Bentley offers free to use MFA utilizing Ping ID services. Currently, MFA can only be enforced on specific domains. So for example, an account administrator may request that MFA be enabled for all users which contain "example.com" in their username. When the user signs in, they will be pushed through MFA every time they sign in to IMS. To set up MFA, please request it by creating a Licensing and User Administrator service request or dialing one of our support numbers and choosing option 2 followed by 1 for licensing support.
Note: MFA may only be requested by Account Admins. Co-Admins will be redirected to receive approval from their Account Admin.
We offer MFA with multiple different methods of authenticating:
The following methods may be used as a backup authentication method:
If you have in some way lost access to your MFA method, you will need to contact Bentley to help unpair your device. You may do so through a service request, or by calling 1-800-BENTLEY for assistance.
For examples of each method in action as well as details on the MFA methods, please check the Ping ID details.
The Registration Workflow
After providing a valid username and password, you will be prompted with the Ping ID MFA registration:
Hit start and you will be provided with the default and recommended authentication method, the Ping ID authenticator application. You also have the ability to choose another MFA method below:
You will need to validate that the method works for you. For example, if you register your Ping ID authenticator application, you'll be prompted to approve the sign in, and then be signed into IMS. Similar situation for all of the MFA methods.
Interested in utilizing MFA with Bentley? Please submit a service request and Bentley's IMS team will reach out to provide assistance enabling MFA.
Frequently Asked Questions:
Q: Does multi-factor authentication (MFA) work on every login attempt, or only when a user logs in for the first on given computer, or other similar circumstance?
A: Bentley MFA is enforced on every authentication attempt.
Q: Does MFA work in the CONNECTION Client and the CONNECT Center?
A: MFA works in CONNECTION Client, CONNECT Center, and any other Bentley application which utilizes Bentley IMS authentication.
Q: Can I request to have MFA turned on for external users which access my resources?
A: No. At this time, MFA can only be enforced for domains which your organization owns. For example, Bentley can enforce MFA for "Bentley.com", but not "Google.com", since Bentley only owns "Bentley.com".
Q: Can I request MFA for multiple domains?
A: Yes. You may have MFA enforced for any of the domains your organization owns.
Q: Can I change the methods of MFA that are displayed for my users?
A: No. The options displayed are global and cannot be changed for specific sets of users.
Q: How do I unpair an existing device?
A: Your account admin can submit a ticket to our support requesting to have a device unpaired. You can also contact our support line and request to have your device paired after verifying your identity.
Q: Can I turn off MFA easily in the event of a problem?
A: Sure. You may turn off MFA at any point by simply submitting a service request and notating the desired time to have MFA turned off. For urgent issues, please be sure to contact our support line.
Q: Do I need to submit a new request for each domain?
A: No. One request for all of your domains is fine.
Other Language Sources