Set up Multi-factor Authentication

What do you want to configure multi-factor authentication (MFA) for?

Idaptive portal -- You can specify that users provide more than one authentication mechanism to access the Idaptive user portal. For example, you can specify that users logging in from a certain country provide additional authentication. See MFA for the user portal.

SAML web application access -- You can require users to provide MFA any time they access the application from the user portal, or only under certain conditions, for example when they access the application from a specific country. See MFA for SAML web application access.

VPN connection -- You can use Idaptive Identity Service with your RADIUS client to provide a second authentication layer. For example, if a VPN concentrator uses RADIUS for authentication, you can configure email as a secondary authentication requirement. See MFA for VPN (Idaptive Connector as a RADIUS server).

MFA Pre-requisites

Before you configure MFA for anything, first decide what authentication mechanism you want to use, then make sure your users have that mechanism configured for their user account.

A built-in report shows whether users have set up the information needed for multi-factor authentication challenges. For example, if you plan to use SMS confirmation codes as an authentication factor, you need to make sure all users impacted by the authentication policy have a mobile number associated with their account; otherwise they might be locked out.

  1. From the Reports page in the Admin Portal, navigate to Builtin Reports > Security, and open User MFA challenge setup status.

    The Required Parameters window appears.

  2. Select the role that will be impacted by your Authentication Policy.

    For performance reasons, run this report on roles with approximately 1,000 users or fewer.

    The report opens, showing whether your users have configured the required information for authentication factors that could result in lockout if the required information is absent. For example, a user with no associated mobile phone will have false in the Sms column.

  3. Review the report and follow up with users missing required information.
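
For a large role, the review in step 3 can be scripted. The following is an added example, not part of the Idaptive documentation or product: it assumes the report has been exported as CSV, and the `Username` and `Email` column names and the sample rows are constructed for illustration (only the `Sms` column and its true/false values appear above).

```python
import csv
import io

# Constructed sample of an exported "User MFA challenge setup status" report.
# Only the "Sms" column name and its true/false values come from the page;
# the CSV export format and the other column names are assumptions.
SAMPLE_REPORT = """\
Username,Sms,Email
alice@example.com,true,true
bob@example.com,false,true
carol@example.com,,true
dave@example.com,TRUE,false
"""


def users_at_risk(report_csv, required_factors):
    """Return {username: [missing factors]} for users who lack any required factor."""
    reader = csv.DictReader(io.StringIO(report_csv))
    columns = reader.fieldnames or []
    # A missing column must fail loudly: silently skipping it would report
    # every user as ready for a factor the report never measured.
    absent = [f for f in required_factors if f not in columns]
    if absent:
        raise ValueError(f"report has no column(s): {', '.join(absent)}")

    at_risk = {}
    for row in reader:
        # Anything other than an explicit "true" (blank, "false", typos)
        # is treated as not configured, so uncertain rows get a follow-up.
        missing = [f for f in required_factors
                   if (row[f] or "").strip().lower() != "true"]
        if missing:
            at_risk[row["Username"]] = missing
    return at_risk


if __name__ == "__main__":
    # Users to contact before enabling a policy that requires SMS codes.
    for user, missing in users_at_risk(SAMPLE_REPORT, ["Sms"]).items():
        print(f"{user}: missing {', '.join(missing)}")
```

Run it against the role's export before enabling the authentication policy, and hold the rollout until the returned list is empty.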