Domain multifactor authentication
Multifactor authentication (MFA) can be used to provide an additional layer of security. With MFA, users are prompted to enter a six-digit code sent by a third-party multifactor authentication app, in addition to their user name and password.
MFA is available for web (HTTP) sessions. It can be configured for local server and domain users (but not for database, LDAP, and Windows users).
MFA can be configured at the global, domain, group, or user level.
If MFA is turned on at one level (for example, the group level) and you want to turn it on at a higher level (for example, the domain level), be sure to enable or enforce it at the higher level before you set the lower level to inherit. If you set the lower level to inherit first, MFA will be disabled for all users at that level.
Enable or enforce MFA
MFA is disabled by default. You can configure MFA to be enabled (available but optional) or enforced (required).
-
In the navigation pane of the Management Console, click the domain name.
-
Click Limits & Settings.
-
Click the Multifactor authentication tab.
-
Under Multifactor Authenticator, click one of the following to turn on MFA:
-
Enabled: Users can choose to log in with MFA, but it is not required.
-
Enforced: Users must enter the six-digit MFA code to log in.
-
-
(Optional) You can change the default company name. Users will see this name in their authenticator app.
-
Click Save.
Disable MFA
When MFA is disabled, users cannot log in with it. If MFA is being used and you disable MFA it, the MFA accounts that users configured are no longer valid. The MFA Status on the User Properties dialog changes back to Not Configured.
If you disable MFA and then enable it again, user accounts are not restored. MFA must be configured again for each user account.
-
In the navigation pane of the Management Console, click Global.
-
Click Limits & Settings.
-
Click the Multifactor authentication tab.
-
Under Multifactor Authenticator, click Disabled.
-
Click Save.