PCI DSS compliant MFA

Payment Card Industry Data Security Standard (PCI DSS) compliant mode for MFA

In multi-factor authentication (MFA), each piece of evidence needs to confirmed before the next piece of evidence is provided to the user. In Payment Card Industry Data Security Standard (PCI DSS) compliant mode of MFA, Enterprise Application Access (EAA) complies with the PCI DSS 2018 standard. For example, if an authentication error occurs with an incorrect username, password, or two factor authentication (2FA), the specific failure is not disclosed to the user. This makes it harder for malicious users to use brute-force attack mechanisms to recover usernames and passwords.

Enterprise Application Access supports PCI DSS MFA for ‚ÄčAkamai‚Äč IdP for additional security and works only with TOTP as 2FA. The PCI DSS MFA does not work with Integrated Windows Authentication (IWA) or certificate-based authentication. It must be configured at the identity provider level and not, for example, for each application or each directory.

PCI DSS-compliant MFA should be used for admin users of your organization on one ‚ÄčAkamai‚Äč IdP, since this only gives a single failure message. Enabling this mode to users might increase the support for the organization. But, the IdP MFA policy supports different types of two factor such as SMS, email, TOTP, and Duo, and gives users more user-friendly authentication failure messages for each step of the verification process.

Enable a global PCI DSS compliant MFA for Login Portal users

Configure Payment Card Industry Data Security Standard (PCI-DSS) MFA for ‚ÄčAkamai‚Äč IdP. When you enable PCI DSS-compliant multi-factor authentication (MFA), users who log into the portal are required to use their standard login credentials and a time-based one-time password (TOTP) authentication token every time they log in. If the username, password, and time-based token are correct, the user has access to all of the applications associated with the identity provider (IdP). If any of the credentials are incorrect, the user does not have access to the application and an error message appears. Specific details of which step in the MFA process failed is not provided to the user.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Select your identity provider to open it.

  4. In MFA select IDP Login Requires MFA.

  5. The IdP PCI DSS Complaint checkbox appears. Select it. The MFA factors section shows only the TOTP checkbox.

  6. Select the Authentication Token (TOTP) checkbox.


    If you selected any of the MFA factors like email, SMS, or Duo in previous steps, a dialog appears with a suggestion to deselect those options.

  7. Set MFA Verification Trust Duration. The user is prompted for MFA verification the very first time they use the browser. Then, within the trust duration period, the user is exempt from MFA challenge if they use the same browser. The default is 365 days.

  8. Click Save.

  9. Deploy the identity provider.