Use Multi-factor Authentication with JumpCloud to secure user access to your organization’s resources. With JumpCloud, Admins have the option to use JumpCloud Go, JumpCloud Protect (Push MFA), Verification Code (TOTP) MFA, WebAuthn MFA, and Duo Security MFA to strengthen security in their organization.
After you set up MFA, configure a Conditional Access Policy to relax or restrict access to resources based on conditions like a user's identity and the network and device they’re on. Learn more in Get Started: Conditional Access Policies.
About JumpCloud Go MFA
What is JumpCloud Go MFA?
Enable secure passwordless authentication, letting users verify their identity using their device authenticator (Apple Touch ID or Windows Hello).
When a user logs in to a resource protected with JumpCloud Go, they need to use their device authenticator to confirm their identity.
Google Chrome and the JumpCloud Go browser extension are required.
Using JumpCloud Go MFA
You can use JumpCloud Go to protect the User Portal and SSO applications. During registration, JumpCloud Go uses 3 authentication factors to confirm a user’s identity. For subsequent verifications, JumpCloud Go always uses two factors, but which factors it uses depends on whether biometrics are configured.
Users need to configure biometrics on their device authenticator to be able to use them with JumpCloud Go. Otherwise, the device password is used.
- See Get Started: JumpCloud Go
- Share Use JumpCloud Go with your organization’s users.
About JumpCloud Protect Mobile Push MFA
What is Push MFA?
With Push MFA, users can authenticate with a push notification that’s sent to their mobile device.
When a user logs in to a resource that’s protected by Push MFA, they need to provide their username, password, and approve the login request from a push notification they get on their mobile device.
Push MFA requires users to download the JumpCloud Protect app on their mobile device. Learn more in JumpCloud Protect for Admins.
Using Push MFA
You can use Push MFA to protect the User Portal, SSO applications, Password Reset, Devices (as a second factor), RADIUS, and LDAP.
JumpCloud protects against fraudulent push attempts by blocking more than one notification per resource within a sixty-second period, except for RADIUS and LDAP attempts. Admins can turn this off, or increase the limit for maximum concurrent attempts, in MFA Configurations.
Users can try again after the timeout or after the user has approved or denied the request. The blocked event will appear in Directory Insights under the event name push_mfa_attempt_failed; the error message is ‘too many concurrent push requests’.
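The blocked-push event described above is a useful detection signal: repeated throttling for one user in a short span suggests someone else is triggering their pushes. The following is an added example, not vendor code; only the event name and error text come from this article, while the field names, sample events, threshold and window are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The field names (event_type, timestamp, username,
# error_message) are assumptions for this sketch, not the documented export
# schema; adjust them to match the events you actually export.
SAMPLE_EVENTS = """\
{"event_type": "push_mfa_attempt_failed", "timestamp": "2024-05-01T09:00:05Z", "username": "alice", "error_message": "too many concurrent push requests"}
{"event_type": "push_mfa_attempt_failed", "timestamp": "2024-05-01T09:01:10Z", "username": "alice", "error_message": "too many concurrent push requests"}
{"event_type": "push_mfa_attempt_failed", "timestamp": "2024-05-01T09:02:30Z", "username": "alice", "error_message": "too many concurrent push requests"}
{"event_type": "push_mfa_attempt_failed", "timestamp": "2024-05-01T09:04:00Z", "username": "alice", "error_message": "too many concurrent push requests"}
{"event_type": "push_mfa_attempt_failed", "timestamp": "2024-05-01T09:15:00Z", "username": "bob", "error_message": "too many concurrent push requests"}
{"event_type": "push_mfa_attempt_failed", "timestamp": "2024-05-01T09:16:00Z", "username": "bob", "error_message": "push request denied"}
{"event_type": "push_mfa_attempt_failed", "timestamp": "2024-05-01T08:00:00Z", "username": "carol", "error_message": "too many concurrent push requests"}
{"event_type": "push_mfa_attempt_failed", "timestamp": "2024-05-01T08:30:00Z", "username": "carol", "error_message": "too many concurrent push requests"}
"""

THROTTLE_ERROR = "too many concurrent push requests"

def throttled_pushes(text):
    """Yield (username, datetime) for each push blocked by the throttle."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if (ev.get("event_type") != "push_mfa_attempt_failed"
                or THROTTLE_ERROR not in ev.get("error_message", "").lower()):
            continue  # other failure reasons are not throttle hits
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        yield ev["username"], ts

def flag_repeated_throttling(text, threshold=3, window=timedelta(minutes=10)):
    """Return {username: peak count} where peak count in any window >= threshold."""
    by_user = defaultdict(list)
    for user, ts in throttled_pushes(text):
        by_user[user].append(ts)
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged
```

A flagged user is a prompt to check whether their password is compromised, since each blocked push implies a correct first factor was already supplied.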
- See JumpCloud Protect for Admins
- Share JumpCloud Protect for End Users with your organization’s users
About Verification Code (TOTP) MFA
What is Verification Code (TOTP) MFA?
Verification Code (TOTP) MFA uses authentication codes called Time-based One Time Passwords (TOTP). These codes are generated from an authenticator application on a mobile phone or computer. We recommend using JumpCloud Protect for TOTP, but other apps, like Google Authenticator or Yubico Authenticator, can also be used.
When a user logs in to a resource that’s guarded by Verification Code MFA, they must provide their username, password, and a TOTP code generated by the authenticator application on their phone or computer.
Using Verification Code (TOTP) MFA
You can use Verification Code (TOTP) MFA in JumpCloud to protect the User Portal, the Admin Portal, RADIUS, LDAP, and Mac, Linux, and Windows systems. See the following articles for instructions on how to set up Verification Code MFA for these resources:
- Setting Up TOTP MFA for users and admins:
- Enabling TOTP MFA for systems and RADIUS:
- Enabling TOTP MFA for LDAP:
Users can authenticate into their local account without internet access, and TOTP MFA will still be enforced in this situation.
Find out more about some of the authenticator applications you can use with JumpCloud TOTP MFA:
- Use JumpCloud Protect for Verification Code (TOTP) MFA
- Set Up Yubico Authenticator
- Use Google Authenticator with JumpCloud MFA
Share Set up an Authenticator App with your organization’s users.
About WebAuthn MFA
What is WebAuthn MFA?
WebAuthn MFA lets users authenticate using security keys like YubiKey and Titan, or with a device authenticator, which is usually a device biometric such as Apple Touch ID or Windows Hello.
When a user logs in to a resource that’s guarded by WebAuthn MFA, they must provide their username, password, and their security key or device authenticator.
On Windows devices, the authenticator being enrolled as a device authenticator must already be enrolled in Windows Hello, otherwise enrollment will fail.
Using WebAuthn MFA
You can use WebAuthn MFA to protect the User Portal, SSO applications, and password resets made from the User Portal.
- See Set Up WebAuthn
- Share Use a Security Key or Device Authenticator with User Accounts with your organization’s users.
About Duo Security MFA
What is Duo Security MFA?
Duo Security MFA lets users authenticate using push notifications, phone callbacks, and mobile passcodes provided by Duo. Admins can choose the authentication options users have for Duo Security MFA.
When a user logs in to a resource that’s guarded by Duo Security MFA, they must provide their username, password, and choose an authentication option. Users then provide the factor required by that authentication method.
Using Duo Security MFA
You can use Duo Security MFA to guard the User Portal, SSO applications, and password resets made from the User Portal.
Duo is ending support for the traditional Duo two-factor authentication prompt on March 30, 2024. JumpCloud supports the Duo Universal Prompt and recommends that admins update to that method.
- See Configure Duo Security MFA
- Share Use Duo Security with JumpCloud MFA with your organization’s users.