Authentication Overview
Your program's web experience is a public URL, and if your mobile app is published in the App Store and Google Play, then anyone can download it. This public access makes it easy to reach your program's landing page, where users either sign in or register. Controlling access to your content therefore requires careful consideration of your authentication configuration. There are two core authentication options: Firstup Sign In or SSO (single sign-on). Firstup Sign In includes both a Username and an Email option, and both can have User Verification.
All authentication options are compatible with User Sync.
In the mobile app experience, both Firstup Sign In and SSO can have an added layer of biometric access for reopening the mobile app. Note: biometric access does not replace the sign in process; it is in addition to the user sign in.
You can review all of your authentication options at any time with your Firstup contact. Please reach out to your Customer Success Manager to review how our options fit your particular needs.
User Sessions
With both Firstup Sign In and SSO, user sessions are treated the same way. Web experience user sessions automatically expire after 30 days of inactivity and the web users will have to sign in again. Mobile app sessions do not automatically expire. This helps drive user retention and keeps engagement high.
If you have members that should no longer have access to the program, blocking their profile will end their sessions immediately and prevent them from accessing the program again. You can block a member manually at any time via the Users page in Studio. To automate blocking users, please review our deprovisioning API option.
Opening Sign In Options
Only Administrators and Program Managers can see or change the sign in configuration.
Click on the gear icon in the top right and choose Configure Program. Select Sign In Options to see the authentication method for your program.
Firstup Sign In
When your program is configured for Firstup Sign In, your users create an account with Firstup and set a password that is encrypted and stored by Firstup. You can allow users to register with Firstup using either a username or email.
Username
When Username is enabled, users can set a username using any string of characters. There is no confirmation email, but they are required to complete User Verification. This means that you must set up User Verification before you can enable Username.
If you can't see the Username option, please contact Firstup Support.
Email
When Email (Known or Other) is enabled, users can register using an email that meets the allowed domains. You can choose to require User Verification for either (or both) Known and Other Email Domains.
All users that register via email will need to confirm their emails via an email confirmation link that is sent to them before they set their password.
Note: To ensure your employees receive the email confirmation from the Firstup platform, please work with your IT department to allowlist the Firstup email domain and IP address within your company email system. If the email confirmation is caught in a spam filter, your users will not be able to complete registration.
Known Email Domains allows you to specify that users with the listed email domains can register for your program. Other Email Domains allows you to permit users with any other email domain to register.
An example of how to combine Known and Other Email Domains is the following:
- Enable Known Email Domains and set the allowed domains to your company domain, such as elevationendurance.com. Do not enable User Verification for the Known Email Domains.
- Enable Other Email Domains and require User Verification.
The effect of the above combination is that your employees can register without going through User Verification, while users with any other email domain (such as gmail.com, yahoo.com) must complete User Verification before they gain access to private content.
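The combination above can be modelled as a small decision function, which helps when reviewing which users reach private content without User Verification. This is an added example, not Firstup code: the `EmailSignInPolicy` structure, the function names and the exact-match domain comparison are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EmailSignInPolicy:  # hypothetical structure, not a Firstup API
    known_domains: frozenset
    known_enabled: bool = True
    known_verification: bool = False   # User Verification for Known domains
    other_enabled: bool = True
    other_verification: bool = True    # User Verification for Other domains

def email_domain(address):
    """Return the normalised domain part; raise ValueError if malformed."""
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or "." not in domain or " " in address:
        raise ValueError(f"not an email address: {address!r}")
    return domain

def registration_outcome(policy, address):
    """Return 'rejected', 'confirm-email' or 'confirm-email+verify'."""
    domain = email_domain(address)
    # Assumption: exact match only, so a subdomain or look-alike counts as Other.
    if policy.known_enabled and domain in policy.known_domains:
        needs_verification = policy.known_verification
    elif policy.other_enabled:
        needs_verification = policy.other_verification
    else:
        return "rejected"
    return "confirm-email+verify" if needs_verification else "confirm-email"

def review(policy):
    """List settings that let a class of users skip User Verification."""
    findings = []
    if policy.other_enabled and not policy.other_verification:
        findings.append("any email domain reaches private content unverified")
    if policy.known_enabled and not policy.known_verification:
        findings.append("known domains skip verification; access rests on mailbox control")
    return findings

# Constructed sample input: the combination described in the list above.
PAGE_POLICY = EmailSignInPolicy(known_domains=frozenset({"elevationendurance.com"}))
```
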
User Verification
User Verification confirms user identity by personal details such as name, date of birth, employee ID, etc. Exactly what data is used to confirm their identity is determined by you. User Verification only needs to be completed once by each member; once they are fully registered, they will not need to revisit User Verification.
If enabled, Registering users will see User Verification questions at the top of Latest above public (shareable, untargeted) content until they complete the questions. After they complete verification, the user will become Registered and see the private content (non-shareable, targeted).
User verification is always used in conjunction with Username and can be used in conjunction with Known and/or Other Email Domains.
User Verification cannot be configured or managed in Studio and will require transferring the employee data using CSV via SFTP. Want to learn more about this option? Contact your Customer Success Manager for information!
SSO (Single Sign-On)
If you have SSO set up at your organization, it allows a user to sign into multiple different systems with the same ID and password. Firstup can be configured to work with your existing SSO setup, which would mean that the usernames and passwords are managed by your Identity Provider (IdP).
Employees that register via SSO do not see User Verification questions, but will still be presented with the welcome video and questions.
If you would like to leverage SSO, please review automated Deprovisioning with your Firstup contact. Deprovisioning will be a necessary addition to managing user access via the SSO IdP as deprovisioning will terminate active sign in sessions for separated employees.
To get started with an SSO integration, please reach out to your Customer Success Manager.
Default Sign In Option and Labels
It is possible to have multiple authentication options enabled simultaneously for your program. If both Firstup Sign In (Username and/or Email) and SSO are enabled, then users will see text that allows them to switch between Firstup Sign In and SSO.
When you have multiple authentication options enabled, you can set the Default Sign In Option at the top of the Sign in Options page. All users will land on the default sign in tab first but have the option to toggle to the second option. You can also customize the Login Page Label that appears to users. Type in up to 15 characters (including white spaces) to update the label to fit your organization.
[Image: Default Labels vs Customized, both with SSO set as the default sign in option]
Note: With more than one authentication option enabled, it is possible for users to create duplicate accounts. We recommend that you consult with your Customer Success Manager before enabling more than one authentication option at a time.