Multi-factor authentication (also MFA, 2FA or two-factor authentication, strong authentication) adds an extra layer of security to your users' accounts, drastically reducing the chances of sensitive information being stolen.
Looking for information about Adaptive Authentication? See Adaptive Authentication.
There are three types of authentication factors:
- Something you know – username, password, age, birthplace, pet's name etc
- Something you have – a phone, card, fob or token
- Something you are – a biometric such as a fingerprint, iris, voice pattern
Multi-factor authentication uses two or more of these to confirm a user's identity. A typical scenario involves the use of a one-time password (OTP) application on a device like a smartphone to generate a code that is entered along with a user's credentials to log in. This combines the code from the phone (something you have) with a password (something you know) to create a strong barrier against unauthorized access.
OneLogin supports many multi-factor authentication providers.
|OneLogin Protect for iOS||One-time password with push|
|OneLogin Protect for Android||One-time password with push|
|OneLogin OTP for Windows Phones||One-time password|
|OneLogin OTP for Windows Desktop||One-time password|
|OneLogin OTP SMS||One-time password||via SMS message|
|OneLogin Security Questions||Security questions|
|Duo Security||One-time password with push|
|FireID Security||One-time password|
|Google Authenticator||One-time password|
|PKI Browser Certificate||Authentication certificate|
|RSA SecurID||Hardware/Software One-time password|
|SafeNet Authentication||Authentication token|
|Swivel Pinsafe||One-time password|
|Symantec VIP Access||Hardware/Software One-time password|
|VASCO DIGIPASS||One-time password|
|VASCO IDENTIKEY||On-premise server authentication|
|Yubico Yubikey||Hardware One-time password|
Note. Did you know that OneLogin Desktop functions as a second authentication factor? OneLogin Desktop uses a certificate to establish trust with your OneLogin account, making the certificate the additional authentication factor. Even if you've registered one of the above authentication factors with your OneLogin account, you won't be prompted for it when you log in to OneLogin.
OneLogin's support for multiple authentication factors means that your users can use redundant factors. If you lose a factor, you can still get into your OneLogin account using another.
It also means that you can support users with differing needs. Someone who works from an office all day might prefer a hardware factor like YubiKey because of its ease of use, while someone who travels may prefer OneLogin Protect because it is always on their phone.
Best practices: planning your custom authentication process
Because OneLogin allows you near complete control over user access to all of your company apps, it is important to plan out your desired authentication process carefully. To maximize security and ease of access, OneLogin recommends that you set up multi-factor authorization through user groups and policies. The following tasks are required to set up a fully functional multi-factor authentication process:
Put users into groups
Create a policy for each group
Assign authorization factors to each policy
A policy can have as many authorization factors as you want.
Which authentication process is right for us?
This section focuses on how to determine authentication factors in a multi-factor authentication. Use the following list of scenarios to determine how to set up your authentication process:
Users can access their OneLogin apps only from the office or other specific locations as designated by IP addresses: See Restricting user access to logins from specific IP addresses.
Users can access their OneLogin apps only from the office (or other specific IP addresses) and they should be required to use multi-factor authentication: See Restricting user access to logins from specific IP addresses and Enabling Authentication Factors.
Users can access their OneLogin apps from any IP address, but they must use a multi-factor authentication process for some or all IP addresses: See Enabling Authentication Factors. Do not follow the steps in Restricting user access to logins from specific IP addresses.
You have already set up multi-factor authentication, but now you want to change it so that users are no longer required to use MFA when they are in the office: See How can I disable the OTP requirement for logins in the office?
You want to forget about all of the nuances of the above bullet points, and let machine learning calculate the risk of each login attempt and determine when a user is challenged for a second authentication factor. See Adaptive Authentication.
Restricting user access to logins from specific IP addresses
Regardless of how many (if any) factors you want to use for authentication, you can set up your authentication policies to limit OneLogin logins to the office or other designated IP addresses.
Note. These instructions are NOT for setting up authentication to require MFA for some IP addresses and bypass it for others. For those instructions, see Enabling Authentication Factors.
To restrict users on a particular policy to accessing their OneLogin apps only from designated IP addresses, do this:
Go to Settings > Policies.
Click the policy that you want to restrict.
Go to the IP Addresses tab.
To whitelist specific IP addresses, enter them in the Allowed IP addresses field. If you enter more than one IP address, separate them by spaces.
18.104.22.168 22.214.171.124 126.96.36.199
When users (on the policy you selected) log in from any IP addresses OTHER THAN those that you list here in Allowed IP addresses, they will NOT be able to successfully log in or access their apps.
When users log in from one of the IP addresses you list here in Allowed IP addresses and you have not set up multi-factor authentication, they will be able to log in using only their passwords.
If you want to have multi-factor authentication even when users are in the office or on other allowed IP addresses, you should enter the allowed IP addresses as indicated above, then follow the steps in the next section, Enabling Authentication Factors.
If you want users to be able to access company apps from any IP address but require multi-factor authentication, then do not enter anything in the Allowed IP addresses field. Simply follow the steps in the next section, Enabling Authentication Factors.
Enable Authentication Factors
This guide will walk you through creating multi-factor authentication based on your particular security needs and preferences. You can set up multi-factor authentication whether your users can access their OneLogin apps only in the office or from anywhere. Once you have determined where (which IP addresses) users can access their apps from, you can (and should) set up multi-factor authentication to authenticate users whenever they log in from acceptable IP addresses.
The chart below shows the steps you must take to set up multi-factor authentication through OneLogin. Below the chart, you will find specific instructions for each step in setting up multi-factor authorization.
Add your authentication factor
In order to use multi-factor authentication with OneLogin, you must enable one or more authentication factors for your OneLogin account.
Log into your OneLogin account as an administrator.
Go to Settings > Authentication Factors.
On the Authentication & Security page, click New Auth Factor.
Select an authentication provider.
OneLogin provides a number of authentication factors, including OneLogin Protect, OneLogin OTP for Windows, OneLogin OTP SMS, and OneLogin Security Questions.
Enter your client account information.
Some providers only require a user description which will appear on the OneLogin login page. Others require additional information. See the authentication factor-specific article in the Help Center for more information.
The authentication factor is listed on the Authentication & Security page.
Add the authentication factor to a user security policy.
Go to Settings > Policies.
Select a user policy or click New User Policy.
Go to the MFA tab to enable OTP Auth Required.
Select an authentication factor.
(Optional) Add any whitelisted IP addresses. The policy will not be applied to anyone logging in from a listed address.
Note: This serves a totally different purpose from the Approved IP addresses field on the IP Addresses tab. Whitelisting an IP address on the MFA tab causes the multi-factor authentication policy you are creating to be bypassed when users log in from a listed IP address. However, entering addresses in the Allowed IP addresses on the IP Addresses tab causes users to be restricted to logging in only from the addresses listed in the Allowed IP Addresses field, regardless of any multi-factor authorization methods such as OneLogin One Time Password.
Select which users will require OTP:
- Administrator Only: Will only apply to Super Users and Account Owner
- Configured Users Only: Will only apply to end users who have already manually added and configured an authentication factor
- All Users: Will apply to all users. Users will be prompted to set up an authentication factor during their first login attempt.
Define when OTP will be required.
Choose between At every login, or only on Unknown browsers. If you select Unknown browsers, you can set the Security cookie expiration to the number of days until a browser becomes "unknown" again.
Assign MFA security policies to Groups
The ideal way of associating users with MFA security policies is through groups.
- Go to Users > Groups.
- Click New Group.
- Name your group, and then select your policy from the dropdown menu.
- Click Save.
Now you can add users to this group individually or through mappings.
Assign MFA security policies to individual users
You can also associate MFA requirements on a user-by-user basis.
- Go to Users > All Users.
- Select a user.
- Select the Authentication tab.
- Under the User Security Policy dropdown, select your MFA policy.
- Click Save User.
The user is now associated with the MFA policy. Ensure that your users have the corresponding MFA application installed on their device. When the user logs in, they will be required to register their device.
Any user assigned to a security policy that requires multiple authentication factors will be prompted to provide that authentication along with their username and password.
If the user has not registered their device with OneLogin before logging in, they will be prompted to register it upon first logging into their account.
What happens if the MFA factor or device is lost?
In the case of critical OTP device failure (losing the device, breakage, etc.) please contact your organization's OneLogin administrator. They can provide you with a temporary OTP token to get back into your account and reset your OTP settings.
You can avoid user lockout from missing or failed OTP devices by configuring redundant factors. See Redundant MFA Factors.
How can I disable the MFA requirement for logins in the office?
If you have added an MFA method as a required authentication factor in your security policy settings, it will, by default, always be applied to the users in the groups to which the policy was assigned. If you do not want a policy to be applied in a certain location, such as the office, you must whitelist the IP addresses in your account security policy settings. This will cause the policy to be bypassed when users attempt to log in from the IP addresses you list.
To disable MFA in the office:
Go to Settings > Policies.
Click the name of the policy you want to disable for office logins.
Go to the MFA tab.
In the field OTP bypassed for the following IP address, enter the IP addresses that should not require OTP for login.
Enter office IP addresses and any other IP addresses that should not require users to provide a second authentication factor. In the example above, when users log in from the IP addresses 188.8.131.52 and 184.108.40.206-220.127.116.11, the MFA factor will be bypassed.
Using Adaptive Authentication to determine when to require MFA
Adaptive Authentication uses a machine learning algorithm that calculates risk to determine whether a login requires MFA. It can be a powerful way to provide both convenience for your users and increased security for your organization. For more information, see Adaptive Authentication.