Multi-Factor Authentication (MFA): Setup and Troubleshooting

Last updated: January 15, 2026

Multi-Factor Authentication (MFA) adds an additional layer of security to Cyrisma accounts by requiring a second verification step during login.

MFA behavior depends on where users sign in. MFA can be configured at two levels: MSP and instance.

MFA Configuration Scenarios

MSP sign-in

MFA can be enabled in the MSP portal by users with the Administrator role.

To configure MFA in the MSP portal:

  • Sign in to msp.cyrisma.com

  • Navigate to the Organization Details page for the organization

  • Select Update

  • Set the MFA method

Available options include:

  • None

  • MFA using Email Code

  • MFA using Authenticator Code

When an organization’s MFA method is set in msp.cyrisma.com, it applies to all users signing in through msp.cyrisma.com for that organization.

Instance sign-in

Administrators can configure MFA for an individual instance.

Instance access can occur in two ways:

  • Users may sign in directly to the instance at ccxxxxxx.cyrisma.com

  • Users may access the instance from msp.cyrisma.com using single sign-on

To configure MFA at the instance level:

  • Access the instance UI

  • Navigate to Admin > System Config

  • Set the Two-Factor Authentication option

Available options include:

  • Disabled

  • MFA using Email Code

  • MFA using Authenticator Code

The instance-level MFA setting applies only to users who sign in directly to the instance.

Common MFA Issues and Resolutions

Email-based MFA: One-time passcode not received

  • Check spam or junk folders

  • Verify company email filters are not blocking Cyrisma notifications

Authenticator app: Invalid token or code not accepted

This issue is commonly caused by the device generating the MFA code having an incorrect system time.

MFA passcodes are time-based and are generated using a shared MFA secret stored in the authenticator application. If the device clock is not accurately synchronized, even a time difference of 30 seconds can cause the generated passcode to be rejected.

Resolution steps

  • On the device generating the MFA passcode (mobile phone or PC), verify that the system time is set automatically and synchronized with an internet time source.

  • Visit https://time.is on the same device to confirm whether the device time is accurately synced.

  • If the time is not synchronized, enable automatic time synchronization in the device’s operating system settings.

  • Once the device time is corrected, retry the MFA login.

If the issue persists

  • The MFA secret may be out of sync and require a reset.

  • MFA must be reset through the MSP platform.

  • After reset, reconfigure the authenticator application.

When to Contact Support

Contact Cyrisma Support if:

  • MFA issues persist after verifying device time synchronization and reconfiguring the authenticator application

  • The MFA device is lost or unavailable and cannot be recovered