You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Multi-Factor Authentication

Multi-Factor Authentication

Cybercrime is on the rise again and according to 2017 Verizon Data Breach Investigative Report 81% of data breaches were due to weak or stolen credentials. Passwords continue to be the weakest link in an organization’s security strategy. Multi-Factor Authentication has been proven as the only means to ensure that a user is who they say they are but the need for security must be balanced with usability to ensure that a solution gets used and adopted. To rollout MFA successfully, it must be available for all entry points at which the user authenticates such as web, VPN, and mobile app and it must be available in an easy to use format from any of their devices. EmpowerID supports a wide range of friendly options including one-time password, FIDO/Yubikey tokens, 3rd parties such as DUO, as well as the EmpowerID Mobile phone app which allows users to click to approve their logins.

Adaptive MFA

Adaptive MFA eases the adoption of more secure login procedures by ensuring that users aren’t forced to perform MFA on every login but rather only when the circumstances warrant it. The circumstances evaluated include leveraging information about the user’s device, their location on the internal or external network, their geolocation and velocity, the application they are attempting to access, as well as information about the user themselves including their roles and risk score. EmpowerID intelligently analyzes these factors to determine when a user must go through additional steps to ensure the veracity of their identity.

Passwordless Login

The only password an end user won’t forget is no password at all. Since the invention of the password it has been a dream to live in a password free world. EmpowerID eliminates the need for passwords by securely authenticating users via a broad set of supported factors, including FIDO2 keys, virtual and hardware tokens, and mobile authenticators. Passwordless login requirements are intelligently determined by flexible adaptive policies which analyze the context of the login to determine how many and which types of factors are required.

EmpowerID Mobile Authenticator

The EmpowerID Mobile Authenticator is available on major mobile platforms and allows users to perform multi-factor authentication with the click of a button. User adoption is greatly increased by the convenience of adding additional login security by letting users simply respond to a push notification on their smartphone or watch during the login process. The decision is sent through your phone to EmpowerID where it is validated and then the user is logged in. If the user’s mobile device is not connected to the Internet, the user can enter the one-time password displayed on the app in the EmpowerID Portal. As soon as EmpowerID receives a valid one-time password, the user is logged in. The EmpowerID Mobile Authenticator is available in the Apple and, Android app stores and is easy to install and enroll. The first time a user signs into the EmpowerID Portal and selects EmpowerID Mobile Authenticator as their MFA option, they are presented with a QR code which can be scanned by the mobile app to automatically register the device for the user.

Adaptive MFA for VPN

The integrated EmpowerID RADIUS Server provides RADIUS strong authentication to firewalls, network devices and VPN servers within your network infrastructure. EmpowerID verifies user credentials against the Identity Warehouse or against connected directories like Active Directory. User logins from network devices are analyzed using the same context-driven policies as web logins and enforce adaptive multi-factor authentication rules. The EmpowerID LDAP Virtual Directory can be used in the same manner for organizations which prefer LDAP over RADIUS.


Depending on how you configure EmpowerID, you can require users to pass through a number of checkpoints and to submit additional biographic information before gaining access to resources. Checkpoints can include the user's IP address, the selected identity provider and the Password Manager policy assigned to the user.

Getting Started





Passwordless Login

Passwordless Login

Configure EmpowerID for the Mobile App

Configure EmpowerID for the Mobile App

FIDO2 WebAuthn

FIDO2 WebAuthn

Set LoA points on Password Manager policies

Setting LOA Points on Password Policies

Assign MFA Types to Password Manager Policies

Assign MFA Types to Password Policies

Assign Adaptive Authentication Rules to Password Manager Policies

Assign Adaptive Authentication to Password Policies

Set LOA Points on Applications

Set LOA Points on Apps

Assign MFA Types to Applications

Assigning MFA Types to Apps

Set LOA Points Granted by Identity Providers

Set LOA Points Granted by Identity Providers

Edit LOA Point Values for MFA Types

Edit LOA Point Values for MFA Types

Customize the MFA Retry Limit

Customize the MFA Retry Limit

Configure one-time password delivery types

Configure One-Time Password Delivery Types

Configure the EmpowerID RADIUS Server

Configure the RADIUS Server

Integrate DUO Two-Factor Authentication

Integrate DUO Two-Factor Authentication

Integrate Yubico OTP

Integrate Yubico OTP

VASCO Hardware OATH Tokens

VASCO Hardware OATH Tokens