This article covers how to enable, configure, and manage multi-factor authentication (MFA) for Biamp SageVue. MFA requires SageVue version 2.2.0 (released April 2022) or later.
Added security: MFA adds another layer of security on top of the standard username and password credentials by requiring additional verification from the user. SageVue uses one-time authentication codes delivered via email or SMS messaging as the second form of verification.
Multi-factor authentication must be enabled by the SageVue administrator and can be used with both local and LDAP logins.
MFA is disabled by default. It can be enabled on a per-user basis or set as required for all users. Enabling MFA requires configuration of SMTP.
Setting MFA as required for all users
To enable MFA for all users logging into SageVue, navigate to Settings > MFA and change the Required for All Users setting to On and then select Save Settings.
During the first login with MFA enabled — or after the first login attempt — users will be prompted to choose a delivery method for the authentication code. The options are email or text message. The delivery option chosen is the default for future login attempts. However, users can switch options later. After selecting Send, the user will receive a one-time code via the chosen method to complete the current authentication.
Setting MFA as required for individual users
Multi-factor authentication can be enabled on a per-user basis. This may be desirable when you want to maintain a local admin account that can gain access without relying on any SMTP delivery methods.
Individual management of MFA can be accessed by clicking on the user name and profile image in the top left of the web GUI. This is the same location where a user will go to log out of SageVue.
Select the Setup MFA option from this menu. Enable the method(s) this user will use for receiving authentication codes. The user will be required to validate the chosen method by entering a one-time code sent to the email and/or phone number provided.
If both email and text messaging are enabled, the option set as primary will be the default for logging into SageVue.
At login, users have the option to resend the code if one was not received, as well as change the default delivery method. The option to Remember This Device is also provided. Checking this allows the user to skip the secondary verification step on subsequent login attempts. Devices are remembered for 180 days.
Authentication Code Expiration
One-time codes expire after 10 minutes. If a user is unable to log in within this timeframe, another code may be requested using the Click to resend option.
Admin local account for All Users
If multi-factor authentication is required for all users, it may be helpful to maintain a local SageVue admin account that does not require MFA. If there are issues with SageVue accessing the SMTP server, this account can be used for login until connectivity is restored.