Adding Multi-Factor Authentication
Article: KB0010426 Published: 09/08/2022 Last modified: 09/08/2022

Multi-factor authentication (MFA), also sometimes called two-factor authentication or 2FA, adds an extra layer of security to user accounts, drastically reducing the chances that bad actors can steal sensitive information.

As you might guess from the name, MFA uses multiple different factors to authenticate users instead of just one. In a typical single-factor authentication (SFA) scenario, the user signs in with a password, which acts as their one security factor. Most MFA scenarios require both the user's password and at least one other authentication method. Authentication factors fall into the following categories:

  • Something the user knows:
    • a username and password, age, birthplace, pet's name, etc.
  • Something the user has:
    • either a physical object, like a phone, fob, or keycard, or a digital resource, like a token, app, or certificate file
  • Something the user is:
    • a biometric such as a fingerprint, iris, or voice pattern
  • Something the user does:
    • the time of day someone typically signs in, the location they sign in from, or similar habits that can highlight unusual or suspicious behavior

MFA uses at least two of these to confirm the user's identity. For example, after entering their username and password credentials (something they know) as the first factor, your user might use a one-time password (OTP) application like OneLogin Protect (something they have) to generate a code that they can enter as the second factor.

Requiring both of these factors before they can log in creates a strong barrier against unauthorized access – in the example above, even if someone finds out your user's password, they still can't get into the account without also having access to that user's phone with OneLogin Protect installed on it. Another advantage of MFA is that it allows for redundant factors that will provide your users with alternative ways to prove their identity even if someone loses access to one of their factors.

Not sure about the best choices for your org's security? Consider setting up SmartFactor Authentication, a machine learning algorithm that calculates risk to determine whether a login attempt should require MFA. It can be a powerful way to provide both convenience for your users and increased security for your organization.

Enabling Authentication Factors

  1. Log in to your OneLogin account as an administrator and go to Security > Authentication Factors.

    OneLogin admin portal - Security > Authentication factors (screenshot)
  2. Click New Auth Factor.

    Authentication factors - New Auth Factor (screenshot)
  3. Select your desired factor and click Choose.

    New Auth Factor - Select Factor (screenshot)
  4. Give the factor a name in the User description field, configure your desired settings, and click Save. The specific settings available will vary by factor, but you can find more detail in the relevant OneLogin articles or partner documentation.

    While you can leave the User description with its default name, it's a good idea to give your factor a unique description if you're configuring multiple instances of the same factor. Some factors also allow you to upload a custom icon if you want to further help your users differentiate between multiple instances.
  5. The factor now appears in your Authentication Factors and can be assigned to your users.


Assigning Authentication Factors to Users

Because OneLogin allows near-complete control over user access to all of your company apps, it's important to plan out your authentication process carefully. You can configure user settings individually or with a mapping, but the best way to maximize security and ease of access is to set up MFA with user groups and policies.

Security policies can be highly customizable, allowing you to create the best authentication processes to meet your org's needs, or even to support multiple users with different needs. Users in the office might prefer a hardware factor like YubiKey because of its ease of use, for example, while users who travel could instead use OneLogin Protect because it's conveniently on their phone.

  1. Create a User Policy for each kind of security process you want to apply and assign each one its relevant authentication factor(s). A policy can have as many different authentication factors as you want.

    OneLogin admin portal - User Policy MFA - One-time passwords (screenshot)
    Only the auth factors that you've enabled will appear here. If you don't see the factor you want to use, verify that it's listed in Security > Authentication Factors.

    Optional

    Apply any desired exceptions for your MFA policies. For example, you can allow users to bypass MFA if they're signing in from a trusted device or specific IP address.

    OneLogin admin portal - User Policy MFA - MFA Bypass (screenshot)
    If you want to only allow users to sign in from certain IP addresses regardless of their authentication factors, you can set this up in the IP Addresses tab of your User Policy.
  2. Create a Group for each of these policies.

    OneLogin admin portal - User Group - Group Security Policy (screenshot)
  3. Assign your users to their relevant groups.

    OneLogin admin portal - User - Authentication (screenshot)

But what if a user loses access to a factor they need, and doesn't have a redundant factor available?

You can generate a Temporary token for your user by selecting their name from the Users menu and going to Authentication. This creates an OTP that you can set to expire within a certain timeframe or after a single use, allowing the user to regain access to their account and update their authentication methods.
    User Authentication - Temporary token (screenshot)
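The two lifetimes described above, a fixed timeframe or a single use, are the properties a recovery token store has to enforce. The following is an added example, not OneLogin's code, of a hypothetical store that issues such a token, keeps only its hash, and rejects it once it is expired, consumed or revoked; user names and timestamps are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class TempToken:
    digest: str         # SHA-256 of the code; the plaintext is shown to the admin once
    expires_at: float   # absolute Unix time after which the token is invalid
    single_use: bool    # True: consumed by the first successful verification
    used: bool = False


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class TempTokenStore:
    """Hypothetical recovery-token store: at most one outstanding token per user."""

    def __init__(self):
        self._tokens = {}   # user -> TempToken

    def issue(self, user: str, ttl_seconds: int, now: float,
              single_use: bool = True) -> str:
        code = f"{secrets.randbelow(10 ** 8):08d}"   # 8 digits from a CSPRNG
        # Issuing a new token replaces any earlier one for the same user.
        self._tokens[user] = TempToken(_digest(code), now + ttl_seconds, single_use)
        return code   # returned exactly once; only the digest is stored

    def verify(self, user: str, code: str, now: float) -> bool:
        tok = self._tokens.get(user)
        if tok is None or tok.used or now >= tok.expires_at:
            return False
        if not hmac.compare_digest(tok.digest, _digest(code)):
            return False
        if tok.single_use:
            tok.used = True   # burn the token on first success
        return True

    def revoke(self, user: str) -> None:
        """Admin-side cancellation, e.g. once the user has re-enrolled a factor."""
        self._tokens.pop(user, None)
```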
