Multi-Factor Authentication - an additional security layer for finPOWER Connect Cloud

As we move more of our business systems to a cloud-based environment, we can no longer depend upon a user being physically on the same network as a security factor. Additional security is paramount to ensure that users accessing systems via the cloud are who they purport to be. Prompting a user for additional authentication does take longer; however, it does help to combat cyber criminals who impersonate users or use brute-force methods to hack systems.

finPOWER Connect Cloud now incorporates Multi-Factor Authentication (MFA) which adds an additional layer of security by obliging users to enter an auto-generated password (or code) when they sign in, either generated via an Authenticator app or emailed to their registered email address. 

Web Administration Facilities

Both finPOWER Connect Cloud and Web Services have web-based Administration facilities.


These facilities do not support Multi-Factor Authentication. However, they can, and should in a production environment, be configured to "Allow local access only".


This means that the administration facilities can only be accessed via a browser running on the web server hosting the Web Services or finPOWER Connect Cloud.

WARNING: Version 3.03.04 introduces this option and it is enabled by default.    This means that access to the Web Administration facilities, even for existing installations, will be restricted to a browser running on the web server.

Device Authorisation

Device Authorisation provides a mechanism by which, every time the User accesses finPOWER Connect Cloud from a new device (or web browser), they are sent a code via email that they must then enter to "authorise" that device.


This is a once-only form of Multi-Factor Authentication and has existed in finPOWER Connect Cloud since it was first launched. Users can view and maintain their list of authorised devices from the User menu, Manage Devices form (shown below) and, as of version 3.03.04, administrators can manage this list from the Web Access page of the Users form within finPOWER Connect desktop.


Note:  Device Authorisation can be used in conjunction with the Multi-Factor Authentication functionality.


Multi-Factor Authentication Configuration

The Security page of the finPOWER Connect Cloud Configuration form enables two MFA options:


  1. Exclude Users of particular Roles from having to enter an MFA code.
  2. Allow a User to defer re-entry of an MFA code for a number of days on a particular device.

Email Code

The Email Code option relies on the User having an email address defined on their finPOWER Connect User record. It works the same way as Device Authorisation: at the time of signing in, the User is sent a 6-letter code to their registered email address. To complete the sign-in process, the User must enter the code within the validity period of 5 minutes.

Authenticator App

The Authenticator App option relies on the User having installed an Authenticator app on their mobile device. When signing in for the first time, the User is prompted to scan a QR code using the app and the camera on their device. The Authenticator app will generate a 6-digit code that changes every 30 seconds. The User is required to enter the code to complete the sign-in process.


After the initial sign-in, the User simply opens their Authenticator app and enters the latest 6-digit code that is displayed for their "finPOWER Connect" account.


Note: This method relies on the Web Server hosting Web Services having an accurate date and time, since the codes are time-sensitive.
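The time dependence noted above, as an added example (not finPOWER Connect or Intersoft code). It assumes the codes are standard RFC 6238 TOTP values, which is what Google Authenticator generates, and uses the RFC's published test secret; the acceptance window of one step either side is an assumption, not a documented finPOWER Connect setting.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the code changes every 30 seconds, as the page states
DIGITS = 6          # 6-digit code, as the page states

# Constructed sample: the shared secret from the RFC 6238 test vectors.
# A real secret is random and is delivered to the app inside the QR code.
SAMPLE_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept a code for the server's current step or `window` steps either side."""
    for drift in range(-window, window + 1):
        expected = totp(secret, server_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return True
    return False


def accepted_under_skew(secret: bytes, phone_time: int, skews) -> dict:
    """Map each server clock error (seconds) to whether the phone's code passes."""
    code = totp(secret, phone_time)               # what the app displays
    return {s: verify(secret, code, phone_time + s) for s in skews}


if __name__ == "__main__":
    # The phone's clock is correct; the web server's clock is off by `skew` seconds.
    for skew, ok in accepted_under_skew(
            SAMPLE_SECRET, 1111111109, [0, 30, -30, 120, -120]).items():
        print(f"server clock error {skew:+4d}s -> {'accepted' if ok else 'REJECTED'}")
```

A server clock that is two minutes out rejects every code the app shows, which presents to the User as a correct code being refused; checking the server's time synchronisation is the first diagnostic step.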

Multi-Factor Authentication App Providers

Intersoft Systems have tested finPOWER Connect against the Authenticator apps named below. Each app differs slightly and there may be a requirement to sign up to use their services.

Signing into finPOWER Connect using MFA

The 4-step process below is based on using Google Authenticator. It is not necessary to have a Google Account to use this app.

1. The User signs in with their normal User Id and Password.

2. When clicking the "Sign In" button, the User is prompted to scan a QR code using the app. The Google Authenticator app starts with "BEGIN SETUP" and then "Scan barcode" (these apps refer to bar codes and QR codes interchangeably):

3. With the camera turned on, once the QR code is scanned, the app will display a continually regenerating 6-digit code, which is then entered into the MFA form in finPOWER Connect Cloud.

4. The User selects the "Finalise Multi-Factor Authentication and Sign In" button to sign in. Subsequent sign-ins will require the latest 6-digit code issued.

finPOWER Connect Cloud affords the option of a User not being prompted for an authentication code for a nominated number of days. This applies to the device that a User signs in from.

Multi-Factor Authentication Management

  • In most instances Users will install Authenticator apps on their mobile devices. When a User loses access to the Authenticator app, they will be unable to sign in to finPOWER Connect. However, the Users form within finPOWER Connect desktop has a "Create Emergency Code" button on the Web Access page. When selected, this generates a 6-letter code that is valid for 2 minutes and can be relayed to the User to allow them to sign in.


  • As Authenticator apps retain "accounts" that are added when initial QR codes are scanned, a User will lose access to finPOWER Connect Cloud if their finPOWER Connect "account" within the app is deleted, or their mobile device is reset or lost. However, the Web Access page on the Users form within finPOWER Connect affords the option to "Reset Multi-Factor Authentication". When reset, the User is prompted to scan a replacement QR code at sign-in. The User should action this immediately after their MFA is reset.


  • When a password has been changed a User is directed back to the sign-in form.


  • When a session expires due to inactivity, the User is required to enter a new MFA code.  If not using an Authenticator app the User needs to click a button to send an email.  NB:  Emailed codes are only valid for 5 minutes.

External Applications Accessing Web Services

Enabling Multi-Factor Authentication for finPOWER Connect Cloud will mean that any external applications accessing finPOWER Connect Web Services will fail to authenticate.


To remedy this, Multi-Factor Authentication can be disabled via the Web Subscriber record that the external application is using.


WARNING:  If you disable MFA on the Web Subscriber that finPOWER Connect Cloud is configured to use, the sign-in process will fail as this presents as a configuration error.

Multi-Factor Authentication is an uncomplicated, effective tool for strengthening login security, safeguarding your business and data against security threats.


Source: Paul Hammond of Intersoft Systems Limited, "Multi-Factor Authentication in finPOWER Connect Cloud" (blog), 3 November 2020.

Need further information and/or assistance to set up and utilise MFA in finPOWER Connect?
