Multi-factor authentication

Multi-factor authentication (MFA) is an access control method where multiple, separate pieces of evidence are required for identification before access is granted. Typically at least two of the following categories must be satisfied for MFA: knowledge (something they know), possession (something they have), and inherence (something they are). Using two different components to confirm identity is known as two-factor authentication (2FA).

You can configure MFA by selecting the identity provider on the IdP list page, and clicking on the MFA tab. There are different MFA methods like email, SMS, Authentication token (TOTP), Duo, and Akamai MFA, for receiving authentication tokens by the end-user. For time-based one-time password(TOTP) authenticator, the end-user must set up a third-party app like Google authenticator on their device where they wish to receive second-factor tokens. EAA also allows the end-user to receive recovery codes from the admin if they do not have access to the registered second-factor device after the organization validates the authenticity of the user.

SMS and email messages will have the format <Organization name>:<OTP code>. Organization name is obtained from the value you provide for the Organization Name.

MFA methodsMFA methods

If you enable MFA to access EAA applications and SMS is the registered MFA scheme, SMS message is sent at the time of registration and when you receive onetime password (OTP) code for authentication.

Example of the registration SMS:

Phone verification code from <Organization name>: <OTP code> This SMS may incur charges from your telephone operator.

Example of the SMS sent as OTP for authentication:

Access code from <Organization name>: <OTP code> This SMS may incur charges from your telephone operator.

Inheritance rules for MFA policy between identity provider, applications, directory, and groups.

The MFA policy with MFA factors configured in the identity provider (IdP) is a global setting. It is inherited by all applications and directories associated with the IdP (by default). The global IdP MFA settings can be overridden for each application. The application MFA settings is inherited by the directory MFA settings (by default). The application MFA settings can be overridden for each directory or a group within a directory.

Enable a global multifactor authentication policy for Login Portal users

Configure a global MFA policy for all users accessing all applications associated with this identity provider. You can enable multifactor authentication (MFA) for non-admin application users. This requires users who log into the portal to use their standard login credentials and at least one other MFA verification factor, such as email, SMS, or a time-based one-time password (TOTP) authentication token, DUO, or Akamai MFA every time they log in. The global MFA policy is configured in EAA through the identity provider (IdP) settings and may be set for all users. It is inherited for all applications and directories associated with this identity provider.

If you configured the IdP login portal to support a different primary language other than English, then the MFA is received in that language.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Select your identity provider to open it.

  4. In Settings > MFA enable IdP MFA Policy and the MFA factors to apply like email, SMS, TOTP, Duo, or Akamai MFA. You can select one or more of these MFA methods.

If you select multiple MFA factors, the end-user is prompted to the enrollment options page where they are shown all the MFA methods including Akamai MFA. They can use the onscreen guidance to select the primary method and the backup methods for authentication. See Set up MFA to receive tokens on the end-users device for how end-users can set up multiple MFA methods.

  1. Click Save.

  2. Deploy the identity provider.

Enable or disable multi-factor authentication for each application

Enable or disable multi-factor authentication (MFA) per application. Apply disable bypass MFA criteria per application. This procedure is useful when you need global MFA for an identity provider (IdP) but you need to exclude an application from using the MFA policy of the IdP. Or, you do not have a global MFA policy, but you want to add a custom MFA policy for only one application. Or, if you've set bypass MFA criteria in the IdP, and you want to override it for an important application even if the user is with the corporate network, using a managed device, or using IWA, you can set the disable bypass MFA criteria. Then, the user is prompted for MFA required for accessing that application.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

  3. Select your application to open it.

  4. In Authentication > MFA Settings IDP section displays settings that you configured when you enabled MFA for your identity provider.
    In Application Override select one of the choices:

    • Enable. You might want to require users to use MFA for just this application, although the IdP might not have MFA.

    • Disable. You might want to not require users to use MFA for just this application, although other applications keep the MFA settings of the IdP.

    • Use IdP MFA Setting (Default). You might want to keep the same MFA settings as set in the IdP and not change it.

    • Force MFA. If you want your users to be prompted for MFA every time they login to the application.

    • Disable Bypass MFA criteria. Select this option if you want to disable the evaluation of bypass MFA criteria you set in the IdP. Then, the user is prompted for MFA for this application even if any of the criteria is met.

    ūüďė

    Select this option, only if you have set any Bypass MFA criteria in the identity provider.

mfa application overridemfa application override

  1. Click Save.

  2. Deploy the application.

Enable or disable multi-factor authentication for each directory or a certain group

Enable or disable multi-factor authentication (MFA) for each directory on an application or for some groups within the directory. By default, the directory inherits the MFA settings from the application. You can override this in the directory MFA settings.

If you have two active directories (ADs) assigned to the IdP of an application, for example, one is AD San Francisco and the other is AD New York, use this procedure to select just one directory to have MFA for the application.

Or, you can have MFA for users who are members of certain groups within the directory. Then MFA is prompted for users in those groups. All other users in other groups in that directory are not asked for MFA.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

  3. Select your application to open it.

  4. Select Authentication > MFA Settings.
    The MFA Settings section contains the configured IdP and application data.

  5. Click Select Directory to override MFA and select the directory that you want to configure. Click Associate.

  6. For the selected directory, you can select one of the MFA configuration options:

    • Enable. If you want all users in this directory to be prompted for MFA before accessing this application.

    • Disable. If you want all users in this directory to not be prompted for MFA before accessing this application. All other applications under the IdP keep the same MFA settings.

  7. Click Assign Directory and enable the selected MFA Settings for specific groups. Filter and select users and click Associate. Use this option if you want users belonging to specific groups in the directory to use MFA.

  8. Click Save.

mfa directory overridemfa directory override

When you’re enabling MFA for a specific group, you can filter for the groups you want using the entering few characters of the groups name. Select the groups and click Save. To apply MFA to all groups, select the checkbox next to Search field and click Associate. To make changes or deselect all click the same checkbox.

For example, you have 11 groups in this directory. The admin has allowed MFA for only the RDP and Engineers groups. The other users will not be prompted for MFA although they belong to the same directory.

mfa directory override dir associatemfa directory override dir associate

  1. Click Save.

  2. Deploy the application.