Enable multi-factor authentication

The factors you select are required when users attempt to access a website that requires or is enabled for authentication.

To enable MFA in an IdP:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Identity Providers.

  2. To add a new IdP, click the plus sign icon or click the name of the IdP that you want to modify.

  3. If you are adding a new IdP, enter a name, description, and select the provider type.

  4. To enable an MFA policy, toggle IDP MFA Policy.

  5. In the MFA timeout field, enter the number of days that you want an MFA session to last.

  6. In the MFA Factors field, select one or more factors for MFA.

  7. Click Save.

Next steps

  1. Deploy the IdP configuration. For more information, see Deploy configuration changes.

  2. Make sure the IdP is assigned to the policy where you want MFA enabled. For more information, see Require authentication to access a website or web application.

Install a time-based one-time password application on a mobile device

To use an authentication token, users need to download and install one of these time-based one-time password (TOTP) applications on a mobile device:

Application              Operating System              Link to support documentation
Google Authenticator     Android, iOS, BlackBerry OS   https://support.google.com/accounts/answer/1066447
Microsoft Authenticator  Windows Mobile                Not available

📘

Make sure the user's device is not in "Do not disturb" mode. This may prevent the user from receiving authentication text messages or pop-up notifications.
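The authenticator applications listed above and the IdP's TOTP factor agree on a code because both sides run the same time-based one-time password algorithm (RFC 6238, built on the HOTP construction of RFC 4226). The following Python example is added here for illustration and is not SIA's code, nor Google's or Microsoft's; it computes codes from a shared secret, verifies a submitted code with a small clock-drift window and a replay check, and builds the otpauth URI that authenticator apps scan during enrolment. The secret is the RFC's published test secret (constructed input, so the results can be checked against the RFC vectors); the window size, replay rule and URI issuer name are this example's assumptions, not SIA settings.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample: the shared secret from the RFC 4226/6238 test vectors (ASCII "12345678901234567890").
# Real enrolment generates a random secret per user; this one is used only so the results are checkable.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_counter: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check of a user-submitted code.

    Accepts the current time step plus `window` steps either side to tolerate clock drift,
    compares in constant time, and refuses any step at or before `last_counter` so a code
    that was already used cannot be replayed. Returns the accepted step counter, or None.
    (The window size and replay rule are this example's assumptions, not SIA's settings.)
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def provisioning_uri(issuer: str, account: str, secret: bytes, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI of the kind authenticator apps scan from a QR code during enrolment."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Walk three RFC 6238 SHA-1 vectors (8-digit codes) and show accept / drift / replay behaviour.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(SECRET, t, digits=8))
    accepted = verify_totp(SECRET, "94287082", 59, digits=8)
    print("accepted at step", accepted)
    print("same code 30s later (drift window):", verify_totp(SECRET, "94287082", 89, digits=8))
    print("same code replayed after use:", verify_totp(SECRET, "94287082", 59, last_counter=accepted, digits=8))
    print(provisioning_uri("ExampleIdP", "user@example.com", SECRET))
```

Two points matter for a deployment rather than a demo: the verifier must compare codes in constant time and remember the last accepted step per user, otherwise a code observed over the shoulder remains valid for the rest of its window, and the drift window should stay small (one step either side here), since every extra step widens the guessing space for a six-digit code.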

Duo Security two-factor authentication

Duo Security is an MFA provider that confirms the identity of users and the health of their devices before the user gets access. Duo supports push notifications, TOTP, text messages (SMS), voice calls, and emails for two-factor authentication (2FA).

SIA provides remote access and MFA, and integrates with Duo's 2FA services. If you are currently using Duo as a 2FA solution, you can enter some Duo-specific information in SIA to verify identity and access privileges.

Within the Duo application, a Duo administrator can generate a unique set of configuration parameters. These configuration parameters are then entered into the corresponding MFA fields in an IdP configuration.

  • Integration key or ikey: A unique identifier that allows you to retrieve users' API keys based on email and password.

  • Secret key or skey: A unique identifier used for encryption of data.

  • API hostname: Your API hostname used for all API interactions with Duo. For example, api-XXXXXXXX.duosecurity.com

You'll need these keys and hostname when configuring your system to work with Duo.

When configuring Duo in SIA, you can also define the UserID attribute. The Duo user ID attribute determines how the usernames listed in Duo appear. Choose one of these attributes:

  • Email
  • SAM account name
  • User Principal Name
  • Domain/SAM account name

Depending on the directory your organization uses, make sure you consider these points when defining the UserID attribute.

  • When using OpenLDAP to authenticate users in the Login Portal, SIA supports only email as the Duo UserID attribute.

  • When using Active Directory (AD) to authenticate users in the Login Portal, SIA supports all Duo UserID attributes.

All communication between the Login Portal and Duo is secured with TLS. SIA validates the server certificate before sending any information or data to the Duo service.

To set up Duo as a factor for MFA:

  1. Retrieve information from Duo.

  2. Configure Duo as a factor for MFA in SIA.

Retrieve information from Duo

To retrieve the information that's required to set up Duo as a two-factor authentication service in SIA:

  1. Create a Duo admin account.

  2. Follow the on-screen prompts to activate Duo Mobile.

  3. Navigate to the Duo Applications page.

  4. Locate the respective Duo application to protect.

  5. To generate the Integration key, Secret key, and API hostname, click Protect an Application.

Next steps

Enter the Duo Integration key, Secret key, and API hostname into SIA. See Configure Duo as a factor for MFA in SIA.

Configure Duo as a factor for MFA in SIA

Before you begin

Retrieve the required information from Duo. See Retrieve information from Duo.

You can add Duo MFA to any SIA IdP.

To configure Duo as a factor for MFA:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Identity Providers.

  2. Locate the IdP that you want to configure with Duo or add a new IdP. To add an IdP, see Add an identity provider.

  3. In the Settings tab, click Advanced User Authentication.

  4. To enable a global MFA policy, select IdP MFA Policy.

  5. In the MFA Factors area, select Duo. The Duo configuration parameters appear.

  6. Enter the Integration key, Secret key, and API hostname values that you retrieved from Duo.

  7. Select a Duo User ID attribute. Choose one of these attributes:

    • Email
    • SAM account name
    • User Principal Name
    • Domain/SAM account name
  8. Select any other MFA factor that you want to enable.

  9. Click Save.

Next steps

Deploy the IdP. See Deploy configuration changes.

Confirm users can receive MFA notifications

Multi-factor authentication notifications are sent to users by email, text message, or pop-up notification. If a user has trouble receiving them, check these two things first.

To confirm users can receive MFA notifications:

  1. Look in their email spam folder. The authentication email may have been delivered there.

  2. Make sure their mobile phone or device is not in "Do Not Disturb" mode. This mode may block authentication text messages or pop-up notifications.

About MFA

Multi-factor authentication is an authentication method that requires more than one piece of information to verify the user’s identity and grant access. Typically, MFA requires that these pieces of information, or factors of authentication, come from at least two of these categories:

  • Knowledge. Something the user knows
  • Possession. Something the user has
  • Inherence. Something the user is

Two-factor authentication requires two of these authentication factors.

As part of an IdP configuration, you can enable and define a global MFA policy. This requires users who log into the portal to use their standard login credentials and at least one other MFA verification factor, such as email, SMS, or a TOTP authentication token, every time they log in.

📘

If you have configured the IdP login portal to use a primary language other than English, MFA messages are received in that language.

In the IdP configuration, you can define these settings:

  • MFA Timeout. After a user authenticates with MFA, this setting defines how long the session is valid before MFA is required again. The default timeout is 365 days.

  • MFA Factor. Supported factors of authentication. Control Center supports these factors:

    • Email. SIA sends an authentication code to the user’s email address.

    • SMS. SIA sends an authentication code to the user by text message.

    • Authentication token or TOTP. Authenticators that are installed on a mobile device. SIA supports the Google and Microsoft authenticators. For more information, see Install a time-based one-time password application on a mobile device.

    • Duo. Duo Security is an MFA provider that confirms the identity of users and the health of their devices before the user gains access. For more information, see Duo Security two-factor authentication.

    • Import email from directory. This setting imports email addresses from the directory associated with the IdP and sends authentication codes to the user’s email address.