ºÚÁϺ£½Ç91Èë¿Ú

FAQ for Admins: ºÚÁϺ£½Ç91Èë¿Ú Protect

Your users can download the ºÚÁϺ£½Ç91Èë¿Ú Protect® mobile app to secure their accounts using Multi-Factor Authentication (MFA). The app can be downloaded from the  or the . Once your users have downloaded the app and successfully enrolled their devices, they can authenticate using Push MFA or Verification (TOTP) Code MFA.

This KB article will answer common questions and offer suggestions to troubleshoot any issues that may arise during your team’s use of ºÚÁϺ£½Ç91Èë¿Ú Protect.

Frequent Questions and Answers

What software package is ºÚÁϺ£½Ç91Èë¿Ú Protect included in?

ºÚÁϺ£½Ç91Èë¿Ú Protect is available in all ºÚÁϺ£½Ç91Èë¿Ú tiers.

Where can my users download ºÚÁϺ£½Ç91Èë¿Ú Protect?

ºÚÁϺ£½Ç91Èë¿Ú Protect can be downloaded from the  or the .

Are there any countries where ºÚÁϺ£½Ç91Èë¿Ú Protect can’t be downloaded?

The ºÚÁϺ£½Ç91Èë¿Ú Protect mobile app may not be available in restricted countries such as Iran, Cuba, Syria, Sudan, North Korea, Russia, Belarus, and the Crimean region. Google Playstore is blocked in China, so users will not be able to download ºÚÁϺ£½Ç91Èë¿Ú Protect on Android devices there. Even when downloaded elsewhere, ºÚÁϺ£½Ç91Èë¿Ú Protect push won't work when traveling to certain countries.

Can my users enroll multiple devices at once?

No. Currently, users can only enroll one device at a time with ºÚÁϺ£½Ç91Èë¿Ú Protect. If they get a new device, they should enroll the new device before wiping the old, or log in using another factor to enroll the new device. If those steps are missed they will need to contact admin for enrollment on the new device.

If my users enroll in Push MFA, are they automatically enrolled in Verification Code MFA?

No. Your users need to enroll in each type of MFA separately.

Can my users transfer Push MFA enrollment to another device?

No, enrollments cannot be transferred. Users must unenroll the old device before enrolling the new device through the ºÚÁϺ£½Ç91Èë¿Ú User Portal. 

What data does ºÚÁϺ£½Ç91Èë¿Ú Protect collect?

ºÚÁϺ£½Ç91Èë¿Ú Protect will collect certain diagnostic and usage data for troubleshooting issues and continuous app improvements. There is no user information collected.

Users can opt out of diagnostic and usage data collection from the Settings > Privacy screen.

My users are already enrolled in Verification Code MFA through Google Authenticator/Authy/Duo. Can they continue to use that?

Yes. If you decide to use ºÚÁϺ£½Ç91Èë¿Ú Protect for verification code MFA in the future, your users will need to enroll in it using the ºÚÁϺ£½Ç91Èë¿Ú User Portal. Once they do so, their current enrollment will be reset and they will use ºÚÁϺ£½Ç91Èë¿Ú Protect. 

What security practices are employed by the ºÚÁϺ£½Ç91Èë¿Ú Protect app?

ºÚÁϺ£½Ç91Èë¿Ú Protect is highly secure and uses asymmetric key cryptography for security. When a device is enrolled and activated, an asymmetric key pair (public and private key) is generated. The private key is stored securely on the device while the public key is stored on ºÚÁϺ£½Ç91Èë¿Ú’s servers. The push requests and responses are then signed by the key pair making the transactions highly secure.The communication between the mobile app and ºÚÁϺ£½Ç91Èë¿Ú’s servers is encrypted. All communication is sent through https connections using TLS.

How can I protect users against Push Bombing and MFA Fatigue Risks?

Push Bombing is a hacking method of triggering multiple 2FA attempts using push notifications until the user may accept the request accidentally.  MFA Fatigue is the term for when, due to the multiple 2FA requests, a user accepts the fraudulent request out of frustration.

Here are ways to protect your organization against such an attack: 

  • An attacker can initiate a Push MFA request after obtaining a user’s password. Setting a strong password policy and using account lockout policies will reduce password brute force attacks. 
  • Enable biometric on JC Protect for an extra layer of identity protection.
  • Leverage Conditional Access Policies for additional safeguards.
  • Educate users to check application and location information before approving a push request, and to deny any request they suspect is fraudulent.
    • Keep in mind that location information does not have 100% accuracy, especially at the city level. 

Important:

ºÚÁϺ£½Ç91Èë¿Ú protects against fraudulent push attempts by blocking more than one notification per resource within a sixty second period, except for RADIUS and LDAP attempts. Users can try again after the timeout or after the user has approved or denied the request. The blocked event will appear in Directory Insights.

Troubleshooting Issues and Resolutions

See Troubleshoot: ºÚÁϺ£½Ç91Èë¿Ú Protect.

Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case