Use Multi-factor Authentication with JumpCloud to secure user access to your organization’s resources. With JumpCloud, Admins have the option to use JumpCloud Go, JumpCloud Protect (Push MFA), Verification Code (TOTP) MFA, WebAuthn MFA, and Duo Security MFA to strengthen security in their organization.
After you set up MFA, configure a Conditional Access Policy to relax or restrict access to resources based on conditions like a user's identity and the network and device they’re on. Learn more in Get Started: Conditional Access Policies.
About JumpCloud Go MFA
What is JumpCloud Go MFA?
Enable secure passwordless authentication, letting users verify their identity using their device authenticator (Apple Touch ID or Windows Hello).
When a user logs in to a resource protected with JumpCloud Go, they need to use their device authenticator to confirm their identity.
Google Chrome and the JumpCloud Go browser extension are required.
Using JumpCloud Go MFA
You can use JumpCloud Go to protect the User Portal and SSO applications. During registration, JumpCloud Go uses 3 authentication factors to confirm a user’s identity. For subsequent verifications, JumpCloud Go always uses two factors, but which factors are used depends on whether biometrics are configured.
Users need to configure biometrics on their device authenticator to be able to use them with JumpCloud Go. Otherwise, the device password will be used.
- See Get Started: JumpCloud Go
- Share Use JumpCloud Go with your organization’s users.
About JumpCloud Protect Mobile Push MFA
What is Push MFA?
With Push MFA, users can authenticate with a push notification that’s sent to their mobile device.
When a user logs in to a resource that’s protected by Push MFA, they need to provide their username, password, and approve the login request from a push notification they get on their mobile device.
Push MFA requires users to download the JumpCloud Protect app on their mobile device. Learn more in JumpCloud Protect for Admins.
Using Push MFA
You can use Push MFA to protect the User Portal, SSO applications, Password Reset, Devices (as a second factor), RADIUS, and LDAP.
JumpCloud protects against fraudulent push attempts by blocking more than one notification per resource within a sixty-second period, except for RADIUS and LDAP attempts. Admins can turn this off, or increase the limit for maximum concurrent attempts, in MFA Configurations.
Users can try again after the timeout or after the user has approved or denied the request. The blocked event will appear in Directory Insights under the event name push_mfa_attempt_failed; the error message is ‘too many concurrent push requests’.
- See JumpCloud Protect for Admins
- Share JumpCloud Protect for End Users with your organization’s users
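The blocked-push event described above can be used as a detection signal: a burst of blocked pushes for one user is worth reviewing. The following is an added example, not code from the vendor; the JSON field names (`timestamp`, `event_type`, `username`, `error_message`) and the sample events are constructed assumptions, and only the event name and error text come from this page.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_NAME = "push_mfa_attempt_failed"               # event name from this page
BLOCKED_MSG = "too many concurrent push requests"    # error text from this page

def _ev(ts, user, msg=BLOCKED_MSG):
    # Builds one constructed event line; the field names are assumptions.
    return json.dumps({"timestamp": ts, "event_type": EVENT_NAME,
                       "username": user, "error_message": msg})

# Constructed sample export, one JSON event per line.
SAMPLE_EVENTS = "\n".join([
    _ev("2024-05-01T09:00:05Z", "alice"), _ev("2024-05-01T09:00:20Z", "alice"),
    _ev("2024-05-01T09:00:41Z", "alice"), _ev("2024-05-01T09:01:30Z", "alice"),
    _ev("2024-05-01T11:30:00Z", "alice"),            # outside the burst window
    _ev("2024-05-01T09:02:00Z", "bob"),              # single blocked push
    _ev("2024-05-01T09:03:00Z", "carol", "constructed: other failure reason"),
    "this line is not JSON",                         # malformed input is skipped
])

def blocked_push_bursts(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {username: peak count} for users whose blocked-push events
    reach `threshold` inside any sliding `window`."""
    per_user = defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict) or ev.get("event_type") != EVENT_NAME:
            continue
        if BLOCKED_MSG not in ev.get("error_message", ""):
            continue                                 # failed for another reason
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        per_user[ev.get("username", "<unknown>")].append(ts)
    alerts = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:       # shrink window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[user] = peak
    return alerts

if __name__ == "__main__":
    print(blocked_push_bursts(SAMPLE_EVENTS.splitlines()))
```

Tune `threshold` and `window` to the concurrent-attempt limit configured in MFA Configurations, since raising that limit reduces how often the blocked event fires.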
About Verification Code (TOTP) MFA
What is Verification Code (TOTP) MFA?
Verification Code (TOTP) MFA uses authentication codes called Time-based One Time Passwords (TOTP). These codes are generated from an authenticator application on a mobile phone or computer. We recommend using JumpCloud Protect for TOTP, but other apps, like Google Authenticator or Yubico Authenticator, can also be used.
When a user logs in to a resource that’s guarded by Verification Code MFA, they must provide their username, password, and a TOTP code generated by the authenticator application on their phone or computer.
Using Verification Code (TOTP) MFA
You can use Verification Code (TOTP) MFA in JumpCloud to protect the User Portal, the Admin Portal, RADIUS, LDAP, and Mac, Linux, and Windows systems. See the following articles for instructions on how to set up Verification Code MFA for these resources:
- Setting Up TOTP MFA for users and admins:
- Enabling TOTP MFA for systems and RADIUS:
- Enabling TOTP MFA for LDAP:
Users can authenticate into their local account without internet access, and TOTP MFA will still be enforced in this situation.
Find out more about some of the authenticator applications you can use with JumpCloud TOTP MFA:
- Use JumpCloud Protect for Verification Code (TOTP) MFA
- Set Up Yubico Authenticator
- Use Google Authenticator with JumpCloud MFA
Share Set up an Authenticator App with your organization’s users.
About WebAuthn MFA
What is WebAuthn MFA?
WebAuthn MFA lets users authenticate using security keys like YubiKey and Titan, or with a device authenticator, which is usually a device biometric such as Apple Touch ID or Windows Hello.
When a user logs in to a resource that’s guarded by WebAuthn MFA, they must provide their username, password, and their security key or device authenticator.
On Windows devices, the authenticator being enrolled as a device authenticator must already be enrolled in Windows Hello, otherwise enrollment will fail.
Using WebAuthn MFA
You can use WebAuthn MFA to protect the User Portal, SSO applications, and password resets made from the User Portal.
- See Set Up WebAuthn
- Share Use a Security Key or Device Authenticator with User Accounts with your organization’s users.
About Duo Security MFA
What is Duo Security MFA?
Duo Security MFA lets users authenticate using push notifications, phone callbacks, and mobile passcodes provided by Duo. Admins can choose the authentication options users have for Duo Security MFA.
When a user logs in to a resource that’s guarded by Duo Security MFA, they must provide their username and password, and then choose an authentication option. Users then provide the factor required by that authentication method.
Using Duo Security MFA
You can use Duo Security MFA to guard the User Portal, SSO applications, and password resets made from the User Portal.
Duo is ending support for the traditional Duo two-factor authentication prompt on March 30, 2024. JumpCloud supports Duo universal prompt and recommends admins update to that method. Read more here: .
- See Configure Duo Security MFA
- Share Use Duo Security with JumpCloud MFA with your organization’s users.