You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Assign MFA Types to Password Manager Policies

In EmpowerID, multi-factor authentication (MFA) is a flexible, points-based system that allows you to specify the number and types of factors that users must present when authenticating, as well as the weight or point value associated with each of those factors. When users reach the designated point threshold, they are authenticated and granted access to the system. EmpowerID supports several MFA types out of the box to ease user adoption. These include:

  • DUO Two-Factor Authentication – When this MFA type is required on a Password Manager Policy, users must approve a secondary authentication request that is either pushed to their mobile phones, sent as a one-time passcode, or delivered via a phone call. To use this MFA Type, your organization must have a Duo account registered in EmpowerID. Users must also enroll in Duo and register their mobile phone (recommended), tablet, landline, or U2F token. Additionally, to use Duo Push's one-tap authentication, users must have the Duo Mobile app installed on their mobile phones. If you do not have a Duo account, you can sign up for one by visiting https://signup.duo.com/.

  • EmpowerID Mobile Authenticator – When this MFA Type is required on a Password Manager Policy, users must approve a secondary authentication request pushed to their mobile phones. To use this MFA Type, you must configure EmpowerID for the mobile app.

  • EmpowerID One-Time Password – When this MFA Type is required on a Password Manager Policy, users with the policy must verify their identity by entering the one-time passcode generated by EmpowerID. Options for delivering the passcode include email, SMS, and voice call. To use the SMS and voice call features of this MFA Type, organizations must have a Twilio account registered in EmpowerID.

  • FIDO WebAuthN – When this MFA Type is required on a Password Manager Policy, users are prompted to insert their security key (YubiKey device) and press the button or touch the gold disk on the key to continue. The first time a YubiKey is used, EmpowerID generates a certificate linking that YubiKey to the person authenticating. Once the certificate is generated, the YubiKey cannot be used by any other person for FIDO U2F authentication.

  • OATH Time-Based One-Time Password – When this MFA type is required on a Password Manager Policy, users must verify their identity by entering a time-based code generated by a client application installed on their mobile devices, such as Google Authenticator or DUO.

  • Yubico OTP – When this MFA Type is required on a Password Manager Policy, users must verify their identity by generating a one-time password with their YubiKey. Because Yubico OTP uses YubiCloud to verify OTPs, you need to obtain an API key from Yubico and register that key in EmpowerID. Users must also have a YubiKey. If you do not have an API key, you can get one from Yubico by visiting https://upgrade.yubico.com/getapikey/. Please note that you will need a YubiKey to obtain an API key.



Assign MFA Types

  1. On the navbar, expand Password Management and click Password & Login Policies.

  2. From the Policies tab of the Find Password Manager Policies page, search for the policy to which you want to apply LoA points, and then click the Display Name link for that policy.


  3. On the Policy Details page that appears, expand the Multifactor Authentication accordion and then click the Add-Type (+) button to the right of the grid.


  4. In the dialog that appears, click the Type drop-down and select one of the MFA Types mentioned above.


  5. Set the priority for the type in the Priority field. The lower the number, the higher the priority. Priority is only applicable when the MFA Type is required.

  6. Specify whether the MFA type is required. If required, users with the policy must authenticate using the type. When a policy has more than one MFA Type required, users must authenticate using each type in the order specified by the priority for the type.

  7. Click Save.
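The points-based threshold described at the top of this page, together with the priority and required settings from steps 5 and 6, can be modelled as a small policy evaluator. This is an added illustration, not EmpowerID's own code: the point values, the threshold of 25 LoA points and the `evaluate` function are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MfaType:
    name: str
    points: int     # LoA points earned when the user completes this factor
    required: bool  # step 6: a required type must always be completed
    priority: int   # step 5: lower number = higher priority (challenged first)


def required_challenge_order(types):
    """Names of the required types in the order users are challenged.

    Priority only matters for required types, so optional ones are ignored.
    """
    required = [t for t in types if t.required]
    return [t.name for t in sorted(required, key=lambda t: (t.priority, t.name))]


def evaluate(types, threshold, presented):
    """Decide whether the factors in `presented` (a set of type names) satisfy the policy.

    Returns (authenticated, reason). Every required type must be completed,
    and the points earned must reach the threshold; either failure blocks access.
    """
    missing = [n for n in required_challenge_order(types) if n not in presented]
    if missing:
        return False, f"required factor not completed: {missing[0]}"
    earned = sum(t.points for t in types if t.name in presented)
    reason = f"{earned} of {threshold} LoA points"
    return earned >= threshold, reason


# Constructed sample policy (assumed values, not an EmpowerID export).
SAMPLE_POLICY = [
    MfaType("EmpowerID One-Time Password", points=10, required=True, priority=1),
    MfaType("DUO Two-Factor Authentication", points=10, required=True, priority=2),
    MfaType("OATH Time-Based One-Time Password", points=5, required=False, priority=3),
    MfaType("Yubico OTP", points=15, required=False, priority=4),
]
SAMPLE_THRESHOLD = 25

if __name__ == "__main__":
    print(required_challenge_order(SAMPLE_POLICY))
    print(evaluate(SAMPLE_POLICY, SAMPLE_THRESHOLD,
                   {"EmpowerID One-Time Password", "DUO Two-Factor Authentication"}))
```

Note that a user who skips a required type is refused even when the optional factors alone exceed the point threshold.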


