Advanced

The Advanced Settings in the MFA module contain important settings that grant you added control over the MFA process.

• General
• Email
• SMS
• Authentication

General

• Allow backup verification OTPs for MFA recovery: Use this setting to enable users to utilize backup verification OTPs in case of MFA verification failure while gaining access to the Identity360 portal, enterprise applications, Windows machines, and other actions, including remote desktop access and UAC prompts.
• Require CAPTCHA on MFA prompt pages: Enable this setting to display a CAPTCHA on the pages where users are prompted for MFA during each identity verification attempt or after a certain number of unsuccessful attempts, which you can specify.

Email

• Allow users to add a secondary email address to their account: Use this option to enable users to provide a secondary email address. In case the primary email address encounters issues receiving the code during the verification process, users can choose to use their secondary email address.
• Force users to register a secondary email address for MFA: Use this setting to configure whether registering with a secondary email address is mandatory or optional for users.
• Allow or Block email address enrollment from the following domains: Use this option to allow or block specific email domains for the secondary email addresses that users provide during enrollment. If you choose Block, users will be able to add email addresses from any domain except the listed domains. Choosing Allow will ensure that users can only add email addresses from the listed domains to receive the verification codes. You can select Allow and leave this field empty to permit email addresses from any domain.
• Allow users to choose their preferred email address for receiving the verification code: Enable this option to allow users to select whether the code should be sent to their primary or secondary email address that they provided during the enrollment process. If this option is disabled, the code will be sent to the user's primary email address.
• Prompt users to enter their email address: Choose this setting to allow users to input their preferred email address, whether it is their primary or secondary email, during the MFA verification process. Enabling this option will enhance security by ensuring that even masked email addresses are not listed, preventing unwanted exposure of users' email addresses.
• Allow users to choose from a list of their masked email addresses: Allow users to choose from a list of their masked email addresses: Select this option to list masked versions of all the email addresses provided by users during the enrollment process. This enables them to pick the specific email address where the code should be sent.

Note: Users can choose a default email address from their list of registered email addresses to receive the verification code during MFA. Refer to the end-user guide to learn more.

SMS

• Allow users to add a secondary mobile number to their account: Use this option to enable users to provide secondary mobile numbers. In case the primary mobile number encounters issues receiving the code during the verification process, users can choose to use their secondary mobile number.
  Note: If you choose to disable this option and enforce code verification only via the primary mobile number, please ensure mobile numbers have a valid format, including the dialing code, with proper spacing and special characters like hyphens or parentheses. Here are some examples of correctly formatted numbers: +1 888 791 1189, +1 833-420-0996, +44 (20) 3564 7890, +91 8220869471. If you have any issues with the mobile number format during SMS verification, please reach out to Identity360 support for help.
• Force users to register a secondary mobile number for MFA: When enabled, users will be required to register their secondary number when they log in.
• Allow or block mobile numbers with the selected country codes: Use this option to allow or block specific mobile numbers based on the selected country codes. Choosing Block allows users to add mobile numbers from any country code, except those selected. Choosing Allow will ensure users can only add mobile numbers having the selected country codes to receive verification codes. You can leave this checkbox disabled to allow mobile numbers with any country code.
• Allow users to choose their preferred mobile number for receiving the verification code: Enable this option to allow users to select whether the code should be sent to their primary or secondary mobile number that they provided during the enrollment process. If this option is disabled, the code will be sent automatically to the user's primary mobile number during MFA, requiring no user intervention.
• Prompt users to enter their mobile number: Choose this setting to allow users to input their preferred mobile number, whether it is their primary or secondary number, during the MFA verification process. Enabling this option will enhance security by ensuring that masked mobile numbers are not listed, preventing unwanted exposure of users' mobile numbers.
• Allow users to select from a list of their masked mobile numbers: Allow users to choose from a list of their masked mobile numbers. Select this option to list masked versions of all the mobile numbers provided by users during the enrollment process. This enables them to pick the specific mobile number where the code should be sent.

Authentication

Identity360 and Enterprise Applications

• Users must complete authentication within the specified time: Enable this option to establish a timeframe within which users must perform authentiation to prove their identity.
• Allow users to trust browser for the specified time to skip MFA: Enable this option to allow users to trust their browser for a set number of hours or days. MFA will not be prompted every time users log in through the trusted browser.
Note:
• Users will still be required to perform MFA if they log in through a different browser.
• This option will not be available for partially enrolled users. It will only be displayed to fully enrolled users who have completed MFA across all the factors for which they have registered.
• Keep "Trust this browser" option selected by default: Enable this option to have Trust this browser check box selected by default when users login through MFA.
• Deny Identity360 login for partially enrolled users: Enable this setting to prevent partially enrolled users from accessing Identity360. Disable this setting to allow partially enrolled users to access Identity360 after forcing them to enroll in all the required authenticators.
Note:
• If the users have not enrolled in any of the enabled authenticators for MFA protection, they will still be considered partially enrolled in Identity360. This is because every user must have a primary email, and Email Verification is the default authenticator. Click here to learn more about partially enrolled users.
• If this option is disabled, partially enrolled users will authenticate using the factors in which they have enrolled. After completing authentication, they will be forced to enroll in the rest of the mandatory factors and will then be granted access to the Identity360 portal and applications.

Windows Machines

• Enable MFA for Interactive Login: Turn on this option to mandate MFA for interactive or GUI-based logins on Windows machines.
• Enable MFA for User Account Control: Enable this setting to make MFA mandatory for all the User Account Control (UAC) credential prompts that are triggered while uninstalling apps, modifying Windows Registries, and other actions where users must confirm their identity with administrative credentials before proceeding with their intended action.
• Enable MFA for Machine Unlock: Activate this setting to prompt MFA before the user unlocks their Windows machine.
• Enable MFA for Remote Desktop access: MFA can be configured for machines that are remotely accessed by users through RDP. This setting will secure the RDP connections to machines, and it can be set up in two ways.
  • RDP Server Authentication: Enable this setting to prompt MFA on the login screen of the remote Windows system, on which the IDSecurity Agent is installed, upon establishing the remote desktop connection.
  • RDP Client Authentication: Enable this setting and mandate MFA when trying to initiate a remote desktop connection via the Windows Remote Desktop application (mstsc.exe) from machines on which the IDSecurity Agent agent is installed.
• Users must complete the MFA process for machine login within the specified time: Enable this option to establish a timeframe within which users must perform MFA to prove their identity.
• Allow users to trust their machines for the specified time to skip MFA: Enable this setting to allow users to trust their machines for a set number of hours or days to skip the MFA process. MFA will not be prompted every time users log in through the trusted machine.

Note: Disabling this setting or updating the time will clear the trust of all the previously configured machines, and MFA will be prompted in the next attempt.

• Keep the 'Trust this machine' option selected by default: Use this setting to have the Trust this machine check box selected by default during MFA.
• Deny machine login for partially enrolled users: Enable this setting to prevent partially enrolled users from accessing Windows machines. Disable this setting to allow partially enrolled users to access the machines after forcing them to enroll in all the required authenticators.
Note:
• If the users have not enrolled in any of the enabled authenticators for MFA protection, they will still be considered partially enrolled in Identity360. This is because every user must have a primary email, and Email Verification is the default authenticator. Click here to learn more about partially enrolled users.
• If this option is disabled, partially enrolled users will authenticate using the factors in which they have enrolled. After completing authentication, they will be forced to enroll in the rest of the mandatory factors and will then be granted access to the machines.
• Skip MFA verification when the device is offline: Enable this option to skip performing MFA when the Windows machine cannot properly establish a connection to the Identity360 server.

Note: Changes made to this setting will take effect on machines with installed agents only after the next MFA attempt.

VPN and RADIUS Endpoints

• Users must complete the MFA process for VPN login within the specified time: Enable this option to establish a timeframe within which users must perform MFA to prove their identity.

  Note: If your VPN server allows you to configure the RADIUS timeout limit, set it to a value that is greater than the session time limit you configure in this setting.

• Deny VPN login for partially enrolled users: Enable this setting to prevent partially enrolled users from accessing VPNs. Disable this setting to allow partially enrolled users to access their VPNs after forcing them to enroll in all the required authenticators.
  Note:

  • Partially enrolled users are those who have not completed enrollment in all the required MFA factors. Click here to learn more about partially enrolled users.
  • If this option is disabled while using SecureLink Email Verification, partially enrolled users can access VPN only after verifying their identity with enrolled authenticators and completing enrollment for the remaining authenticators they have not yet enrolled in.
  • If this option is disabled while using VPN Client Verification, MFA will be bypassed for partially enrolled users. However, if passwordless authentication is enabled, access will be denied for partially enrolled users, as no other factors will be available for verification.
• Send additional RADIUS attributes to the VPN server after successful authentication: Enable this option if you wish to send additional attributes to the VPN server or other RADIUS endpoints. These attributes will only be sent to the VPN provider after successful authentication and will be utilized by the VPN server to determine the level of access each user should have or for other purposes. You will be able to find the full list of supported attributes with the documentation received from your VPN vendor.

Configuring additional attributes

1. To configure additional attributes, navigate to Applications > Multi-factor Authentication > MFA for Endpoints > Advanced Settings > Authentication > VPN and RADIUS Endpoints > Configure Attributes.
2. You can configure RADIUS' Standard or Vendor-specific attributes and corresponding values to be sent to the VPN providers (other RADIUS endpoints).
3. Enter the Vendor ID, which is a unique number for your VPN provider.For example, the Vendor ID for Fortigate is 12356. A vendor ID is only required if vendor-specific attributes are configured.
4. Select the attribute Type and enter the Attribute Number, Format, and Value in the corresponding fields.
   • String format: Enter values as characters.
   • Integer format: Enter values as numbers.
   • Enumeration format: For attributes with multiple predefined values, enter the desired value as its associated integer. For example, to use Login as the service-type attribute, enter 1 in the Value field.
   • IPv4 and IPv6 address format: Enter a valid IP address in the Value field. For example, your IPv4 address could be 10.1.1.1, and your IPv6 address could be 2001:0db8:85a3::8a2e:0370:7334.

Previous Topic Next Topic