Multi-factor authentication

Multi-factor authentication (MFA) is an access control method where multiple, separate pieces of evidence are required for identification before access is granted. Typically at least two of the following categories must be satisfied for MFA: knowledge (something they know), possession (something they have), and inherence (something they are). Using two different components to confirm identity is known as two-factor authentication (2FA).

You can create and apply MFA policies for administrative users (admins) of the Enterprise Application Access (EAA) in Enterprise Center as well as for non-admin users of the applications.

The MFA policy, with the MFA factors configured in the identity provider, is a global setting. By default it is inherited by all applications and directories associated with the IdP. The global IdP MFA settings can be overridden for each application. By default, the directory MFA settings inherit the application MFA settings, and the application MFA settings can be overridden for each directory or for a group within a directory. If you enabled generating recovery codes in the identity provider, then a recovery code can be used as an alternative to 2FA for users, after the organization validates the authenticity of the user.

If you enable MFA to access EAA applications and SMS is the registered MFA factor, an SMS message is sent at registration time and each time a one-time password (OTP) code is sent for authentication.

  • Example of the registration SMS:
Phone verification code from <Company name>: <OTP code> This SMS may incur charges from your telephone operator.
  • Example of the SMS sent as OTP for authentication:
Access code from <Company name>: <OTP code> This SMS may incur charges from your telephone operator.

Enable a global multifactor authentication policy for Login Portal users

Configure a global MFA policy for all users accessing all applications associated with this identity provider. You can enable multifactor authentication (MFA) for non-admin application users. This requires users who log into the portal to use their standard login credentials and at least one other MFA verification factor, such as email, SMS, or a time-based one-time password (TOTP) authentication token every time they log in. The MFA policy is configured in EAA through the identity provider (IdP) settings and may be set for all users, known as a global MFA policy. It is inherited for all applications and directories associated with this identity provider.

If you configured the IdP login portal to support a primary language other than English, then the MFA messages are received in that language.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Select your identity provider to open it.

  4. In Settings > MFA enable IdP MFA Policy and the MFA factors to apply (like email, SMS, TOTP, or Duo).

  5. Click Save.

  6. Deploy the identity provider.

Enable or disable multi-factor authentication for each application

Enable or disable multi-factor authentication (MFA) per application, and apply the Disable Bypass MFA criteria option per application. This procedure is useful when you need global MFA for an identity provider (IdP) but want to exclude one application from the MFA policy of the IdP, or when you do not have a global MFA policy but want a custom MFA policy for only one application. Also, if you've set bypass MFA criteria in the IdP and want to override them for an important application even when the user is on the corporate network, using a managed device, or using IWA, you can set the disable bypass MFA criteria option. The user is then prompted for MFA when accessing that application.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

  3. Select your application to open it.

  4. In Authentication > MFA Settings, the IdP section displays the settings that you configured when you enabled MFA for your identity provider.
    In Application Override, select one of the choices:

    • Enable. You might want to require users to use MFA for just this application, although the IdP might not have MFA enabled.

    • Disable. You might want to not require users to use MFA for just this application, although other applications keep the MFA settings of the IdP.

    • Use IdP MFA Setting (Default). You might want to keep the same MFA settings as set in the IdP and not change them.

    • Force MFA. Select this option if you want your users to be prompted for MFA every time they log in to the application.

    • Disable Bypass MFA criteria. Select this option if you want to disable the evaluation of bypass MFA criteria you set in the IdP. Then, the user is prompted for MFA for this application even if any of the criteria is met.

    Note: Select this option only if you have set any Bypass MFA criteria in the identity provider.


  5. Click Save.

  6. Deploy the application.

Enable or disable multi-factor authentication for each directory or a certain group

Enable or disable multi-factor authentication (MFA) for each directory on an application or for some groups within the directory. By default, the directory inherits the MFA settings from the application. You can override this in the directory MFA settings.

If you have two Active Directory (AD) directories assigned to the IdP of an application, for example AD San Francisco and AD New York, use this procedure to select just one of the directories to require MFA for the application.

Or, you can require MFA only for users who are members of certain groups within the directory. Users in those groups are prompted for MFA; all other users in that directory are not.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

  3. Select your application to open it.

  4. Select Authentication > MFA Settings.
    The MFA Settings section contains the configured IdP and application data.

  5. Click Select Directory to override MFA and select the directory that you want to configure. Click Associate.

  6. For the selected directory, you can select one of the MFA configuration options:

    • Enable. If you want all users in this directory to be prompted for MFA before accessing this application.

    • Disable. If you want all users in this directory to not be prompted for MFA before accessing this application. All other applications under the IdP keep the same MFA settings.

  7. Click Assign Directory and enable the selected MFA Settings for specific groups. Filter and select users and click Associate. Use this option if you want users belonging to specific groups in the directory to use MFA.

  8. Click Save.


When you're enabling MFA for a specific group, you can filter for the groups you want by entering a few characters of the group's name. Select the groups and click Save. To apply MFA to all groups, select the checkbox next to the Search field and click Associate. To make changes or to deselect all, click the same checkbox.

For example, this directory has 11 groups and the admin has enabled MFA for only the RDP and Engineers groups. The other users are not prompted for MFA although they belong to the same directory.


  9. Click Save.

  10. Deploy the application.
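The precedence rules this page describes (global IdP policy, application override, directory or group override, and the IdP bypass criteria that an application can refuse to evaluate) as an added Python model; this is illustrative code written for this page, not Akamai's EAA implementation. The class names, mode strings and bypass criteria names are assumptions, and the sample directory and groups reuse the page's AD San Francisco / RDP / Engineers example.

```python
from dataclasses import dataclass

# Hypothetical model of the IdP -> application -> directory/group precedence
# described on this page. Constructed for illustration; not Akamai's code.

@dataclass(frozen=True)
class IdpPolicy:
    mfa_enabled: bool
    bypass_criteria: frozenset = frozenset()  # e.g. {"corporate_network", "managed_device", "iwa"}

@dataclass(frozen=True)
class AppOverride:
    mode: str = "use_idp"             # "enable" | "disable" | "use_idp" | "force"
    disable_bypass_criteria: bool = False

@dataclass(frozen=True)
class DirectoryOverride:
    mode: str = "inherit"             # "enable" | "disable" | "inherit"
    groups: frozenset = frozenset()   # empty = every group in the directory

@dataclass(frozen=True)
class Login:
    directory: str
    groups: frozenset     # groups the user belongs to
    context: frozenset    # bypass conditions satisfied for this login

def mfa_required(idp, app, dir_overrides, login):
    """Return (prompt, reason) for one login to one application."""
    # 1. A directory/group override wins over the application setting (assumption:
    #    it also wins over "force", since the page says directories override apps).
    d = dir_overrides.get(login.directory, DirectoryOverride())
    if d.mode == "disable":
        return False, "directory override: disabled"
    if d.mode == "enable":
        if d.groups and not (d.groups & login.groups):
            return False, "directory override: user not in an MFA group"
        required, source = True, "directory override: enabled"
    # 2. Otherwise the application override, else the global IdP policy.
    elif app.mode == "force":
        return True, "application override: force MFA (bypass not evaluated)"
    elif app.mode in ("enable", "disable"):
        required, source = app.mode == "enable", "application override: " + app.mode + "d"
    else:
        required, source = idp.mfa_enabled, "inherited from IdP policy"
    if not required:
        return False, source
    # 3. IdP bypass criteria apply unless the application disables their evaluation.
    met = idp.bypass_criteria & login.context
    if met and not app.disable_bypass_criteria:
        return False, "bypass criteria met: " + ", ".join(sorted(met))
    return True, source
```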
