Advanced Settings
The Advanced Settings in the MFA module contain important settings that grant you added control over the MFA process.
General Settings
- Enable backup verification codes for MFA recovery: Use this setting to let users fall back on backup verification codes when MFA verification fails while they are accessing the Identity360 portal, enterprise applications, or Windows machines, including remote desktop access and UAC prompts.
- Require CAPTCHA on MFA pages where user input is required: Enable this setting to display a CAPTCHA on the pages where users are prompted for MFA, either on every identity verification attempt or only after a number of unsuccessful attempts that you specify.
Note:
- Users will still be required to perform MFA verification if they log in through a different browser.
- This option will not be available for partially enrolled users. It will only be displayed to fully enrolled users who have completed MFA verification across all the factors they have registered for.
Email Settings
- Allow users to add a secondary email address to their account: Use this option to let users provide a secondary email address. If the primary email address has trouble receiving the OTP email during verification, users can choose to receive it at their secondary email address instead.
- Force users to register a secondary email address for MFA: Use this setting to configure whether registering with a secondary email address is mandatory or optional for users.
- Allow or Block email address enrollment from the following domains: Use this option to allow or block specific email domains for the secondary email addresses that users provide during enrollment. If you choose Block, users can add email addresses from any domain except the listed domain(s). If you choose Allow, users can only add email addresses from the listed domains to receive verification codes. Select Allow and leave the field empty to permit email addresses from any domain.
- Allow users to choose the email address on which to receive the OTP during verification: Enable this option to allow users to select whether the OTP email should be sent to their primary or secondary email address that they provided during the enrollment process. If this option is disabled, the OTP email will be sent to the user's primary email address.
- Prompt users to enter their email address: Choose this setting to have users type the email address, primary or secondary, at which they want to receive the OTP during MFA verification. Because no addresses are displayed on the page, not even masked ones, this option avoids disclosing a user's email addresses to whoever reaches the MFA prompt.
- Allow users to choose from a list of their masked email addresses: Select this option to list masked versions of all the email addresses that users provided during enrollment, so that they can pick the address to which the OTP email should be sent.
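The Allow/Block domain setting above has three distinct behaviours (Allow with an empty list, Allow with entries, Block with entries), and a careless implementation can be sidestepped by differences in letter case, a trailing dot, or an internationalized domain. The following is an added example, not Identity360 code, of how the enrollment check for a secondary email address can apply those semantics consistently. The function names (normalize_domain, secondary_email_allowed), the simplified address syntax, and the choice that entries match a domain exactly rather than its subdomains are assumptions of this example.

```python
import re
from typing import List, Optional

# Domain syntax after normalisation: dot-separated labels of letters, digits
# and hyphens that do not start or end with a hyphen, at least two labels.
_DOMAIN = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)


def normalize_domain(domain: str) -> Optional[str]:
    """Canonical form used for comparison: IDNA-encoded, lower-case, with any
    trailing dot removed. Returns None for a syntactically invalid domain.
    Because both the configured list and the user's input go through this,
    'Example.COM.' and 'example.com' compare equal, and a domain that differs
    only in case or punycode form cannot slip past the list."""
    d = domain.strip().rstrip(".")
    if not d:
        return None
    try:
        d = d.encode("idna").decode("ascii").lower()
    except UnicodeError:          # empty or over-long label, invalid code point
        return None
    return d if _DOMAIN.match(d) else None


def secondary_email_allowed(email: str, mode: str, domains: List[str]) -> bool:
    """Decide whether a secondary email address may be enrolled.

    mode is 'allow' or 'block'; domains is the admin-configured list.
    - Allow with an empty list accepts any syntactically valid domain.
    - Allow with entries accepts only the listed domains.
    - Block rejects the listed domains and accepts all others.
    Matching is exact per domain (assumption): an entry 'example.com' does
    not cover 'mail.example.com'.
    """
    if mode not in ("allow", "block"):
        raise ValueError("mode must be 'allow' or 'block'")

    local, sep, raw_domain = email.strip().rpartition("@")
    # Reject addresses with no '@', an empty local part, or whitespace in it.
    if not sep or not local or any(c.isspace() for c in local):
        return False

    domain = normalize_domain(raw_domain)
    if domain is None:
        return False

    # Normalise the configured list the same way; skip blank or invalid entries.
    configured = {nd for nd in (normalize_domain(d) for d in domains) if nd}

    if mode == "allow":
        return not configured or domain in configured
    return domain not in configured
```

Invalid addresses are rejected before the list is consulted, so an unparseable input can never be "allowed" by falling through an empty Allow list.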
MFA Settings
MFA for Identity360 & enterprise applications
- Users must complete MFA within the specified time: Enable this option to establish a timeframe within which users must perform MFA to prove their identity.
- Allow users to trust browser for the specified time to skip MFA: Enable this option to allow users to trust their browser for a set number of hours or days. MFA will not be prompted every time users log in through the trusted browser.
- Keep the "Trust this browser" option selected by default: Enable this option to have the Trust this browser check box selected by default when users log in through MFA.
- Deny login for users who have not enrolled for all the required MFA factors: Enable this option to prevent login for users who have not enrolled in all the required MFA factors.
MFA for Windows machines
- Enable MFA for Interactive Login: Turn on this option to mandate MFA for interactive or GUI-based logins on Windows machines.
- Enable MFA for User Account Control: Enable this setting to make MFA mandatory for all User Account Control (UAC) credential prompts, such as those triggered when uninstalling apps or modifying the Windows Registry, where users must confirm their identity before proceeding with the action.
- Enable MFA for Machine Unlock: Activate this setting to prompt MFA before the user unlocks their Windows machine.
- Enable MFA for Remote Desktop access during: MFA can be enforced for machines that users access remotely through RDP. This setting secures RDP connections to those machines and can be set up in two ways.
- RDP Server Authentication: Enable this setting to prompt MFA on the login screen of the remote Windows system on which the IDSecurity Agent is installed, when a remote desktop connection to it is established.
- RDP Client Authentication: Enable this setting to mandate MFA when a user initiates a Remote Desktop connection via the Windows Remote Desktop client (mstsc.exe) from a machine on which the IDSecurity Agent is installed.
- Users must complete the MFA process for machine login within the specified time: Enable this option to establish a timeframe within which users must perform MFA to prove their identity.
- Allow users to trust their machines for the specified time to skip MFA: Enable this setting to allow users to trust their machines for a set number of hours or days to skip the MFA process. MFA will not be prompted every time users log in through the trusted machine.
Note: Disabling this setting or updating the time will clear the trust of all the previously configured machines, and MFA will be prompted in the next attempt.
- Keep the 'Trust this machine' option selected by default: Use this setting to have the Trust this machine check box selected by default during MFA.
- Deny machine login for partially enrolled users: If this setting is enabled, partially enrolled users are denied access to their machines. If it is disabled, partially enrolled users are forced to enroll in all the required authenticators and are then allowed to access their machines.
- Skip MFA verification when the device is offline: Enable this option to skip MFA when the Windows machine cannot establish a connection to the Identity360 server. Note that this makes MFA fail open: a machine whose connection to the server is unavailable, whether because of an outage or because it has been deliberately blocked, will not prompt for MFA, so weigh availability against that risk before enabling it.
Note: Changes made to this setting will take effect on machines with installed agents only after the next MFA attempt.
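Trusting a browser (MFA for Identity360 and enterprise applications) and trusting a Windows machine (MFA for Windows machines) rest on the same mechanics, and the note that disabling the setting or changing its duration clears all existing trust is a property any sound implementation must have. The following is an added example, not Identity360 or IDSecurity Agent code, of a trust token that behaves this way: an HMAC-signed token bound to the user and the device, whose expiry comes from the configured duration and which carries a policy generation counter, so that every token issued under a previous version of the setting is rejected. The names (TrustPolicy, issue_trust, mfa_required), the token layout, and the randomly generated SERVER_KEY are assumptions of this example; in a real deployment the key would come from a secrets store.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Example-only signing key; a real service loads this from a secrets store.
SERVER_KEY = secrets.token_bytes(32)


class TrustPolicy:
    """Admin-side state for 'Allow users to trust their browser/machine'.

    `generation` is incremented whenever the setting is disabled or its
    duration is changed, which is what clears previously granted trust:
    tokens record the generation they were issued under and are rejected
    when it no longer matches."""

    def __init__(self, enabled: bool, duration_s: int):
        self.enabled = enabled
        self.duration_s = duration_s
        self.generation = 0

    def update(self, enabled: bool, duration_s: int) -> None:
        if enabled != self.enabled or duration_s != self.duration_s:
            self.generation += 1
        self.enabled = enabled
        self.duration_s = duration_s


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_trust(policy: TrustPolicy, user_id: str, device_id: str,
                now: Optional[int] = None) -> Optional[str]:
    """Mint a trust token after a successful MFA when the user ticked
    'Trust this browser/machine'. Returns None if trust is disabled."""
    if not policy.enabled:
        return None
    now = int(time.time() if now is None else now)
    payload = {"sub": user_id, "dev": device_id, "iat": now,
               "exp": now + policy.duration_s, "gen": policy.generation}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def mfa_required(policy: TrustPolicy, token: Optional[str], user_id: str,
                 device_id: str, now: Optional[int] = None) -> bool:
    """Return True if the user must complete MFA on this login.

    Every failure path returns True: a missing, malformed, forged, expired,
    re-bound, or stale-generation token never skips MFA."""
    if not policy.enabled or not token:
        return True
    now = int(time.time() if now is None else now)
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:                      # wrong shape or bad base64
        return True
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # forged or tampered
        return True
    try:
        claims = json.loads(body)
    except ValueError:
        return True
    if claims.get("sub") != user_id or claims.get("dev") != device_id:
        return True                          # token belongs to someone/something else
    if claims.get("gen") != policy.generation:
        return True                          # setting changed since issue: trust cleared
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return True                          # trust window elapsed
    return False
```

The device identifier should be something the server can recognise again (a per-browser cookie value or the agent's machine identity), and the expiry is taken from the policy at issue time, so shortening the duration later is enforced through the generation bump rather than by re-reading every stored token.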