Our Knowledge Base Center articles are being updated for our new platform design. Need assistance? Reach out to support@learnworlds.comTwo-factor Authentication (2FA) is a security measure that adds an extra layer of protection to your account and requires you to provide two different forms of identity confirmation before you can gain access to a website. In addition to a standard password, a second form of confirmation is required, usually a one-time password (OTP) sent through email or a mobile app authenticator.
Utilizing two-factor authentication (2FA) will significantly strengthen the security of your LearnWorlds school, fortifying its defenses against unauthorized access attempts.
In this article, we'll provide detailed information on setting up two-factor authentication (2FA) for your LearnWorlds school. Additionally, we'll walk through the user flows to ensure a smooth and effective process.
LearnWorlds offers a 2FA (Two-factor Authentication) for all user roles (users, affiliates, plain admins, instructors, reporters, seat managers) however, the LearnWorlds admin (school owner) is excluded.Enable 2FA (Two-factor Authentication) for Users
Go to Website settings → Authentication and click on the LearnWorlds tab. You can:
1. Enable/disable the 2FA.
2. Choose whether mandatory (active for all users) or optional (each user activates it themselves).
3. Choose which roles (users, affiliates, plain admins, instructors, reporters, seat managers) it applies to
Note: The LearnWorlds admin (school owner) is excluded.
4. Choose the verification channel(s) available:
a. Only Mobile App Authenticator
b. Only Email
c. Both Email and Mobile App Authenticators
2FA Set up User Flow
Let's see the navigation flow when users sign up while 2FA is enabled & mandatory in your school. Once a user attempts to sign up they can choose between two potential methods to verify their identity: Mobile App Authenticator and/or Email according to the verification channel(s) you enabled in your school:
a. Only Mobile Authenticator
b. Only Email
c. Both Email and Mobile App Authenticators.
Mobile App Authenticator
Users can choose to receive authentication codes via a Mobile Application.
1. Download the app
The users must have an authenticator app like Google Authenticator or Authy installed on their mobile devices.
2. Scan the QR code
i. The user scans the QR code in-app with their mobile app authenticator to verify a device.
Note: The users can finish the 2FA setup without scanning the QR code. They can enter manually the verification code generated by their app (Google Authenticator or Authy) installed on their mobile devices.
ii. The app produces an OTP (one-time password), that lasts for 30 seconds.
iii. The user adds the correct OTP (one-time password) to the LearnWorlds school screen.
iv. They are presented with one backup code, to use in case e.g. they lose their device
v. The 2FA setup and sign-up are all set.
Users can choose to receive authentication codes via e-mail.
A verification code valid for the next 15 minutes will be sent to the user's email account. The user needs to log into their email account, get the code, and verify it in your LearnWorlds school.
The setup will be completed and from now on the user will be receiving all future verification codes, e.g. each time they attempt to sign in, to the email address they submitted during their 2FA configuration upon sign-up.
In both cases, Mobile Authenticator and/or Email, the users can request a new code to be sent by clicking on the Resend code.
There is a cooling period between the codes that can be triggered. If they enter the wrong code they will receive an error indicating so.
There is also an OTP maximum attempts limit hence if the code is entered 5 times wrong the user needs to request a new challenge to be sent.
Sign in with 2FA
Imagine a user signed up (created an account), set up Mobile and/or Email Authenticator, and signed in successfully. Then they signed out of their account, and want to sign in again.
The 2FA challenge when they sign in goes as follows for both the Mobile and/or Email Authenticator:
i. Users add their correct login credentials.
ii. They are presented with an OTP (one-time password) input.
The Mobile App Authenticator produces an OTP, that lasts for 30 seconds. If they instead select Use backup code in the OTP input screen they will enter the backup code correctly and be presented with the new code.
The Email Authenticator will send a 6-digit code to their email account that will be valid for the next 15 minutes.
iv. They enter the correct OTP in time and sign in successfully.
Optional 2FA
If you make 2FA optional in your school you can inform your users they can enable an additional protective layer of security for their account if they want to, by enabling themselves 2FA.
The users will find on the After Login page a button to go to their Profile page. You can also include the Profile page link in your school's After sign-in/up topbar as well, so users can easily access their Profile page anytime from any page.
While on their Profile page, they can click Edit.
In the next panel, they should go to Account Security → Manage 2FA Settings.
Then they can choose between the two potential methods to verify their account: Mobile Authenticator and/or Email according to the verification channel(s) you have enabled in your school (See steps above).
Change User Email
There can be the case that a user has already activated the 2FA Email verification channel and they later want to change their account's email via their Profile Page.
- If the 2FA email authenticator is mandatory in your school the user after changing their account's email, will be prompted to set up from scratch the 2FA email authenticator for their new email the next time they will sign in using the new email. See above.
- If the 2FA email authenticator is optional in your school the user after changing their account's email, can go to their Profile page and set up from scratch the 2FA email verification channel as discussed above.
Enable/Disable Email & Mobile App Authenticator
Enable both Authentication Channels
If a user has already set up one of the authentication channels, Email or Mobile App Authenticator, and now they want to set up the other authentication channel they will first need to confirm their identity in the already activated authentication channel to then proceed with setting up the other authentication channel which is still disabled.
For example, a user has already set up & activated the Email Authentication channel and they want to set up the Mobile App Authenticator as well. For security reasons enabling the second authentication channel is a protected action by the already-activated authentication channel.
Hence they will first have to verify their identity via the already-activated email authentication channel to move forward and enable the mobile app authentication channel. This goes vice versa as well, a code will be sent in the mobile app authentication (already activated) to enable the email authentication (not activated yet).
Disable an already-activated Authentication Channel
If the user wants to disable one of the two already-activated Email and/or Mobile App Authenticators, they will be prompted to prove that it is indeed them that are attempting to make the change by providing an OTP (one-time password) sent by the respective verification channel.
In the scenario that the user wants to disable the Mobile App Authenticator, they will receive an OTP provided via the respective Mobile App Authenticator to complete the disabling action.
In the scenario that the user wants to disable the Email Authenticator, they will receive an OTP provided via the respective Email Authenticator to complete the disabling action.
- Users cannot disable the 2FA authentication channel(s) Email and/or Mobile App Authenticator if these have been set up as mandatory by the school owner.-If you want to set up an SSO solution in your school you will need to check with your SSO provider if the 2FA feature can co-exist with your SSO configuration.
-The 2FA feature is not supported in Mobile apps.
- Students using social logins will not go through the LearnWorlds 2FA, as the identity provider (e.g. LinkedIn, Facebook, etc.) is responsible for handling the two-factor authentication and taking care of other account security aspects.
- If you had enabled the 2FA, you disable it and later enable it again, the 2FA feature won't "remember" the older setup e.g. user data (emails, phone devices, etc.) hence users will need to pass through the 2FA setup once again.
- As an admin, you can reset a user's 2FA from the User Management page.
Edit/Translate 2FA Authentication Interface Texts
You can edit/translate the Two-factor Authentication interface texts if you go to Settings → Site Language.
One-time Password Email
You can customize the 2FA challenge email notification, by navigating to Communication→ School Emails → Registration Emails.
