User Properties: Multifactor authentication
Multifactor authentication (MFA) can be used to provide an additional layer of security. With MFA, users are prompted to enter a six-digit code sent by a third-party multifactor authentication app, in addition to their user name and password.
MFA is available for web (HTTP) sessions. It can be configured for local and database server and domain users (but not for LDAP and Windows users).
MFA can be configured at the global, domain, group, or user level.
If MFA is turned on at one level (for example, the group level) and you want to turn it on at a higher level (for example, the domain level), be sure to enable or enforce it at the higher level before you set the lower level to inherit. If you set the lower level to inherit first, MFA will be disabled for all users at that level.
Access MFA settings in User Properties
- In the navigation pane of the Management Console, click Global for a global user, or click the domain name for a domain user.
- Click Users.
- Select the user and click Edit.
- Click the Multifactor authentication tab.
Check the status of MFA for a user
MFA Status indicates whether the user has set up the authenticator app and can use MFA:
- Not Configured: The user has not set up the authenticator app.
- Active: The user has set up the authenticator app and can log in with MFA.
Enable or enforce MFA for a user
MFA is disabled by default. You can configure MFA to be enabled (available but optional) or enforced (required).
- Under Multifactor Authenticator, click one of the following:
  - Enabled: Users can choose to log in with MFA, but it is not required.
  - Enforced: Users must enter the six-digit MFA code to log in.
- (Optional) You can change the default company name. Users will see this name in their authenticator app.
- Click Save.
Disable MFA
When MFA is disabled, the user cannot log in with it. If MFA is being used and you disable it, the MFA account that the user configured is no longer valid. The MFA Status on the User Properties dialog changes back to Not Configured.
If you disable MFA and then enable it again, user accounts are not restored. MFA must be configured again for each user account.
- Under Multifactor Authenticator, click Disabled.
- Click Save.
Reset MFA for a user
An administrator can reset MFA for any user. For example, if a user no longer has access to the device with the authenticator app, the user could request a reset. Resetting MFA deletes the user's MFA account, and the user must set it up again.
The Reset MFA button is available if the MFA Status is Active.
To reset the account, click the Reset MFA button. The MFA Status changes back to Not Configured.