Multi-Factor Authentication in Helm CONNECT

Multi-factor authentication (MFA) adds a second layer of security to user logins by requiring a time-based authentication code in addition to a username and password. This article explains how MFA works in Helm CONNECT, and how to configure, manage, and troubleshoot it across your organization.

Overview

With MFA, users must enter a verification code from an authenticator app (such as Google Authenticator or Microsoft Authenticator) to access Helm CONNECT. This helps protect accounts even if login credentials are compromised.

MFA is now supported in Helm CONNECT for:

• Shore-based users who log in with a username and password
• Shore-based users who log in with SAML
• Onboard users using Multi User Sign On

MFA is not supported in Helm CONNECT for:

• Onboard users using shared asset passwords
• Onboard users using LDAP authentication

How MFA Works

Shore Login Methods

• Username + Password: Now supports MFA.
• SAML: MFA is available through your identity provider, if configured. (We recommend that you don't enable both SAML-based MFA and Helm CONNECT MFA, as users may be prompted twice.)

Asset Installation Login Methods

• Multi User Sign On: Now supports MFA.
• Asset Password and LDAP: MFA is not supported.

Users see the same login screen. If MFA is enabled, they’ll be prompted to enter an authentication code after entering their credentials.

Setting Up MFA

You can set up MFA on the My Helm > Profile > Security tab.

To add a device:

1. Open the Security tab.
2. Click Add under Shore or Asset (depending on login type). The Shore section appears if the user has "Can Log In To Shore" enabled on their profile, and the Asset section appears if they have "Can Log In To Asset" enabled.
3. Scan the QR code with an authenticator app.
4. Enter the code from your app.

If successful, the device will be added. If not, retry using a new QR code.

Administrators can also:

• Replace a user's MFA device if required.
• If they have the "Administer other users MFA " permission, administrators can view and manage MFA settings for other users on the Setup > Users > Users tab.

Replacing or Removing Devices

Users can:

• Remove MFA devices (if not required)
• Replace MFA devices (if required by tenant or user settings)

If MFA is required, users will only be allowed to replace their device—not remove it.

Only the Asset section of the Security tab is available on the asset installation. These settings sync to shore during the next data transfer.

Requiring MFA

Admins can require MFA for specific users using the following options in Setup > Users:

• Require MFA for Shore Login
• Require MFA for Asset Login

If either is selected:

• The user must set up an MFA device before accessing other parts of Helm CONNECT.
• If the user doesn’t have access to the Security tab, they’ll see a message instructing them to contact their administrator.

Admins can also contact your account manager or our Support team to:

• Enable or disable MFA tenant-wide
• Enforce MFA for all users in a tenant

Advanced Configuration and Management

Asset installer login

If users configure a new asset installation using a username and password instead of an install token, they will see a field to enter their MFA code. This field appears regardless of whether they have an MFA device. If MFA is enabled, users must enter a valid code to complete the installation.

MFA error messages and troubleshooting

If users enter an invalid MFA code, they'll see a general error asking them to try again. Common reasons for failure include:

• Entering the wrong code
• Entering the code too slowly
• A mismatch between the server time and the authenticator device

Shore MFA codes are valid for 30 seconds. Asset MFA codes are valid for 2.5 minutes to account for disconnected systems. If the clocks are out of sync beyond these limits, login will fail. Users should check the time on both their authenticator and the device they’re logging in from.

Manual entry for hardware tokens

Admins can manually enter a TOTP secret key using the Manually Set TOTP Secret Key button on the user’s page. This is helpful for users with hardware devices that cannot scan QR codes.

Admin lockout prevention

If MFA is required for a user, but the user does not have access to the Security tab, they will be unable to add a device and will be locked out. Before requiring MFA, make sure:

• The user has the "My Helm > Profile > Security" permission
• At least one admin has MFA configured or the ability to configure it for others

Frequently Asked Questions (FAQ)

What if a user is required to use MFA but doesn’t have permission to set it up? They’ll see a warning message and won’t be able to access Helm CONNECT until an admin updates their permissions.

What does the MFA error message mean when logging in? The system shows a generic error if the code is incorrect or if the device and server clocks are out of sync.

How does the MFA code field work in the asset installer? If a user has an MFA device, they must enter a code when using a username and password to configure an install. If they don’t have an MFA device, they can leave the field blank.

How do I know if a user has MFA enabled? Check Setup > Users, run a Users report, or use the FindUsers API.

Can I require MFA for just some users? Yes. Use the Require MFA settings in Setup > Users or configure via API.

Can users reset their password without MFA? No. If a user has MFA enabled, they must provide a valid code to reset their password.

What happens if a user loses their MFA device? An administrator with the "Administer other users MFA" permission can remove or replace their device.

Is MFA supported for API logins? No. API access is not affected by MFA setup.

Can I completely disable Helm CONNECT MFA for my tenant? Yes. Contact your account manager to turn off the MFA feature in your tenant.