API concepts

This section contains the ​Akamai MFA​API concepts that this API makes available in its URL resources and data:

• User. Specifies a user account for an individual accessing enterprise applications. Each user is identified by the userId. You can add and manage user accounts manually or import them from external directory services. You can also assign a specific user account to only one hardware token, and a set of groups and policies. Users referenced in this API are specific to ​Akamai MFA​. ​Akamai MFA​ administrators can create users manually or import them from an external identity provider.
  See Manage users and devices to learn more.

• User account status. A typical life cycle of a user account in ​Akamai MFA​ contains these stages: UNENROLLED represents user accounts imported from an external directory service that have no enrolled devices. This is a default status for newly created user accounts. PROVISIONING_DISABLED represents user accounts imported from an external directory that are currently suspended by an automatic provisioning service. These users can't use the supported authentication methods to authenticate. ACTIVE represents users who enabled their accounts and activated their authentication devices in ​Akamai MFA​. Active users need to have at least one device enrolled and verify their identity using secondary authentication methods before they can access protected applications. DEVICES_DISABLED represents users who unenrolled their mobile devices or had all their authentication devices deactivated by an administrator. These users can't enroll new devices without an administrator explicitly deleting or re-activating the devices.

• Group. Specifies a collection of user accounts that share the same set of access privileges. Each group is identified by the groupId. You can assign one or multiple groups to a user to manage access privileges to distinct applications on the group level. Groups referenced in this API are specific to ​Akamai MFA​. ​Akamai MFA​ administrators can create groups manually or import them from an external identity provider.
  See Manage groups to learn more.

• Device. A trusted mobile device that is associated with the user account. Each device is identified by the deviceId. The user first enrolls their device in ​Akamai MFA​ and then uses it to confirm their identity and get access to protected applications. Devices referenced in this API are specific to ​Akamai MFA​.

• Device type. A type of the user's authentication device. PUSH indicates any device that supports sending push notifications, for example, tablets and smartphones. PHONE_ONLY indicates a non-smartphone mobile device that supports only text messages and calls. SECURITY_KEY indicates a FIDO2 WebAuthn security key such as a YubiKey or ​Akamai MFA​ phone security key. TOTP indicates a hardware device that generates one-time passcodes. HARDWARE_TOKEN indicates a security device that generates one-time passcodes.

• Disable a device. You can deactivate a user’s device that poses a threat to your data or if it remains inactive. The user whose device is disabled can’t use it to confirm their identity.

• Enable a device. This action lets you activate a device that was previously inactive in the ​Akamai MFA​ service. The user whose device is enabled can use it to confirm their identity and get access to protected applications.

• Enrollment. Describes the way that new user accounts are set up in the service. This API lets you invite new users by sending them enrollment emails.
  See Enroll new users to learn more about all supported enrollment methods.

• Enrollment email. An email containing the enrollment link that is sent to new users to invite them to the ​Akamai MFA​ service. The user clicks the link and follows the on-screen instructions to self-enroll and activate the authentication device.

• Bypass code. A backup authentication method that lets you generate a temporary authentication code for a specific user. With the bypass code, you can enable the user to authenticate when, for example, they want to enroll a new device in the service or their enrolled trusted device was misplaced. Each bypass code is identified by the bypassCodeId.

• Hardware token. One of the authentication second factors supported by ​Akamai MFA​. A hardware token is a security device that generates one-time passcodes used by users to authenticate. To assign a hardware token, you need its serial number. You can assign one hardware token per user. Each hardware token is identified by the deviceId.

• Policy. A policy is a set of rules that defines how ​Akamai MFA​ handles users trying to access protected applications. With policies, you can create access control rules to allow or deny access to an application or multiple applications under certain conditions. You can assign one or multiple policies to a user. Each policy is identified by the policyId. Policies referenced in this API are specific to ​Akamai MFA​.
  See Manage policies to learn more about policies.