Starting from 22 April 2024, the use of a WithSecure Business Account for WithSecure Elements will also require that Multi-Factor Authentication (MFA) is used by everyone.
This change will immediately affect logins to:
If the same account is also used with any of the other services that use the WithSecure Business Account, these services will also use MFA. Such services include:
- WithSecure Community
- WithSecure Partner Portal
- Any other service that uses the WithSecure Business Account, either currently or in the future.
Currently the only way to configure MFA is through the Elements Security Center, but we will add this possibility to other services later.
Accounts that are only used for the WithSecure Community or WithSecure Partner Portal are not affected at this time, only accounts shared with WithSecure Elements.
We are making this change because as a cyber security vendor, our solutions must follow industry best practices and ensure that sensitive information and powerful capabilities are not misused due to password compromise. By using MFA, we can make life more difficult for attackers. Please see our recent article “Raising the bar” for more information about how MFA helps us all.
Enforcement schedule
MFA enforcement will begin on 22 April 2024, but please note that some geographical regions will start at different times. This will give users time to enable MFA before enforcement starts.
In the Elements Security Center, there has been a banner highlighting the lack of MFA for users since 1 February 2024. This message will be updated to include information about the enforcement schedule.
Starting from 22 April 2024, enforcement will be introduced for users in Europe, Middle East, and Africa (EMEA), as well as the Americas.
Users in the Asia-Pacific region will have longer to adopt MFA for operational reasons, and enforcement for them will start on 31 July 2024.
What if I don’t have MFA configured?
Currently, when a user logs in to the Elements Security Center, and they have not yet configured MFA, they will see a banner advising them to configure MFA with their account. A link in the banner will start the configuration for them. They can skip this if they do not currently have time to complete the configuration, and continue to work normally in the Elements Security Center.
Once enforcement is enabled, after the next login the user will be prompted to configure an authentication method. They will not be able to use the Elements Security Center until they have enabled MFA.
For this reason, we strongly advise configuring MFA during the pre-enforcement period, so that this change is less disruptive later. Security Administrators can already check the MFA status of all users in their organization using the “Management / Organization Settings” view in the Elements Security Center.
For users already following the best practices and recommendations, these changes have no impact.
MFA methods available
There are multiple methods available for authenticating your Business Account credentials when you log in. In addition, device biometrics from laptops or smartphones can be used to simplify login from trusted devices when some of the following authentication methods are configured.
Choose the most secure authentication method available to you. FIDO2 is the best option, followed by authenticator apps. SMS should only be used as a last resort. Note that if you lose your mobile device and have not backed up your security keys or authenticator app, you will lose access to your account, so SMS can be used as a backup method in such situations.
Security keys (USB)
We support passkey technology with hardware security keys such as Yubico YubiKey, Google Titan, and others that support the FIDO2 standard.
Smartphones as security key storage
In addition to hardware security keys, it is also possible to use similar technology directly from smartphones and tablets which support the FIDO2 standard.
Authenticator apps for TOTP (Time-based One-Time Password)
When you log in using your WithSecure Business Account with TOTP authentication configured, you will be prompted to enter a time-limited security code as secondary identification. This security code can be displayed to you using an application supporting TOTP.
Some options for smartphones and laptops:
- Microsoft Authenticator, Google Authenticator, and many others for smartphones
- Password managers for laptops, for example 1Password, KeePassXC, and many others
Auth0 Guardian Authenticator app supporting push notifications
The Auth0 Guardian application can also be used. This application is available for Android and iOS, and it can receive a simple push notification when you log in using your WithSecure Business Account.
SMS for OTP (One-Time Password)
It is possible to use SMS to receive a one-time password, which then needs to be entered into the login dialog. We recommend using this only as a secondary “fallback” method of authenticating, as the SMS messages may incur a cost to the user and may also be vulnerable to security breaches.
Find out more
You can find out more about how to configure MFA in the Welcome to WithSecure Elements guide.