Allowed authentication methods

The following secondary authentication methods can be enabled to protect enterprise applications.
The authentication methods and devices that you set up on the Akamai MFA Policies page determine the authentication options that users see in their enrollment and authentication prompts.

WebAuthn/FIDO2 security key

Authentication method that uses a WebAuthn/FIDO2 hardware security key, such as a YubiKey USB token, to provide users with cryptographic authentication to protected resources.

See FIDO U2F security key to learn more.

📘

This authentication method is not supported for the Unix PAM and Windows Logon integrations.

Phone security key

Authentication method that leverages the Akamai MFA mobile app installed on the user's smartphone and the Akamai MFA browser plug-in to provide users with the increased security of FIDO2 standards and the frictionless user experience of a standard push.

See security key to learn how users can self-enroll their security keys.

📘

This authentication method is not supported for the Unix PAM and Windows Logon integrations.

Push notification

Authentication method that sends a push request with Allow and Deny action buttons to the user's enrolled mobile device. The users can either tap Allow, which allows them to authenticate, or Deny to block an unauthorized access attempt.

See push notification to learn more.

Push TOTP

This method sends mobile-generated one-time passcodes to the user's account in the Akamai MFA mobile app. The user needs to enter the received passcode into the authentication prompt within a determined period of time. With this method, users can sign in without an internet connection.

See push TOTP to learn more.

Email or SMS OTP

With this authentication method, the Akamai MFA service randomly generates numeric or alphanumeric one-time passcodes that remain valid for a single log-in session. Users receive the verification code via SMS or email and submit it in the Akamai MFA authentication prompt to log in.

📘

Email can be used as a backup authentication method for situations when the user is unable to authenticate with their enrolled mobile device.

See SMS or email OTP to learn more.

Bypass code

A bypass code is a user-specific passcode that lets users authenticate when they can't use their enrolled authentication device. The user needs to contact the IT department to request the bypass code and then submit it during the secondary log-in process. Just like email, the bypass code is used as a backup method.

📘

This is a backup authentication method for situations when the user is unable to authenticate with their enrolled mobile device.

See Generate a bypass code and Use the bypass code to learn more.

Clientless push

With this authentication method, the user receives a text message with a link leading to the authentication request. When the user clicks the link, they are redirected to a webpage displaying the login request that lets the user confirm their identity.

See clientless push to learn more.

Phone call

Authentication method that uses telephony APIs to call the user's registered phone number, including landlines, and forward the verification code via voicemail.
Upon receiving a voice message with the verification code, the user confirms their identity by submitting the code in the Akamai MFA authentication prompt.

See phone call to learn more.

Legacy phone

This method lets users enroll a non-smartphone device (including a landline phone) that supports phone calls and SMS authentication methods.

To allow an SMS OTP as an authentication method for a non-smartphone device, you should enable SMS Enabled and Legacy phone.
To allow a Phone call as an authentication method for a non-smartphone device, you should enable Phone call and Legacy phone.

Hardware token

A hardware token is a security device that runs an algorithm to generate one-time passcodes. Passcodes change constantly at a defined time interval (usually every 30 seconds). To confirm their identity, users need to enter the passcodes generated by the hardware token in the Akamai MFA authentication prompt.

See assign a hardware token to a user and manage hardware tokens to learn more.

Third-party authenticators as OTP devices

With this method, you can allow Duo Mobile, Google Authenticator, Microsoft Authenticator, Okta Verify, or any other mobile app that provides TOTP (time-based one-time passcodes) upon scanning a QR code. After the user enrolls the selected app as the third-party OTP device in the Akamai MFA service, they can use the OTP codes that they receive in their account in the mobile app to authenticate to protected resources.

See Third-party OTP devices to learn more.

