
Using the MFA Plugin for XNAT

Multifactor authentication adds a layer of security to a typical username/password login by also requiring something you have in addition to something you know. With the MFA plugin, XNAT supports two possible MFA methods – Google Authenticator, and your email address. However, we recommend using Google Authenticator, as it is more secure and also can be integrated with password manager applications, making it less dependent on a single device without sacrificing security.

As a user logging into an XNAT that now requires MFA, you should find it to be a relatively painless addition to your login process. Here’s how it works.

Registering a device with Google Authenticator

After logging in with your typical username and password, but before you are fully authenticated, you will be taken to an MFA registration screen.


Registering with an Authentication App

  1. Install an authentication app on your mobile device, such as Google Authenticator or Microsoft Authenticator

  2. Scan the QR code, or register the MFA method via the 16-digit secret key

  3. Within seconds, the MFA method will be registered, and you will see a new site entry in your Authenticator app tied to your login, with a 6-digit key that resets every 30 seconds

  4. Copy that 6-digit code from your app into the “Enter code from Authenticator” input in your XNAT and click “Verify Code” before the code expires.

  5. With a successful code validation, you will be fully authenticated and will be taken to the XNAT home page.

  6. If you enter a code that has expired, or a code associated with a different authentication method, you’ll get an “Invalid Code” message in XNAT. Try checking your Authenticator app again and be sure you’re entering a valid code with enough time left before it expires.
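
Why a code stops working once its 30 seconds are up, shown as an added example (not code from the XNAT MFA plugin). It assumes the standard Google Authenticator scheme (RFC 6238 TOTP, HMAC-SHA1, 30-second step, 6 digits); the function names and the `drift_steps` parameter are hypothetical, and the secret is the RFC's published test key rather than a real XNAT secret.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays valid (the 30-second reset described above)
DIGITS = 6   # length of the code shown in the app
# Published RFC 6238 test key ("12345678901234567890" in base32), not an XNAT secret.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time):
    """Code an authenticator app displays at unix_time (RFC 6238, HMAC-SHA1)."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = int(unix_time // STEP)              # index of the 30-second window
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def seconds_left(unix_time):
    """Seconds before the current code is replaced by the next one."""
    return STEP - int(unix_time) % STEP

def verify(secret_b32, submitted, unix_time, drift_steps=0):
    """Server-side check. drift_steps (hypothetical knob) is how many adjacent
    windows are also accepted; 0 means only the current window."""
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, unix_time + d * STEP)
        ok |= hmac.compare_digest(expected, submitted.strip())
    return ok

if __name__ == "__main__":
    shown_at = 1111111109   # constructed moment with 1 second left in the window
    code = totp(RFC_TEST_SECRET, shown_at)
    print(code, "expires in", seconds_left(shown_at), "s")
    print("typed in time:  ", verify(RFC_TEST_SECRET, code, shown_at))
    print("typed 2 s later:", verify(RFC_TEST_SECRET, code, shown_at + 2))
```

Because the app and the server derive the code from the same secret and the current time, a device clock that is off by more than the accepted window produces the same “Invalid Code” result as typing too slowly.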

Registering with a Password Manager

If you want to speed this process up, and you are using a password manager such as 1Password, you may be able to register your MFA method via your password manager.

  1. When you see the Google Authenticator QR code, open your password manager and look for a “Scan QR Code” function tied to your saved site login.

  2. Within seconds, the six-digit OTP code will appear in your password manager UI.

  3. This can be manually copied into the MFA field in XNAT. Even better, on future logins your password manager should be able to auto-detect the existence of the MFA field and auto-fill the MFA code for you.

Handling MFA Failures

If you have lost your MFA device, or are having persistent trouble with your MFA codes, you may be able to fall back to using your email as an MFA method – depending on your XNAT site security settings. Look for the following message on your MFA login screen and click the link.

image-20250723-031350.png

Requesting a One-Time-Passcode (OTP) via Email

Depending on your XNAT site security, email may not be available as an MFA method, even though it is supported by default in the MFA plugin. See Installing and Administering the MFA Plugin for details.

XNAT also supports using your email as a multifactor account, although we only recommend its usage as a fallback if you lose your MFA device.

If you are using email to receive an OTP code, you will see a screen like this after logging in with your username and password.

image-20250723-031636.png

Check the email address tied to your account. Within moments, you should receive an email like the following:

Dear {username}

As per your request, a One Time Password (OTP) has been generated and the OTP is 723989
Please use this OTP to complete the login.

Note: OTP will expire in a single attempt, including unsuccessful one. The transaction would have to be re-initiated and a new OTP to be generated.

Copy the 6-digit code from your email and paste it into the OTP code input in XNAT, and click “Verify Code” to continue with your login.
