Advanced Settings
The Advanced Settings in the MFA module contain important settings that grant you added control over the MFA process.
General Settings
- Allow backup verification OTPs for MFA recovery: Use this setting to enable users to utilize backup verification OTPs in case of MFA verification failure while gaining access to the Identity360 portal, enterprise applications, Windows machines, and other actions, including remote desktop access and UAC prompts.
- Require CAPTCHA on MFA prompt pages: Enable this setting to display a CAPTCHA on the pages where users are prompted for MFA during each identity verification attempt or after a certain number of unsuccessful attempts, which you can specify.
Email Settings
- Allow users to add a secondary email address to their account: Use this option to enable users to provide a secondary email address. In case the primary email address encounters issues receiving the TOTP email during the verification process, users can choose to use their secondary email address.
- Force users to register a secondary email address for MFA: Use this setting to configure whether registering with a secondary email address is mandatory or optional for users.
- Allow or Block email address enrollment from the following domains: Use this option to allow or block specific email domains for the secondary email addresses that users provide during enrollment. If you choose Block, users will be able to add email addresses from any domain except the listed domains. Choosing Allow will ensure that users can only add email addresses from the listed domains to receive the verification OTPs. You can select Allow and leave this field empty to permit email addresses from any domain.
- Allow users to choose the email address on which to receive the OTP during verification: Enable this option to allow users to select whether the OTP email should be sent to their primary or secondary email address that they provided during the enrollment process. If this option is disabled, the OTP email will be sent to the user's primary email address.
- Prompt users to enter their email address: Choose this setting to allow users to input their preferred email address, whether it is their primary or secondary email, during the MFA verification process. Enabling this option will enhance security by ensuring that even masked email addresses are not listed, preventing unwanted exposure of users' email addresses.
- Allow users to choose from a list of their masked email addresses: Select this option to list masked versions of all the email addresses provided by users during the enrollment process. This enables them to pick the specific email address where the OTP email should be sent.
Note: Users can choose a default email address from their list of registered email addresses to receive OTPs during MFA. Refer to the end-user guide to learn more.
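The allow/block domain rule described above has one edge case worth seeing in code: an Allow list that is left empty permits every domain, while a Block list that is left empty blocks nothing. The following is an added illustration of that rule, not Identity360's own code; it assumes case-insensitive, exact-domain matching (so a listed "example.com" does not cover "mail.example.com"), which the page does not specify.

```python
"""Added example (not Identity360 code): evaluates the 'Allow or Block email
address enrollment from the following domains' rule for a secondary email.

Assumptions (not stated on the page): domain comparison is case-insensitive
and exact, so subdomains of a listed domain are not matched.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DomainPolicy:
    """mode is 'allow' or 'block', mirroring the two choices in the setting."""
    mode: str
    domains: set[str] = field(default_factory=set)


def normalize_domain(email: str) -> str:
    """Return the lower-cased domain part of an address, rejecting malformed input."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()


def enrollment_permitted(policy: DomainPolicy, email: str) -> bool:
    """True if a user may register `email` as a secondary address under `policy`."""
    domain = normalize_domain(email)
    listed = {d.strip().lower() for d in policy.domains if d.strip()}
    if policy.mode == "allow":
        # An empty Allow list permits any domain (as the setting describes).
        return not listed or domain in listed
    if policy.mode == "block":
        # Block permits every domain except the listed ones.
        return domain not in listed
    raise ValueError(f"unknown policy mode: {policy.mode!r}")


if __name__ == "__main__":
    # Constructed sample policies and addresses for a quick local run.
    corp_only = DomainPolicy("allow", {"corp.example"})
    no_freemail = DomainPolicy("block", {"freemail.example"})
    for policy, addr in [
        (corp_only, "alice@Corp.Example"),
        (corp_only, "alice@mail.corp.example"),
        (no_freemail, "bob@freemail.example"),
        (no_freemail, "bob@corp.example"),
    ]:
        print(policy.mode, addr, enrollment_permitted(policy, addr))
```

Because the check is exact-match, an organisation that wants to admit its subdomains must list each one explicitly under the assumed semantics.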
MFA Settings
MFA for Identity360 and enterprise applications
- Users must complete MFA within the specified time: Enable this option to establish a timeframe within which users must perform MFA to prove their identity.
- Allow users to trust browser for the specified time to skip MFA: Enable this option to allow users to trust their browser for a set number of hours or days. MFA will not be prompted every time users log in through the trusted browser.
Note:
- Users will still be required to perform MFA if they log in through a different browser.
- This option will not be available for partially enrolled users. It will only be displayed to fully enrolled users who have completed MFA across all the factors for which they have registered.
- Keep the "Trust this browser" option selected by default: Enable this option to make the Trust this browser check box selected when users log in through MFA.
- Deny login for users who have not enrolled for all the required MFA factors: Enable this option to prevent users from logging in if they have not enrolled in all the required MFA factors.
Note:
- If the users have not enrolled in any of the enabled authenticators for MFA protection, they will still be considered partially enrolled in Identity360. This is because every user must have a primary email, and Email Verification is the default authenticator. Click here to learn more about partially enrolled users.
- If this option is disabled, partially enrolled users will authenticate using the factors in which they have enrolled. After completing authentication, they will be forced to enroll in the rest of the mandatory factors and will then be granted access to the Identity360 portal and applications.
MFA for Windows machines
- Enable MFA for Interactive Login: Turn on this option to mandate MFA for interactive or GUI-based logins on Windows machines.
- Enable MFA for User Account Control: Enable this setting to make MFA mandatory for all the User Account Control (UAC) credential prompts that are triggered while uninstalling apps, modifying the Windows Registry, and performing other such actions where users must confirm their identity before proceeding with their intended action.
- Enable MFA for Machine Unlock: Activate this setting to prompt MFA before the user unlocks their Windows machine.
- Enable MFA for Remote Desktop access during: MFA can be configured for machines that are remotely accessed by users through RDP. This setting will secure the RDP connections to machines, and it can be set up in two ways.
- RDP Server Authentication: Enable this setting to prompt MFA on the login screen of the remote Windows system, in which the IDSecurity Agent is installed, upon establishing the remote desktop connection.
- RDP Client Authentication: Enable this setting to mandate MFA when trying to initiate a Remote Desktop connection via the Windows Remote Desktop application (mstsc.exe) from machines on which the IDSecurity Agent is installed.
- Users must complete the MFA process for machine login within the specified time: Enable this option to establish a timeframe within which users must perform MFA to prove their identity.
- Allow users to trust their machines for the specified time to skip MFA: Enable this setting to allow users to trust their machines for a set number of hours or days to skip the MFA process. MFA will not be prompted every time users log in through the trusted machine.
Note: Disabling this setting or updating the time will clear the trust of all the previously configured machines, and MFA will be prompted in the next attempt.
- Keep the 'Trust this machine' option selected by default: Use this setting to have the Trust this machine check box selected by default during MFA.
- Deny machine login for partially enrolled users: Enable this setting to prevent partially enrolled users from accessing machines. Disable this setting to allow partially enrolled users to access their machines after forcing them to enroll in all the required authenticators.
Note:
- If the users have not enrolled in any of the enabled authenticators for MFA protection, they will still be considered partially enrolled in Identity360. This is because every user must have a primary email, and Email Verification is the default authenticator. Click here to learn more about partially enrolled users.
- If this option is disabled, partially enrolled users will authenticate using the factors in which they have enrolled. After completing authentication, they will be forced to enroll in the rest of the mandatory factors and will then be granted access to the machines.
- Skip MFA verification when the device is offline: Enable this option to skip performing MFA when the Windows machine cannot properly establish a connection to the Identity360 server.
Note: Changes made to this setting will take effect on machines with installed agents only after the next MFA attempt.
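The "trust this browser" and "trust this machine" options above, together with the note that disabling the setting or changing its duration clears every existing trust, describe a small state machine. The following model is an added illustration of that behaviour and is not Identity360's code; the user and device identifiers, timestamps and the in-memory store are constructed for the example. It shows that trust is per device (a different browser or machine still prompts for MFA), that trust expires after the configured number of hours or days, and that any change to the duration discards all previously granted trusts.

```python
"""Added example (not Identity360 code): models the 'trust this browser /
machine for the specified time to skip MFA' behaviour.

Constructed for illustration: the (user, device_id) keys, the timestamps and
the in-memory store are assumptions, not the product's data model.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TrustSetting:
    enabled: bool          # the 'Allow users to trust ...' toggle
    duration: timedelta    # the configured hours/days


@dataclass
class TrustStore:
    setting: TrustSetting
    # (user, device_id) -> time at which the user ticked 'Trust this ...'
    trusts: dict[tuple[str, str], datetime] = field(default_factory=dict)

    def update_setting(self, new: TrustSetting) -> None:
        """Apply an admin change. Disabling the setting or changing the
        duration clears every existing trust, so MFA is prompted next time."""
        if not new.enabled or new.duration != self.setting.duration:
            self.trusts.clear()
        self.setting = new

    def grant(self, user: str, device_id: str, now: datetime) -> bool:
        """Record a trust after successful MFA; ignored when the option is off."""
        if not self.setting.enabled:
            return False
        self.trusts[(user, device_id)] = now
        return True

    def mfa_required(self, user: str, device_id: str, now: datetime) -> bool:
        """True if the user must complete MFA on this device right now."""
        if not self.setting.enabled:
            return True
        granted = self.trusts.get((user, device_id))
        if granted is None:
            return True                      # unknown or different device
        if now - granted >= self.setting.duration:
            del self.trusts[(user, device_id)]  # trust window has elapsed
            return True
        return False


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock
    store = TrustStore(TrustSetting(enabled=True, duration=timedelta(hours=12)))
    store.grant("alice", "laptop-1", t0)
    print("same device, 1h later  :", store.mfa_required("alice", "laptop-1", t0 + timedelta(hours=1)))
    print("other device, 1h later :", store.mfa_required("alice", "laptop-2", t0 + timedelta(hours=1)))
    print("same device, 12h later :", store.mfa_required("alice", "laptop-1", t0 + timedelta(hours=12)))
    store.grant("alice", "laptop-1", t0)
    store.update_setting(TrustSetting(enabled=True, duration=timedelta(days=1)))
    print("after duration change  :", store.mfa_required("alice", "laptop-1", t0 + timedelta(hours=1)))
```

The model keeps the expiry check on the server side: the configured duration is consulted at verification time rather than stamped into the client, so shortening the window takes effect immediately for every device.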