We have different resources available, depending on whether you would like to set up Single sign-on with optional two-factor authentication, or just two-factor authentication.
Follow the instructions below to set up Two-factor authentication on its own.
How long will it take?
- Completing the checklist to prepare - varies depending on the actions needed
- Switch on Two-factor authentication - 2 minutes
- Add IP Whitelisting - 2 minutes
Two-factor authentication is available for all schools and MATs to set up and use no matter what package you've purchased.
- You'll need either the Staff: User Details: Administer or School: General Admin: Administer permissions to set this up on the School MIS - if you don't have the permission, you'll need to ask your admin team to give you permission using these instructions.
- You'll need the User Details: Manage All Userspermission to set this up on the MAT MIS - if you don't have the permission, someone will need to assign you a new Business Role that contains this permission.
What is two-factor authentication?
Two-factor authentication (sometimes called Multi-Factor authentication or mfa) adds an extra layer of security for your MIS designed to ensure that your staff are the only people who can access their accounts using a code generated on their phone, even if someone else knows their Arbor password.
We recommend Google Authenticator as it’s free, but you can use other authentication applications instead, such as Microsoft Authenticator or Authy.
As part of two-factor authentication, you can use IP whitelisting to make it quicker for your staff to log in when they are at your site. You can allow staff to log into the MIS from your institution's public/external IP address without needing to complete the second step of the two-factor authentication.
IP Whitelisting allows you to create lists of trusted IP addresses or IP ranges from which your staff can access your MIS. When using a trusted IP address, the second step of the two-factor authentication is not required, and your staff will only need to input their email/username and password (no verification code needed) to log in.
Before setting up two-factor authentication
There are some steps you must complete before you start using two-factor authentication.
- Check staff know their password - During the first login, staff will be asked to verify their identity by filling in their Arbor password. This is only done once.
- Ask staff to download your authentication app - Your staff will need to have downloaded the authentication app you’ll use (e.g. Google Authenticator) so they can receive their access code to log in. If they have not downloaded the app and completed the setup, your staff will not be able to log in.
- Find out your IP address (optional) - This is required if you choose to use IP whitelisting. Find out your IP address by typing ‘What is my IP’ into Google. Remember the results depend on where you currently are, so the IP address in a different location will be different.
Setting up two-factor authentication
To get to the setup page, go to:
- School > Users & Security > Users > Two-Factor Authentication Setup on the School MIS
- Group Staff > Users & Security > Authentication Setup > Two-Factor Authentication Setup on the MAT MIS
To turn on two-factor authentication, click the Enable two-factor authentication using… box and select Authentication app, then click the Save settings button.
As you're not using Single Sign On (SSO), ticking the Bypass two-factor authentication for SSO accounts? box will not have an effect.
When staff log in once they have set up the app, they will need to enter the security code from their app into Arbor to log in.
Top Tip: If at any point in the future you would like to switch two-factor authentication off, change this back to the ‘Do not enable two-factor authentication’ option.
Using this section, you can add your IP address (or a range of addresses) to your whitelist.
- Find out your IP address by typing ‘What is my IP’ into Google.
- You must use your public/external IP, not a private or internal IP.
IP Whitelisting allows you to create lists of trusted IP addresses or IP ranges from which your staff can access your MIS without the need to use two-factor authentication. When using a trusted IP address, the second step of the two-factor authentication is not required, and your staff will only need to log in using their standard login email and password, with no verification code required.
When using a different IP address, they will still need to complete the second step of two-factor authentication when logging in.
Click +Add in the IP Whitelist section.
In the slide over type in the IP address and click the Save changes button.
- Once Two-factor authentication has been switched on, you can see the new process for your staff to log in here: Logging in when Two-factor authentication is enabled
- You can help troubleshoot and fix login issues here: Troubleshooting Two-factor authentication and Google authenticator App issues