|Multi-factor authentication (MFA), also sometimes called two-factor authentication or 2FA, adds an extra layer of security to user accounts, drastically reducing the chances that bad actors can steal sensitive information. This guide gives a brief overview of how MFA works and walks you through the process of enabling authentication factors and assigning them to your users.|
This feature requires a OneLogin plan that supports Multi-Factor Authentication (MFA). Speak to your account representative or see Plans & Pricing for details.
As you might guess from the name, MFA uses multiple different factors to authenticate users instead of just one. In a typical single-factor authentication (SFA) scenario, the user signs in with a password, which acts as their one security factor. Most MFA scenarios require both the user's password and at least one other authentication method. There are three types of authentication factors:
MFA uses at least two of these to confirm the user's identity. For example, after entering their username and password credentials [something they know] as the first factor, your user might use a one-time password (OTP) application like OneLogin Protect [something they have], to generate a code that they can enter as the second factor.
Requiring both of these factors before they can log in creates a strong barrier against unauthorized access – in the example above, even if someone finds out your user's password, they still can't get into the account without also having access to that user's phone with OneLogin Protect installed on it. Another advantage of MFA is that it allows for redundant factors that will provide your users with alternative ways to prove their identity even if someone loses access to one of their factors.
|Not sure about the best choices for your org's security? Consider setting up SmartFactor Authentication, a machine learning algorithm that calculates risk to determine whether a login attempt should require MFA. It can be a powerful way to provide both convenience for your users and increased security for your organization.|
Log in to your OneLogin account as an administrator and go to Security > Authentication Factors.
Click New Auth Factor.
Select your desired factor and click Choose.
Give the factor a name in the User description field, configure your desired settings, and click Save. The specific settings available will vary by factor, but you can find more detail in the app-specific OneLogin articles or partner documentation.
While you can leave the User description with its default name, it's a good idea to give your factor a unique description if you're configuring multiple instances of the same factor. Some factors also allow you to upload a custom icon if you want to further help your users differentiate between multiple instances.
The factor now appears in your Authentication Factors and can be assigned to your users.
Because OneLogin allows near-complete control over user access to all of your company apps, it's important to plan out your authentication process carefully. You can configure user settings individually or with a mapping, but the best way to maximize security and ease of access is to set up MFA with user groups and policies.
Security policies can be highly customizable, allowing you to create the best authentication processes to meet your org's needs, or even to support multiple users with different needs. Users in the office might prefer a hardware factor like YubiKey because of its ease of use, for example, while users who travel could instead use OneLogin Protect because it's conveniently on their phone.
Create a user policy for each kind of security process you want to apply and assign each one its relevant authentication factor(s). A policy can have as many different authentication factors as you want.
Only the auth factors that you've enabled will appear here. If you don't see the factor you want to use, verify that it's listed in Security > Authentication Factors.
Apply any desired exceptions for your MFA policies. For example, you can allow users to bypass MFA if they're signing in from a trusted device or specific IP address.
If you want to only allow users to sign in from certain IP addresses regardless of their authentication factors, you can set this up in the IP Addresses tab of your User Policy.
Create a user group for each of these policies and assign your users to their relevant groups.
But what if a user loses access to a factor they need, and doesn't have a redundant factor available?
|You can generate a Temporary token for your user by selecting their name from the Users menu and going to Authentication. This creates an OTP that you can set to expire within a certain timeframe or after a single use, allowing the user to regain access to their account and update their authentication methods.||