TABLE OF CONTENTS


How MFA works

This feature allows users to enable and disable Multi-factor Authentication on a self-service basis, giving them an additional layer of security on their First AML account. It also allows administrators to disable MFA for a user if they have been locked out of their account.

This is available to all customers regardless of tier and model (self-service & managed service).

All users are able to enable or disable MFA for their own logins. Certain users are able to enable and disable MFA for other users. These users are:

  • Platform Administrators
  • Compliance Officers
  • Team Administrators
  • First AML Administrators


MFA is Enabled for all new users but if you need to enable your own MFA please go to the how to enable MFA section.


Choosing an authenticator app

If you are new to MFA or If you don't already have an App to use when setting up MFA on your First AML login, you will need to choose and download one from your device's App Store, if you already have one you can log in and will be prompted to set up MFA with your first login.  


We can recommend using one of the following Authenticator Apps:


Google Authenticator:


Android device download and set up instructions


Apple device download and set up instructions


Microsoft Authenticator:


Android device download


Apple device download


Set up Instructions for all devices


If you and your company are new to MFA and Authenticator Apps it would be best to confirm internally if there is a process for deciding if all staff should use the same Authenticator App and which one that would be. 


Now that you have an Authenticator App you can now log into the First AML Platform with the steps below.


Logging in with MFA

At your next login to the First AML platform, after inputting your email address and password you will be prompted to set up MFA. Please have your mobile device and Authenticator App ready before proceeding. 


You will be prompted to add another authentication method. The available options include an external authenticator app e.g. Google Authenticator or Security Key.


Select your preferred authentication method. The following screenshots show the set-up experience using an authenticator app. Scan the QR code using the authenticator app. Your app will prompt you to enter a one-time security code. Click ‘Continue’ after inputting the code.


To use your security key, please follow the onscreen instructions to connect your security key.


After clicking ‘Continue’, you will be prompted to note down a recovery code. This recovery code allows you to log in without your MFA device should you need to. We suggest you note this down and store it somewhere safe e.g. password manager.

Tick ‘I have safely recorded this code’ and then click ‘Continue’.


Optional: trust this device

After setting up your MFA device, you can choose to trust the current device you are currently logging in on. If you don’t wish to do so, select ‘Remind me later’ or ‘Not on this device’. This will allow you to log in faster on your current device.


If you do choose to trust your current device to allow for an easier login flow, you will see the below success page once you complete registration.



Once you have logged in, you can navigate to the profile screen to confirm the MFA setup. The profile page will log each device and the last login time for your login.


This step can also be undertaken as you are logging in. You can tick the box below where you enter your one-time code to allow for the device to be remembered for: 

  • 30 days OR
  • After 7 days of not logging in 

If you do not check 'remember this device' when logging in, you will be prompted to reenter code at refresh / idle.

 



How to enable MFA

MFA settings are controlled within the ‘Profile’ screen. This screen can be accessed by clicking on your login user icon (located in the bottom left) of your screen once you log on. Click the ‘Profile’ section to navigate to the page.



The ‘Profile’ screen (screenshot below) contains your user information. MFA is disabled as a default for all users. To enable MFA, click the ‘Enable MFA’ button.


MFA is now enabled for your login. You will be prompted to set up MFA when you next log in to First AML.


How to remove devices

If you wish to change authentication devices, please navigate to the Profile screen. Select the three dots next to the last login time under the ‘Last Use’ column. You will have the ability to select ‘Remove’ to remove this device.


Once you click remove, you will see the screen below confirming that this device has been removed.


How to disable MFA

Navigate to the Profile tab and select ‘Disable MFA’


Once you disable MFA, the Multi-factor authenticator section will show the ‘Enable MFA’ button. This allows you to re-enable MFA if needed.


Managing MFA with the admin users screen

For users with the ability to add users to the platform, you will also be able to enable MFA when adding new users to the platform and manage the MFA settings for all users within your office/firm.

After clicking ‘Add a new user’, there is a toggle under the Role dropdown. The default is MFA disabled.


To enable MFA for a new user, click the toggle to enable MFA and then click ‘Save user’.


You can manage MFA for all users using the MFA column.


Click the pencil icon to the far right to edit an individual MFA status.


You can use the toggle to enable or disable MFA for a user.


Security key/token compatibility

Can I use a security token in place of an authentication app

Yes, you will be prompted when you first log in if you would like to use an authenticator or security key. Select security key and follow the steps.

Can I switch from an authenticator app to a security token

Yes, you will need to disable the MFA and then enable it again to go through the set up process of the security token. 

FAQS

Authenticator code isn't working/I have two First AML profiles in my authenticator app

There was likely an error when connecting the authenticator app, please remove the profiles from your Authenticator App and restart the process.

I am an SSO customer and would like to enable MFA 

For customers configured for single sign-on, it will not be possible to configure MFA. You will need to disable SSO to configure MFA. Please speak to First AML Support if you would like to switch from SSO to MFA.

Can I enable MFA for all of my users 

Currently, the MFA enablement is enabled on a user basis. If you have a large number of users you wish to enable this for, please speak to your First AML Customer Success Manager who will help you with this process. 

Where can I go for additional support?

Please raise a support ticket via the First AML Help Centre with your query. The team will then get in touch with any additional information they require and if needed, guide you through the setup process.