1.0 - Introduction

Multi-factor authentication (MFA) is a commonly used method of online security. It requires a user to firstly input their username and password and secondly input a code generated by a third party app on a device the user has previously designated. This means in order to access a user’s account they must have a username, password and their authentication device available, which increases the security of the account.

MFA can now be enabled for use when logging onto the Innova Web Portal and the Innova Phone App. Additionally, if your Well Seeker Pro server database is hosted within Innova’s infrastructure, MFA can be enabled for use when logging onto a Well Seeker Pro server database.

This document will guide the user through the various use cases, which differ slightly based upon the organization’s user management system (Innova, Okta or Azure AD).

2.0 - Setup

MFA is turned off by default. It is up to an organization’s admins to turn on MFA for their existing users, if they desire to use this security feature. This is done via the User Management page in the Innova Portal.

To access the User Management page, log in to the Innova Web Portal, using credentials that have the Admin permission enabled. Open the main menu and select User Management and then Users.

MFA settings are managed on a user by user basis. Before changing any settings, check the Auth Type column.

• MFA Enabled: Click the button in the MFA Enabled column to toggle MFA on for that user. The user can then follow the steps in Section 3 below to set up MFA on their secondary device. The button will display green when MFA is enabled for the user.

• API User: Toggling the API User function on prevents a user from using MFA, and ensures that they can log in using their username and password only. It also prevents the MFA Enabled option from being toggled on. If MFA was previously enabled for the user, it will automatically be deactivated. The button will display green when API user is enabled.

3.0 - User Login Process

3.1 – MFA not enabled

If MFA has not been enabled then the user will login as usual.

3.2 – MFA enabled

If MFA has been enabled, one of two scenarios will occur:

1. This is the first time a user is logging in after MFA has been enabled, or the MFA authenticator has been reset:

a. The user must register an MFA device. This must be done via the login page for the Innova Web Portal. It cannot be done in the App or Well Seeker.

b. The user inputs their username and password

c. The below screen will appear (for Okta and Azure AD organization users, a similar app specific version will appear)

d. Open an authenticator application on a chosen device, and scan the QR code (see the relevant authenticator app’s documentation for details on how to do this). A row named Innova Drilling & Intervention will be added in to the authenticator app in question, which will generate a six digit code at a pre-determined time interval. Input this six digit code into the six cells displayed below and select SUBMIT MFA

e. If correct the user will be logged in

If a user attempts to login to the Innova Phone App or Well Seeker Pro before registering an MFA device, they will receive a warning message.

2. An MFA device has already been registered:

a. The user inputs their username and password

b. The below screen will appear (for Okta and Azure AD organization users, a similar app specific version will appear)

c. Open the authenticator application on the registered device. Input the six digit code from the row Innova Drilling & Intervention into the six cells displayed below and select SUBMIT MFA.

d. If correct the user will be logged in

The above process will also occur in a comparable order when logging into the Innova Phone App. Where an organizations Well Seeker Pro server database is hosted within Innova’s infrastructure, this will also occur when logging onto the server database in Well Seeker Pro.