Information

How To

Two-Factor Authentication (2FA) is the technical term for the process requiring a user to verify their identity in two unique ways before they are granted access to a system.

Traditionally, users are familiar to verification systems that require them to provide a unique identifier such as an email address and a password to gain access to the system. 2FA extends this model by adding an additional step to the verification process, in our case requiring the user to enter a one-time verification code that is generated via a mobile device that only the user has access to.

Overview

Why do I need 2FA?

2FA gives the user and administrator a peace of mind as it ensures that even if their password is compromised, the account cannot be accessed without entering a verification code.

How does it work?

When signing into LEAP, you’ll first need to enter your LEAP credentials. If the credentials are valid, you’ll then be prompted to enter a verification code which is generated via your mobile device.

Do I need to enter a code every time I log into LEAP?

No, if you’ve trusted a device or browser, you won’t need to enter a code until the device or browser is un-trusted.

Before You Implement 2FA

Should you introduce 2FA at your firm?

Whilst 2FA does provide a higher level of security, you should consider if 2FA is appropriate for your firm.

Educate your staff about 2FA

Make sure everyone understands why you are implementing 2FA. We recommend that you share this article with your staff.

Do all staff have a supported device with LEAP Mobile installed?

To implement 2FA, all staff will need LEAP Mobile installed on their iPhone, iPad or Android device.

Have a plan for lost devices

Ensure that you know who has administrator privileges in LEAP as only LEAP Admin users can deactivate the authenticated device.

Setting Your 2FA Firm Requirement

Click to edit heading

Only a LEAP Admin user is able to set a requirement for all users to activate 2FA on their mobile device.

Click to edit heading

Desktop: Click the LEAP Menu > Settings > Application Settings.

The LEAP Application Settings will open in a new window.

Click Firm > under Staff > Staff Members.

The Staff Members List will be displayed.
From the top-right corner, enable or disable Require Two-Factor Authentication for all staff.

If Require Two-Factor Authentication is enabled, you will receive a confirmation message stating that 2FA has been enabled for all staff once the process has been completed.

Once 2FA is enabled, the next time your firm's staff signs into LEAP, they will be prompted to activate 2FA on their mobile device.

Excluding a Staff Member from 2FA Firm Requirement

Click to edit heading

Only a LEAP Admin user is able to exclude a staff member from 2FA firm requirement.

Click to edit heading

Desktop: Click the LEAP Menu > Settings > Application Settings.

The LEAP Application Settings will open in a new window.

Click Firm > under Staff > Staff Members.

The Staff Members List will be displayed.
Select the staff you wish to exclude.

The Staff Details window will open.
Click Access & Permissions.
Under Two-Factor Authentication, disable Setup & Verification Codes.

Click to edit heading

If the user has already activated their mobile device, they will need to deactivate their device to stop receiving verification prompts when signing into LEAP.

Activating Your Device

Click to edit heading

Please ensure your LEAP Mobile app is updated to the latest version.

Only one mobile device can be activated and receive verification codes per LEAP user.

2FA Firm Requirement Mandatory

If your firm has made 2FA mandatory for you, the next time you sign into LEAP, you will be prompted to set up 2FA on your mobile device.

Open the LEAP Mobile app from your mobile device.

You will be prompted to activate your device.
Select Activate.

Optional Activation

You can activate your mobile device to receive verification codes, even if your firm has not made 2FA mandatory for you.

Click to edit heading

If your Firm Admin has restricted your access to LEAP Mobile, you will need to log into the Authenticator side of the LEAP Mobile App. Please see our article, LEAP Mobile Authenticator for more information.

Open the LEAP Mobile app from your mobile device.
- iPhone: Tap > under Profile & Security > Two-Factor Authentication > Enable Use As Authenticator.
- iPad: Tap > under Profile & Security > Two-Factor Authentication > Enable Use As Authenticator.
- Android: Tap Settings > Two-Factor Authentication > Enable Use As Authenticator.

Signing into LEAP

Click to edit heading

Enter your credentials then click Sign In.

You will be prompted to enter the verification code.
Open the LEAP Mobile app and sign in with your LEAP credentials to obtain the automatically generated two-factor code.
Enter the verification code displayed on the LEAP Mobile app.

The verification code will expire in 30 seconds. If you cannot enter the code by then, a new code will be automatically generated for you.

Click to edit heading

You can generate a verification code manually from the LEAP Mobile app:

iPhone: Tap > under Profile & Security > Two-Factor Authentication > under Manual Verification > Generate Code.
iPad: Tap > under Profile & Security > Two-Factor Authentication > under Manual Verification > Generate Code.
Android: Tap Settings > Two-Factor Authentication > under Offline Verification > Generate Code.

Trusting Your Desktop, Device and Browser

LEAP Desktop

Tick Trust this device before you click on Verify. Your desktop device is now trusted and will remain so until the device is un-trusted.

LEAP Mobile

Mobile devices will need to be manually trusted in LEAP Application Settings.

Browser

When you authorise access to a LEAP webpage via a browser, tick the Trust this browser (for 30 days) before you click on Login. The browser will be trusted for 30 days or until the browser history is cleared.

Managing Devices and Browsers

Click to edit heading

Desktop: Click the LEAP Menu > Settings > Application Settings.

The LEAP Application Settings will open in a new window.

Click Firm > under Staff > Staff Members.

The Staff Members List will be displayed.
Click on your name.

The Staff Details window will open.
Click Access & Permissions.
Under Two-Factor Authentication > Used Devices, click next to a device and select:
- Trust: to trust the selected device.
- Untrust: to untrust the selected device.
- Remove: to remove the selected device from the Used Devices list.
- Deactivate: to deactivate your paired mobile device.
Click Save.

Click to edit heading

If you are having issues logging in using 2FA whereby your Authenticator device is requesting a code or if you are not receiving a code, you can ask your LEAP Administrator to deactivate the Authenticator device using the steps above. You can then re-activate your device as needed.

Deactivating Your Mobile Device

Click to edit heading

You must deactivate 2FA on your mobile device before you uninstall/remove the LEAP Mobile app. If the LEAP Mobile app is uninstalled/removed prior to deactivating 2FA on the device, you can deactivate your device from the LEAP Application Settings.

There may be a time when you may need to deactivate 2FA on your device such as:

If you buy a new mobile device; or
You lose your mobile device.

If you need to change the device to receive verification codes, you will need to deactivate 2FA on the old mobile device and activate the new device for 2FA to receive verification codes.

From Your Paired Mobile Device

Click to edit heading

Open the LEAP Mobile app from your paired mobile device.
- iPhone: Tap > under Profile & Security > Two-Factor Authentication > Disable Use As Authenticator.
- iPad: Tap > under Profile & Security > Two-Factor Authentication > Disable Use As Authenticator.
- Android: Tap Settings > Two-Factor Authentication > Disable Use As Authenticator.

From LEAP Application Settings

Click to edit heading

Desktop: Click the LEAP Menu > Settings > Application Settings.

The LEAP Application Settings will open in a new window.

Click Firm > under Staff > Members.

The Staff Members List will be displayed.
Select the staff you wish to deactivate.

The Staff Details window will open.
Click Access & Permissions.
Under Two-Factor Authentication > Used Devices, click next to the Authenticator device then select Deactivate.

If you are not receiving the Two-Factor Authentication 2FA code

If you're unable to log in to LEAP or reset your password because you're not receiving the 2FA (Two Factor Authentication) code, follow these steps:

Click to edit heading

These steps can only be performed by the firm's LEAP Administrator.

From the firm's LEAP Administrator's device, they will navigate to the LEAP Menu > Settings > Application Settings > Under the Firms heading choose Members.
The LEAP Administrator will now turn OFF your two-factor authentication access AND remove your trusted device with the following steps:

Select the Staff name > Access & Permissions

Navigate to the Two-Factor Authentication header

Under the Setup & Verification Codes header, Disable the toggle

Under the Used Devices header, click the 3 vertical dotsand Deactivate your phone (Samsung or iPhone etc)

Click Save
The LEAP Administrator will now turn back ON your two-factor authentication access:

Select the Staff name > Access and Permissions

Navigate to the Two-Factor Authentication header

Under the Setup & Verification Codes header, Enable the toggle so it is green

Click Save
You may now login to the LEAP application on your phone.

LEAP mobile will prompt you to Set-Up Two-Factor Authentication.

If you are a single user firm and are unable to reset your password due to Two-Factor Authentication 2FA

If you are a single user firm and are unable to reset your password due to Two-Factor Authentication 2FA, you will need to contact LEAP for assistance.