Enable MFA

Multi-factor authentication (MFA) is an access control method where multiple, separate pieces of evidence are required for identification before access is granted. Typically at least two of the following categories must be satisfied for MFA: knowledge (something they know), possession (something they have), and inherence (something they are). Using two different components to confirm identity is known as two-factor authentication (2FA).

You can create and apply MFA policies for administrative users (admins) of the Enterprise Application Access (EAA) in EAA Management Portal as well as for non-admin users of the applications.

The MFA policy, with the MFA factors configured in the identity provider, is a global setting. By default it is inherited by all applications and directories associated with the IdP. The global IdP MFA settings can be overridden for each application. By default, the directory MFA settings inherit the application MFA settings, and the application MFA settings can be overridden for each directory. If you enabled generating recovery codes in the identity provider, then recovery codes can be used as an alternative to 2FA for the users, after the organization validates the authenticity of the user.

If you enable MFA to access EAA applications and SMS is the registered MFA scheme, an SMS message is sent at the time of registration and again each time a one-time password (OTP) code is sent for authentication.

  • Example of the registration SMS:
Phone verification code from <Company name>: <OTP code> This SMS may incur charges from your telephone operator.
  • Example of the SMS sent as OTP for authentication:
Access code from <Company name>: <OTP code> This SMS may incur charges from your telephone operator.

Enable or disable multi-factor authentication for each application

Enable or disable multi-factor authentication (MFA) per application, and apply the Disable Bypass MFA criteria option per application. This procedure is useful when you have global MFA for an identity provider (IdP) but need to exclude an application from the MFA policy of the IdP, or when you do not have a global MFA policy but want to add a custom MFA policy for only one application. Or, if you've set bypass MFA criteria in the IdP and want to override them for an important application even if the user is within the corporate network, using a managed device, or using IWA, you can set the Disable Bypass MFA criteria option. Then the user is prompted for MFA when accessing that application.

  1. Log in to EAA Management Portal.

  2. In the EAA Management Portal navigation menu, select Applications.

  3. Select your application to open it.

  4. In Settings > AUTHENTICATION > MFA Settings IDP select one of the following:

    • Enable. You might want to require users to use MFA for just this application, although the IdP might not have MFA.

    • Disable. You might want to not require users to use MFA for just this application, although other applications keep the MFA settings of the IdP.

    • Use IdP MFA Setting (Default). You might want to keep the same MFA settings as set in the IdP and not change it.

    • Force MFA. Select this option if you want your users to be prompted for MFA every time they log in to the application.

    • Disable Bypass MFA criteria. Select this option if you want to disable the evaluation of the bypass MFA criteria you set in the IdP. Then, the user is prompted for MFA for this application even if the criteria are met.

    📘

    Select this option, only if you have set any Bypass MFA criteria in the identity provider.

  5. Click Save.

  6. Click Save & exit.

Enable a global multifactor authentication policy for Login Portal users

Configure a global MFA policy for all users accessing all applications associated with this identity provider. You can enable multi-factor authentication (MFA) for non-admin application users. This requires users who log into the portal to use their standard login credentials and at least one other MFA verification factor, such as email, SMS, or a time-based one-time password (TOTP) authentication token, every time they log in. The MFA policy is configured in EAA through the identity provider (IdP) settings and may be set for all users, which is known as a global MFA policy. It is inherited by all applications and directories associated with this identity provider.

If you configured the IdP login portal to support a primary language other than English, the MFA notification is received in that language.

  1. Log in to EAA Management Portal.

  2. In the EAA Management Portal navigation menu, select Identity > Identity providers.

  3. On the identity provider card, click Configure Identity Provider, and select MULTIFACTOR.

  4. Enable IdP MFA Policy and select the MFA factors to apply (such as email, SMS, TOTP, or Duo).

  5. Click Save & exit, or Save and go to Advanced Settings.

  6. Deploy the IdP.

Enable or disable multi-factor authentication for each directory or for certain groups

Enable or disable multi-factor authentication (MFA) for each directory on an application or for some groups within the directory. By default, the directory inherits the MFA settings from the application. You can override this in the directory MFA settings.

If you have two active directories (ADs) assigned to the IdP of an application, for example, one is AD San Francisco and the other is AD New York, use this procedure to select just one directory to have MFA for the application.

Or, you can require MFA only for users who are members of certain groups within the directory. Then MFA is prompted for users in those groups, and all other users in other groups in that directory are not asked for MFA.

  1. Log in to EAA Management Portal.

  2. In the EAA Management Portal navigation menu, select Applications.

  3. Select your application to open it.

  4. In Settings > AUTHENTICATION > Directory MFA Settings select one of the following MFA configuration options:

    • Enable. If you want all users in this directory to be prompted for MFA before accessing this application.

    • Disable. If you want all users in this directory to not be prompted for MFA before accessing this application. All other applications under the IdP keep the same MFA settings.

    • Use Application Setting (default). The MFA settings of the application will be applied to this directory.

    • Enable for specific Groups. Use this option if you want users belonging to specific groups in the directory to have MFA.

  5. Click Assign Directory and enable the selected MFA setting for specific groups. Filter and select users and click Associate.
    To apply MFA to all groups, select the checkbox next to the Search field and click Associate. To make changes or deselect all, click the same checkbox.

  6. Click Save.

  7. Click Save and exit.

Bypass MFA

Bypass MFA for users when they are within the corporate network or on a managed device. MFA is optional but strongly recommended for organizations. Under certain conditions, organizations may choose to bypass the default multi-factor authentication behavior. Akamai provides customers with configuration options that allow an administrator to bypass its MFA capabilities in the following circumstances:

  • When the user is accessing the application from a corporate network, using a specific on-premises subnet IP.

  • When the user is using a managed device with a valid client certificate. (see limitations in Configure bypass MFA criteria for an Akamai identity provider)

  • When the user is inside a corporate network, using a specific on-premises subnet IP with a managed device that has a valid client certificate.

Use bypass MFA only if you understand the risks and agree to assume responsibility for them.

Bypass MFA only applies to MFA factors like SMS, Email, TOTP, DUO and does not apply to certificate-based authentication of IdP. Bypass MFA cannot be used with PCI DSS MFA.

The workflow is the following:

  1. If you've configured an MFA policy in the Akamai identity provider (IdP), then also add one or more bypass MFA criteria in the IdP. By default, the bypass MFA criteria apply to all applications using this IdP.

  2. Use the identity provider as the authentication source for the application for which you want to bypass MFA. Assign to this identity provider the directory the user belongs to.

  3. When the user accesses the application or the identity provider and the bypass criteria are met, MFA is not prompted for the user. If any of the bypass MFA criteria is not met, the user is prompted for MFA.

📘

You can disable the evaluation of bypass MFA criteria on an application basis, in which case MFA applies for the application.

Configure bypass MFA criteria for an Akamai identity provider

You can bypass the use of MFA for any Akamai identity provider based on predefined criteria, such as when the user is within the corporate network, on a managed device, or both. Then the user is not prompted for MFA.

  1. Log in to EAA Management Portal.

  2. In the EAA Management Portal navigation menu, select Identity > Identity providers.

  3. On the identity provider card, click Configure Identity Provider, and select MULTIFACTOR.

  4. In MULTIFACTOR > Bypass MFA criteria, click Add Criteria, to add criteria on when to not prompt the user for MFA.
    Enterprise Application Access supports up to two criteria, On Corporate Network and Device is managed. Select either or both of these criteria and configure accordingly.

  5. In On Corporate Network select Corporate Gateway Check.
    This option checks if the request is coming from the outbound web gateway. If you want this check to be done, click Configure and set the on premise subnets field in the Advanced Settings of the IdP.

  6. In Device is managed select Certificate validation check if the device used by the user has a client certificate installed on the laptop that can be validated by a trusted root CA. To set up certificate validation, click Configure.
    General settings opens.

  7. Configure mandatory Certificate Validation Settings in the IdP:

    1. Select Certificate validation.

    2. In Enforcement. Select one of the following:

    • Required (default). The IdP requires the client to present a valid client certificate for authentication that has been issued by a trusted root CA and can be validated by the root CA. If no certificate is presented, the user sees a 400 HTTP error in the browser.

    • Optional. It is optional for the client to present a valid client certificate for authentication that has been issued by a trusted root CA. If a valid client certificate is presented, the user logs in. Otherwise, form-based login is used as the fall-back mechanism.

    • Required off network, Disabled on network. You cannot use this option with the Device is managed bypass MFA criterion; you get an error message.

  8. In CA certificate issuer select the Root CA that you want to use to validate the client certificate. You should have uploaded a certificate for Enterprise Application Access under System > Certificates.

  9. In Certificate Identity Attribute select the attribute in the certificate that is used to identify the user.

  10. Enable Certificate identity is username for bypass MFA to work.
    It allows the username identity to be picked from the certificate.

    📘

    The Bypass MFA feature is not supported when "Certificate Identity is Username" is not selected and Device is Managed is the bypass MFA criterion. The user is prompted for MFA.

    📘

    The Bypass MFA feature is not supported when "Certificate Identity is Username" is not selected and Device is Managed and On Corporate Network are used together as the bypass MFA criteria. The user is prompted for MFA.

    These additional Certificate Validation Settings in the IdP are optional:

    • Certificate validation method. None (default) can be left as is. If you select OCSP, the Select OCSP field appears; create an OCSP and select it from the list.

    • Certificate onboard URL (optional). Users are redirected to this URL if no certificate is provided.

  11. Click Save & exit or Save and go to Deployment.

  12. Deploy the identity provider.
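The inheritance chain (IdP, then application, then directory settings), the Disable Bypass MFA criteria option, and the rule that every configured bypass criterion must be met (with Device is managed needing Certificate Identity is Username) are modelled below as an added Python example; it is not Akamai's code, and the class names and the subnet and group values are assumptions constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the EAA MFA inheritance and bypass rules; not Akamai's code.
@dataclass
class IdpConfig:
    mfa_enabled: bool                           # "IdP MFA Policy"
    corporate_subnets: tuple = ()               # "on premise subnets" from the IdP Advanced Settings
    cert_check: bool = False                    # "Device is managed": certificate validation check
    cert_identity_is_username: bool = False     # required for the Device is managed bypass to work

@dataclass
class AppConfig:
    mfa_setting: str = "Use IdP MFA Setting"    # or "Enable" / "Disable"
    disable_bypass_criteria: bool = False       # "Disable Bypass MFA criteria"

@dataclass
class DirConfig:
    mfa_setting: str = "Use Application Setting"  # or "Enable" / "Disable" / "Enable for specific Groups"
    mfa_groups: frozenset = frozenset()           # groups associated for "Enable for specific Groups"

@dataclass
class Request:
    source_ip: str
    groups: frozenset = frozenset()
    valid_client_cert: bool = False             # client certificate validated by the trusted root CA

def bypass_criteria_met(idp: IdpConfig, req: Request) -> bool:
    """True only when every bypass criterion configured in the IdP is satisfied."""
    checks = []
    if idp.corporate_subnets:   # On Corporate Network: source IP inside an on-premises subnet
        ip = ipaddress.ip_address(req.source_ip)
        checks.append(any(ip in ipaddress.ip_network(n) for n in idp.corporate_subnets))
    if idp.cert_check:          # Device is managed: unsupported unless cert identity is the username
        checks.append(req.valid_client_cert and idp.cert_identity_is_username)
    return bool(checks) and all(checks)

def mfa_required(idp: IdpConfig, app: AppConfig, d: DirConfig, req: Request) -> bool:
    # Resolve the effective policy down the IdP -> application -> directory chain.
    app_mfa = idp.mfa_enabled if app.mfa_setting == "Use IdP MFA Setting" else app.mfa_setting == "Enable"
    if d.mfa_setting == "Use Application Setting":
        required = app_mfa
    elif d.mfa_setting == "Enable for specific Groups":
        required = bool(req.groups & d.mfa_groups)
    else:
        required = d.mfa_setting == "Enable"
    # IdP bypass criteria apply only when MFA is required and the app has not disabled them.
    if not required or app.disable_bypass_criteria:
        return required
    return not bypass_criteria_met(idp, req)
```

Force MFA is not modelled, since it changes how often the prompt appears rather than whether the policy applies.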

Customize the organization name in email and SMS MFA token notifications

As part of multi-factor authentication (MFA), authentication tokens are sent to users either through email or SMS on behalf of the organization. By default, the name of the organization included in these token messages is obtained from the customer's account name set up in Control Center. However, you can customize the name of the organization that appears in the subject of the email token notification or in the body of the SMS token message.

The email notification is sent to the user from the administrator email configured in Set up an EAA admin help desk email address.

  1. Log in to EAA Management Portal.

  2. In the EAA Management Portal navigation menu, select Identity > Identity providers.

  3. On the identity provider card, click Configure Identity Provider, and select MULTIFACTOR.

  4. Enable IdP MFA Policy.

  5. In Organization name enter the name of the organization that should appear in the subject of the email token notification or in the body of the SMS token message.

  6. Select Email, SMS, and any other MFA factors.

  7. Click Save & exit or Save and go to Advanced Settings.

  8. Deploy the identity provider.

Payment Card Industry Data Security Standard (PCI DSS) compliant mode for MFA

Provides a brief introduction to PCI DSS MFA.

In multi-factor authentication (MFA), each piece of evidence needs to be confirmed before the next piece of evidence is requested from the user. In the Payment Card Industry Data Security Standard (PCI DSS) compliant mode of MFA, Enterprise Application Access (EAA) complies with the PCI DSS 2018 standard. For example, if an authentication error occurs with an incorrect username, password, or two-factor authentication (2FA) token, the specific failure is not disclosed to the user. This makes it harder for malicious users to use brute-force attack mechanisms to recover usernames and passwords.

Enterprise Application Access supports PCI DSS MFA for the Akamai IdP for additional security, and it works only with TOTP as 2FA. PCI DSS MFA does not work with Integrated Windows Authentication (IWA) or certificate-based authentication. It must be configured at the identity provider level, not, for example, for each application or each directory.

PCI DSS-compliant MFA should be used for admin users of your organization on one Akamai IdP, since it gives only a single failure message. Enabling this mode for users might increase the support burden for the organization. By contrast, the IdP MFA policy supports different types of two-factor such as SMS, email, TOTP, and Duo, and gives users more user-friendly authentication failure messages for each step of the verification process.

Enable a global PCI DSS compliant MFA for Login Portal users

Configure Payment Card Industry Data Security Standard (PCI-DSS) MFA for the Akamai IdP. When you enable PCI DSS-compliant multi-factor authentication (MFA), users who log into the portal are required to use their standard login credentials and a time-based one-time password (TOTP) authentication token every time they log in. If the username, password, and time-based token are correct, the user has access to all of the applications associated with the identity provider (IdP). If any of the credentials are incorrect, the user does not have access to the application and an error message appears. Specific details of which step in the MFA process failed are not provided to the user.

  1. Log in to EAA Management Portal.

  2. In the EAA Management Portal navigation menu, select Identity > Identity providers.

  3. On the identity provider card, click Configure Identity Provider, and select MULTIFACTOR.

  4. Enable IdP MFA Policy. Do not select any of the MFA factors.

  5. The IdP PCI DSS Compliant checkbox appears. Select it. The MFA factors section then shows only the TOTP checkbox.

  6. Select the Authentication Token (TOTP) checkbox.

    📘

    If you selected any of the MFA factors like email, SMS, or Duo in previous steps, a dialog appears with a suggestion to deselect those options.

  7. Click Save & exit or Save and go to Advanced Settings.

  8. Deploy the identity provider.