The following is a guide on how to enable and use Multi-factor Authentication (MFA) for your Human Research Ethics Application (HREA) account.

How to enable MFA - External Portal Setup

Note: You will also need to download the 'Google Authenticator' or 'Microsoft Authentication' app onto your smartphone or device.

Step 1

Log in to your HREA account. Navigate to Account Settings by clicking the profile avatar icon at the top-right corner of the page.

HREA Online Portal screen shot with menu open in the right-hand corner, showing account name and options to manage profile, access account settings, and sign out.

Step 2

See the Multifactor authentication area on the Account settings page. Click the Enable multifactor authentication button to enable the feature.

Account settings page showing multifactor authentication not yet enabled, with button to enable multifactor authentication.

Step 3

  1. Open the Google or Microsoft Authenticator app on your device. Click the + button to find the Scan a QR code feature. Scan the QR code given on the pop-up on your HREA account screen.
  2. Find the one-time password for the newly added account in your authenticator app.
  3. Enter the one-time password in the field on the pop-up screen (scroll down the pop-up to find the field). Click Enable authenticator.
Pop-up window for enabling multifactor authentication showing QR code and instructions to set up. Highlights the scroll function to the right of the pop-up.Bottom of pop-up window for enabling multifactor authentication showing field to enter one time password and button at the bottom to enable authenticator.

How to enable email MFA

Step 1

To enable email backup MFA, ensure you have enabled MFA first using your authenticator app. You can then enable email backup as a part of the MFA set-up process.

Step 2

Follow the on-screen instructions to register an email address and then confirm using the one-time code sent to your nominated email address.

Pop-up window showing steps to set up email backup for multifactor authentication, including entering an email to receive email verification code, with buttons to enable or skip.Pop-up window for enabling email backup showing field to enter an email address and field to enter verification code.

Step 3

If you skip this step, you can enable email MFA later by navigating to your Account Settings page, clicking on the Enable email backup button, and following the on-screen instructions.

Account settings page showing multifactor authentication enabled and email backup disabled with button to enable email backup.Account settings page showing multifactor authentication enabled and email backup enabled with button to disable email backup

How to log in to your account with MFA

Step 1

Enter your username and password on the HREA homepage.

NHMRC HREA login page with username and password fields and option to log in or access help resources.

Step 2

  1. Open the Google or Microsoft authenticator and find the one-time password.
  2. Enter the one-time password, and then click Submit. The one-time password will expire after a short time.
  3. Remember Device for 30 Days - by enabling this setting on trusted devices, and in line with your organisation’s policy, you will only be prompted to enter the one-time password every 30 days instead of with every log in. This setting is for each device, so can be selectively used on devices that you know are secure.
  4. Tick the box to enable the setting.
Multifactor authentication screen showing field to enter one time password and checkbox option to not be asked again on this device for 30 days.

Step 3

  1. A Licence agreement notice will appear on your screen.
  2. Click Agree.
  3. This will log you into your account.
Licence agreement screen with text about terms and conditions and ‘Agree’ or 'Disagree' buttons.

How to log in to your account with email MFA

Step 1

When MFA is enabled, you are presented with the MFA challenge as a part of the logon process where you can type in your authenticator app’s one-time password.

Step 2

If your mobile authenticator app is not available and email backup has been set up, you can click on the link to send a code to your chosen email address. Once you have received the code, you can type it into the one-time password field and click submit.

Multifactor authentication screen with option to send a login code to a backup email address.Multifactor authentication screen showing message that a verification email has been sent and to check spam or junk folders if not received.