required, and your staff will only need to input their email/username and password (no verification code needed) to log in.
Who can set up these features?
Two-factor authentication is available for all schools to set up and use no matter what package you've purchased.
- School: Permissions: View
- Either the Staff: User Details: Administer or School: General Admin: Administer permissions
If someone else will be setting this up, look here for how to assign these permissions on an ad-hoc basis if needed.
Setting up two-factor authentication
Before completing the setup
There are some steps you must complete before you start using two-factor authentication.
- Check staff know their password - During the first login, staff will be asked to verify their identity by filling in their Arbor password. This is only done once.
- Ask staff to download your authentication app - Your staff will need to have downloaded the authentication app you’ll use (e.g. Google Authenticator) so they can receive their access code to log in. If they have not downloaded the app and completed the setup, your staff will not be able to log in.
- Find out your school’s IP address (optional) - This is required if you choose to use IP whitelisting. Find out your IP address by typing ‘What is my IP’ into Google. Remember the results depend on where you currently are, so the IP address of a school in a different location will be different.
Completing the setup
To get to the setup page, go to School > Users & Security > Users > Two-Factor Authentication Setup.
To turn on two-factor authentication, click the Enable two-factor authentication using… box and select Authentication app, then click the Save settings button.
This means that when staff log in once they have set up the app, they will need to enter the security code from their app into Arbor to log in.
Top Tip: If at any point in the future you would like to switch two-factor authentication off, change this back to the ‘Do not enable two-factor authentication’ option.
Using this section, you can add your school IP address (or a range of addresses) to your whitelist.
Top Tip: Find out your IP address by typing ‘What is my IP’ into Google.
IP Whitelisting allows you to create lists of trusted IP addresses or IP ranges from which your staff can access your school’s MIS without the need to use two-factor authentication. When using a trusted IP address, the second step of the two-factor authentication is not required, and your staff will only need to log in using their standard login email and password, with no verification code required. This can save your staff a lot of time when logging in using a school computer!
When using a different IP address, they will still need to complete the second step of two-factor authentication when logging in.
Click +Add in the IP Whitelist section.
In the slide over type in the IP address and click the Save changes button.
- Once Two-factor authentication has been switched on, you can see the new process for your staff to log in here: Logging in when Two-factor authentication is enabled
- You can help troubleshoot and fix login issues here: Troubleshooting Two-factor authentication and Google authenticator App issues