What's included in this article
- Overview
- Prerequisites
- Step 1: Request MFA to be Enabled for your School
- Step 2: Domain Verification
- Step 3: Apply the MFA Policy
- What Users Will Experience
- Session Timeout
- Supported MFA Methods
- Summary Checklist
Overview
Multi-factor authentication (MFA) adds an extra layer of security by requiring users to verify their identity using a one-time password (OTP) generated by an authenticator app, in addition to their regular login credentials.
Enquiry Tracker leverages WorkOS — a trusted identity and authentication platform — to power both MFA and Single Sign-On (SSO) support. WorkOS enables Enquiry Tracker to offer enterprise-grade authentication features, allowing schools to enforce secure login policies and integrate with their existing identity providers where SSO is in place.
Prerequisites
Before MFA can be enabled for a school, the school must have WorkOS enabled. This is performed by Enquiry Tracker staff and must be completed before proceeding.
Enabling MFA for a school involves three steps:
- Enable WorkOS for your school
- Complete domain verification
- Apply the MFA policy
Step 1: Request MFA to be Enabled for your School
The first step is to raise a ticket requesting that MFA be enabled for your school, and to provide us with an IT contact who can verify your domain. Once we have that, a staff member will turn on WorkOS for your school.
We will also need to know your preferred authentication method, which can be any of the following:
- Email and Password
- Google OAuth
- Microsoft OAuth
Step 2: Domain Verification
Once WorkOS is enabled, the school's domain must be verified. This is a required step before any MFA policies can be applied at the domain level.
To complete domain verification:
- An invitation will be sent to your school's IT administrator to begin the domain verification process.
- After receiving the invitation, the IT admin must verify that the domain belongs to your school.
- As part of verification, the school will need to copy a TXT record provided by WorkOS and add it to their DNS host.
Note: Domain verification is handled by the school's IT admin. Ensure they are available and prepared to update their DNS settings before initiating this step.
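Before confirming the domain in the verification flow, the IT admin can check that the new TXT record is actually visible in public DNS. The script below is an added example, not part of Enquiry Tracker or WorkOS; it assumes `dig` is installed, and the record name and value shown are constructed placeholders for the ones in the invitation.

```shell
#!/bin/sh
# Added example: confirm a verification TXT record is visible in public DNS.
# The record name and value used here are placeholders; use the ones shown in
# the invitation your IT admin received.

# Constructed sample of `dig +short TXT` output: an unrelated SPF record plus
# a verification value that the DNS host split into two quoted chunks.
sample_dig_output() {
  printf '%s\n' '"v=spf1 include:_spf.example.net ~all"' \
                '"example-verification=" "CONSTRUCTED-TOKEN-123"'
}

# Join the quoted chunks of each record and strip the outer quotes,
# leaving one TXT value per line.
normalise_txt() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"[[:space:]]*$//'
}

# Read dig output on stdin; succeed only if a record equals $1 exactly
# (case-sensitive, no partial matches).
txt_record_present() {
  normalise_txt | grep -Fxq -- "$1"
}

# Query several public resolvers, since caches update at different times.
# $1 = record name, $2 = expected value. Returns non-zero if any resolver
# does not yet serve the record.
check_txt() {
  missing=0
  for resolver in 1.1.1.1 8.8.8.8 9.9.9.9; do
    if dig +short TXT "$1" "@$resolver" | txt_record_present "$2"; then
      echo "found    @$resolver"
    else
      echo "missing  @$resolver"
      missing=1
    fi
  done
  return "$missing"
}

# Usage (placeholders):
#   check_txt _verification.school.example 'example-verification=CONSTRUCTED-TOKEN-123'
```

A "missing" result on every resolver usually means the record was saved under the wrong host name or with extra characters in the value; a mix of "found" and "missing" usually means caches have not yet refreshed.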
Step 3: Apply the MFA Policy
Once the domain has been verified, the MFA policy can be turned on.
- The policy is applied at the school level.
- Once enabled, every user in your school will be required to use MFA each time they log in.
What Users Will Experience
- The first time a user logs in after MFA is enabled, they will be presented with a setup screen where they must link an authenticator app (such as Google Authenticator, Microsoft Authenticator, or a password manager like 1Password) by scanning a QR code or entering a setup key.
- This setup screen is shown only once.
- On all subsequent logins, users will simply be prompted to enter the 6-digit code generated by their authenticator app.
Session Timeout
The current session token timeout is set to 4 hours of inactivity. Users who have been inactive for longer than this period will be logged out and required to authenticate again, including entering their MFA code.
Supported MFA Methods
Users can choose from any compatible authenticator app during setup, including:
- Google Authenticator
- Microsoft Authenticator
- 1Password (or other password managers that support OTP)
Note: The specific authenticator app options presented during setup are determined by WorkOS and cannot currently be restricted to a specific app.
Summary Checklist
| Step | Action | Responsible |
|---|---|---|
| 1 | Enable WorkOS for the school | Enquiry Tracker |
| 2 | Invite school IT admin for domain verification | Enquiry Tracker |
| 2a | Add TXT record to DNS host | School IT admin |
| 3 | Apply MFA policy at the school level | Enquiry Tracker |