HSI supports Multi Factor Authentication (MFA) as an optional account setting. Once the MFA option is enabled, any users attempting to access data in the account must go through the multi-factor authentication process prior to logging in. The MFA process is account specific and not system specific.

When MFA is enabled on an account, during the login process, users can trigger either an SMS or Email to their allocated mobile number or email address – with a one-time six-digit code.

This six-digit code is a randomly created number, with an expiry period applied to that specific code. The code must be entered within the expiry period, for the user to confirm their identity.

If that code is not entered into the application within the expiry period, the user will need to trigger a new code before they can successfully log in.

The expiry period is as follows:

The SMS text received will read as follows:

Use the one-time code 123456 to access Solv

The Email received will show as follows:

When a user attempts to log into an account where MFA is enabled, the user will be navigated to the multi-factor authentication page.

For users with access to more than one client account, this page will appear after the user has selected their account, but before the system selection page.

The MFA page will show as follows:

The large button will either state “Send SMS for my One-Time Code” or “Send Email for One-Time Code” depending on the scenarios below.

The 'Send SMS' button is what is used to trigger the SMS or Email with the one-time code.

Scenario 1 – Valid mobile number exists for user:

If the user selects “Send SMS for my One-Time Code” and there is a valid mobile number against that user, then an SMS with the one-time code is sent and a pop-up message will show above the button which reads:

A 6 Digit One-Time Code has been sent

After the SMS has been sent the authentication page will show a timer that counts down from 60 seconds as follows:

If the 60 seconds passes without a valid code being entered, then a red message will appear:

Scenario 2 – No valid mobile number exists for user:

If the user selects “Send SMS for my One-Time Code” and there is no valid mobile number against that user, then a pop-up message will show above the button which reads:

There is no valid mobile number against your profile.

Select the button to send an email for your one One-Time Code.

At this point, the large button text will change from “Send SMS for One-Time Code” to “Send Email for One-Time Code”. This change can also be triggered directly by the user if they click the “I don’t have access to a mobile phone or number for this account” link.

If the user selects “Send SMS for my One-Time Code” then an Email with the one-time code is sent and a pop-up message will show above the button that reads:

A 6 Digit One-Time Code has been sent

If the user enters an invalid code, then a red validation message will show below the code box:

Otherwise, if the user enters the correct code within the expiry period they are granted access to the system.

Clicking the Cancel button will redirect the user to the login page or the account selection page.

If MFA is enabled for the account, once the user has been authenticated - if the user opens a new browser tab, then they should not be asked to re-authenticate until they have logged out of the session.