Multi-factor authentication is an excellent way to secure a user's account and to prevent unauthorized access from third parties. But in the unfortunate event that a user loses or forgets their authentication factor (usually a one-time-password, or OTP), that user may be locked out and thus require support assistance to regain access to their account.
OneLogin prevents this issue by allowing redundant authentication factors for any user account. Your users can register:
- Authentication factors from multiple providers (OneLogin OTP, Google Authenticator, Duo Security, Symantec VIP Access, and many more)
- Multiple devices for a single provider (currently available for OneLogin OTP, Google Authenticator, and Symantec VIP Access).
This gives users a backup option in case they forget or lose one of their factors, and provides them the convenience of authenticating securely to OneLogin from whatever device they have at hand, whether their personal mobile phone, work mobile, tablet, home computer browser, or hardware device.
Configuring redundant MFA for your users
To enable your users to choose from among multiple MFA providers, you must:
- Add those MFA providers to your OneLogin account (Settings > Authentication Factors).
- Create security policies that require MFA, and enable the MFA providers that you want to make available.
- Add users to the appropriate security policies.
For complete instructions, see Adding Multi-factor Authentication.
Registering MFA devices
If you've assigned your users to security policies that require MFA and allow multiple MFA providers, your users will be able to register multiple devices as secondary authentication factors. Here's how you do it:
Go to your user Profile page by clicking your name or picture in the menu bar and select Profile from the drop-down menu.
On the Profile page, go to the 2-Factor Authentication section and click the + plus button to add a device.
As an end-user, you can add as many devices as you like, from among those that the administrator has enabled for your security policies.
The configuration dialog for each MFA provider is a little different, but in each case, you are required to provide a device ID of some sort and at least one one-time password generated by the authentication factor. The Google Authenticator configuration dialog, for example, asks you to scan a barcode using Google Authenticator on your mobile device and provide a one-time password ("Security Code"):
Each dialog lets you provide a "friendly name" to help you identify the authentication factor when you are logging in. It's especially important to provide a good friendly name when you register multiple devices for a single MFA provider.
Note. If a user is in a security policy that requires MFA and they haven't registered an MFA device, they will be prompted to register one on the login screen when they try to log into OneLogin.
Logging into OneLogin when you have more than one registered MFA device
When you log in, you will be able to choose from among the authentication factors that you have registered.
If your default MFA device shows on the login screen and you want to select a different device, you can click Change to display the drop-down list of available devices.