Multi-factor authentication | FAQs

TJ · ‎26-06-2018

Together with Ping Identity, PEXA has introduced multi-factor authentication (MFA) to provide an extra layer of security when logging in to your account. This new login process introduces a new-look log in screen and requires you to protect your account with both your password and a one-time passcode – either via the PingID app or SMS.

Once implemented, you will only be required to provide a one-time passcode (OTP) once every 12 hours per device. If you subsequently log in to PEXA in that 12-hour period using a different browser or on a different device, you will be asked to enter a new OTP.

This post will continue be updated to include your frequently asked questions.

Important: In R11.0.0, we're going to remove the Actions Cog button from the Participants and Documents screen. This affects the navigation path to select action items on these screens. We will update the help articles soon to reflect these changes.

FAQs

Multi-factor authentication and security

What is multi-factor authentication?

Multi-factor authentication (MFA) is a security measure that requires someone to provide two or more types of evidence to verify their identity when logging in to an account or completing a transaction. Evidence types are categorised into something you know (e.g. password), something you have (e.g. bank card) and something you are (biometrics).

Example

There are two authentication methods at play when you withdraw cash from an ATM - you are required to provide both your card (something you have) and your PIN number (something you know).

When logging in to the PEXA platform, members will be required to provide their user name and password as well as a one-time passcode sent to their mobile phone – either via the PingID app or SMS.

In the same way that a digital certificate token and accompanying PIN are used to verify the identity of a digital signer to authorise a PEXA transaction, the one-time passcode sent to your mobile phone via SMS/PingID app will be used to verify your identity when logging in to PEXA.

How does PEXA’s multi-factor authentication work?

When logging in to the PEXA platform, members will be required to provide their username and password as well as a one-time passcode sent to their mobile phone – either via the PingID app or SMS. View our set-up guides and videos for further information on getting started.

DOES Everyone have to use multi-factor authentication?

PEXA has updated its Security Policy to require all Representative Subscriber users to use multi-factor authentication, unless PEXA grants a waiver from this requirement. Waivers will only be granted where the risk of fraud is deemed to be mitigated following an evaluation of the Subscriber's security framework.

It’s important to note that funds cannot be misdirected unless you physically sign off on the fraudulent account details using your bespoke digital certificate and accompanying password so we encourage all members to check the details you’re signing off on prior to applying your digital certificate and password.

Will a PEXA employee ever call me to ask for my PingID/one-time passcode?

No! A PEXA employee will never call you to ask for your PingID/one-time passcode. If you receive a call of this nature, do not provide these details and report it immediately to security@pexa.com.au. PEXA uses established security questions to verify your identity over the phone.

How can I improve MY own security practices?

We have a dedicated Online Security group on the e-Conveyancing Community for PEXA members interested in keeping up-to-date on the world of cyber-security. Joining the group will give you the opportunity to stay on top of PEXA security updates, receive helpful hints and tips for staying safe online and ask questions to your Community peers and the PEXA security team.

Enabling multi-factor authentication

How do I enable multi-factor authentication?

To enable multi-factor authentication, you can select either the PingID app or SMS authentication. View our set-up guides and videos for further information on getting started.

I don’t have a smartphone - can I still use multi-factor authentication?

Yes. The PingID app authentication method requires a smartphone. However, if you don't have a smartphone, you can use SMS authentication on a mobile phone. View our set-up guide and video for further information on getting started.

I don't have a phone - can I still use Multi-factor authentication?

Contact Support on 1300 084 515 to discuss options.

IS there an alternative to using my personal mobile phone for multi-factor authentication?

Contact Support on 1300 084 515 to discuss options.

WHAT HAPPENS IF I change organisations and have a new PEXA account?

If you have set up the PingID app you will need to unpair your device before repairing to your new PEXA account. To unpair your device, click on the settings cog within the app and select 'unpair device'. You will then need to follow the set-up instructions the first time you log in to your new PEXA account.

If you have set up the SMS authentication method, you will need to call Support on 1300 084 515 to pair your number with your new account.

I’ve just bought a new phone – how do I set up multi-factor authentication on my new phone?

If you have set up the PingID app you will need to unpair your device before repairing to your new PEXA account. To unpair your device, click on the settings cog within the app and select 'unpair device'. You will then need to follow the set-up instructions the first time you log in to your new PEXA account.

If you have set up the SMS authentication method, you will need to call Support on 1300 084 515 to pair your number with your new account.

PingID app authentication on Smartphone

HOW DO I DOWNLOAD THE PINGID APP?: You can access the PingID app from your smartphone's app store. For android users this is the Play Store and for iPhone users this is the App Store.
DOES IT COST TO DOWNLOAD THE PINGID APP?: No. The PingID app is free to download.
I CAN’T DOWNLOAD THE PINGID APP – NOW WHAT DO I DO?: If you can't download the PingID app, you can use SMS authentication as an alternative. If you land on the Finish Pairing PingID screen but do not have the app, click 'Start Over' to return to the set-up screen.
I’VE FORGOTTEN MY APPLE ID. HOW DO I DOWNLOAD THE APP?: Follow these steps to find your Apple ID: https://support.apple.com/en-au/ht201354
DO I NEED TO ENABLE TOUCH ID?: No. Touch ID is not required for PEXA's multi-factor authentication methods.
WHY DO I HAVE TO ENABLE PUSH NOTIFICATIONS, CAMERA AND LOCATION?: Whilst not mandatory, these collectively provide the most secure level of authentication.
CAN I DOWNLOAD THE APP ONTO MY TABLET?: We recommend that you download the PingID app onto your smartphone. If you use a tablet to access PEXA, you will need to use multi-factor authentication via your smartphone to log in.
IF I UNPAIR MY DEVICE, DOES THAT DISABLE MY MULTI-FACTOR AUTHENTICATION?: Yes, unpairing your device will disable multi-factor authentication. You will not be able to sign in your PEXA Workspaces without setting up multi-factor authentication again.
WHAT DOES 'UNPAIR' MY DEVICE MEAN?: Unpairing your device via the PingID app means your phone is no longer connected to your PEXA credentials. You will not be able to log in to your PEXA Workspace without pairing your device. Alternatively, you can use SMS authentication.

SMS authentication

Why isn't my phone number accepted when I attempt to set up SMS authentication?

First, check you have selected the correct country flag from the drop-down menu.

Second, your mobile number should be entered in the following format: 04XXXXXXXX (without country code).

Will SMS authentication work if I'm overseas?

If you are overseas and have roaming turned on, you can still receive text messages to the Australian phone number you used to set up multi-factor authentication. It is often free to receive a text message but we advise you to check this with your provider.

If you are unsure whether you will be able to receive text messages whilst abroad, we recommend that you switch to the PingID app authentication method prior to travelling overseas. To do so, you'll first need to call Support on 1300 084 515. Following security checks, a member of the PEXA Support team will disable your SMS authentication. The next time you log on to PEXA, you will be prompted to set up your preferred method of authentication. You can then set up the PingID app.

Accessing PEXA with multi-factor authentication

Do I have to use multi-factor authentication every time I log in to PEXA?: You will only be required to provide multi-factor authentication once every 12 hours per device. If you subsequently log in to PEXA in that 12-hour period using a different browser or on a different device, you will be asked to provide multi-factor authentication again.
I’ve lost my phone/my phone isn’t working. How do I access PEXA?: Call Support on 1300 084 515 and, following security checks, a member of the PEXA Support team will temporarily disable your multi-factor authentication so that you can log in to PEXA using your username and password. Remember: funds cannot be misdirected unless a digital certificate holder physically signs off on the fraudulent account details using their bespoke digital certificate and accompanying password.
I've received an One-time passcode via SMS but didn't request it – what should I do?: If you receive a one-time passcode that you are not expecting you should contact security@pexa.com.au immediately.
My phone was stolen – what do I do?: Call Support on 1300 084 515. Following security checks, a member of the PEXA Support team will disable multi-factor authentication on your stolen phone. You will temporarily be able to log in to PEXA using your username and password. You will need to set up multi-factor authentication on your new device.
I had to reset my PEXA password – will my multi-factor authentication still work?: Yes, multi-factor authentication will still be required following a password reset. No further set-up is required.
WHAT HAPPENS IF there is an issue with the multi-factor authentication software?: In the unlikely event that you are unable to sign into the platform, PEXA will issue communications to members informing of next steps.
Will I need to use multi-factor authentication to change my password?: No. You will be able to reset your password without PingID or SMS authentication. After changing your password, you will need to use multi-factor authentication to log into PEXA.

Changing multi-factor authentication settings

How do I switch from SMS authentication to using the PingID APP?

Call Support on 1300 084 515. Following security checks, a member of the PEXA Support team will disable your SMS authentication. The next time you log on to PEXA, you will be prompted to set up your preferred method of authentication.

How do I disable multi-factor authentication?

If you have the PingID app you can disable multi-factor authentication from your phone by unpairing it. To unpair the phone, log into the PingID app, select the settings cog in the top right-hand corner, select "Unpair device" and select "yes".

If you have SMS authentication call Support on 1300 084 515. Following security checks, a member of the PEXA Support team will disable your SMS authentication.

Important: PEXA has updated its Security Policy to require all Representative Subscriber users to have multi-factor authentication unless PEXA grants a waiver from this requirement. Users will not be able to access their PEXA accounts without multi-factor authentication enabled.

can I see which PEXA users in my organisation have enabled multi-factor authentication?

It is not currently possible for a Subscriber Manager/Administrator to view which of the users within their organisation has enabled multi-factor authentication. Contact Support on 1300 084 515 or support@pexa.com.au if you require this information.

Support and troubleshooting

Who can I speak to for support?: If your question is not answered in the above FAQs, reply to this post and we will respond as soon as possible. Alternatively, you can contact your PEXA Direct Specialist/Account Manager or call Support on 1300 084 515.

Damonallens · ‎12-07-2018

Will roll out require any software to be installed by subscribers? (that is not an easy or quick process at our firm)

EmilyBilling · ‎12-07-2018

Hi @Damonallens - you won't need to install anything on your desktop. For multi-factor authentication, each PEXA user will need to either provide a mobile phone number to set up SMS or download an app to your mobile phone.

TheDoctor · ‎12-07-2018

Please don't laugh, but, not all of our users have a mobile phone.

DMc · ‎08-08-2018

Will PingID be required across ALL devices?

Seems disabled on my mobile browser ATM... pondering|

Unless that is a feature of using PingID with mobile authentication!?!

TJ · ‎08-08-2018

Hmm not sure what you mean @DMc - MFA isn't my area but if you've downloaded the app, wouldn't you be using the app rather than your mobile's web browser?
Or are you talking about the initial pairing of your device? If you're attempting to do that without first downloading the app, it won't work - not sure if that's what you're running into though?
Last resort, there's always SMS. If you can't download the PingID app, you can use SMS authentication as an alternative.

Or.... are you talking about accessing PEXA via your mobile browser? I have a feeling this is a different URL, not currently in the MFA pilot - I'll check in with the team to confirm if this is the case though.

DMc · ‎08-08-2018

Just talking about logging into PEXA to check my workspaces from my mobile device browser. Doesn't seem to need the MFA, step...

Not keen on using PingID as an app on my mobile as previously mentioned, since it has many negative reviews, a low trust factor, and requires high-level privilege access etc...

Perhaps the PingID is able to detect browser access from a PingID SMS registered mobile device..?

But it still asks for SMS code on first access from API enabled PC and also Desktop browser.

Just wondering (by extrapolation) if I hotspot to my mobile to my PC will it save me from the annoyance factor?

Can't wait for BankVault Safewindow or similar PEXA security compatibility

"How do you know if your browser has been hacked? You don’t.

Even with 2 factor authentication, hackers can target your weakest link; your computer.

SafeWindow is like having a new computer every time you use your browser. It works by creating a temporary invisible secure browser that is anonymous and untraceable."

TJ · ‎08-08-2018

Ooo, Safewindow sounds like a cool piece of security tech, not something I've heard of though.

Are you able to do a double check of the URL you're accessing via mobile? Is it the MFA pilot url?

I checked in with the team -if you're accessing the MFA pilot url then you should still be getting the MFA prompting, so no, no loop holes

DMc · ‎08-08-2018

Hi @TJ

AFAIK I have not changed my default login URL.

Both the API login and desktop browser still ask for PingID code to authenticate (on their first daily login-use),

Merely thought it strange that the mobile (first login of the day), did not... not complaining, merely assumed that PingID recognised browser access from the registered SMS mobile, but thought it best to check?!

TJ · ‎08-08-2018

Aha!, that'd be it then.

You have to navigate to the MFA pilot url from your mobile too. I'll pm you the link. Good to check in though - that'd be a pretty big loophole if it didn't prompt for mobile browsers.

LynMac · ‎17-08-2018

Question - can you use a desktop PingID and a mobile PingID at the same time or is it only one or the other.

EmilyBilling · ‎17-08-2018

Hi @LynMac, you may only use one authentication method. Either the PingID App or SMS on mobile phone, or where it is not possible to use your mobile phone for multi-factor authentication, the PingID application on your desktop.

LynMac · ‎17-08-2018

Thank you Emily, just trying to work out if I leave my phone at home, rather than having to go and get it, if i could just use the desktop PingID app for that day.

EmilyBilling · ‎17-08-2018

@LynMac if you do happen to leave your phone at home, and are unable to go get it please call Support on 1300 084 515 and press 3 and, following security checks, a member of the PEXA Support team will temporarily disable your multi-factor authentication so that you can log in to PEXA using your username and password.

DMc · ‎08-11-2019

Are we going to be able to contact the PEXA support team by conversation/chat within a workspace/dashboard?

As you may appreciate the phone queues are getting longer.

Would also like to be able to converse/chat with Registry Office and State revenue Support teams also within workspace/dashboard.

EmilyBilling · ‎17-08-2018

Hi @DMc, not at this current time.

For MFA related queries we have a dedicated support line. If needed please call Support on 1300 084 515 and press 3.

Thanks

Emily

DMc · ‎05-02-2019

Has anyone been able to use PingID app (in android) in split screen mode? Is there a setting I need to tweak?

Other Authenticator Apps like Google and Microsoft, Do support this mode...