You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Assign MFA Types to Applications

In EmpowerID, multi-factor authentication (MFA) is a versatile, points-based system that allows administrators to determine the number and types of factors users must present during authentication and the weight or point value associated with each factor. When users reach the designated point threshold, they are authenticated and granted access to the system. EmpowerID supports a variety of MFA types out-of-the-box to facilitate user adoption, including:

  1. DUO Two-Factor Authentication – When required by a Password Manager Policy, users must approve a secondary authentication request pushed to their mobile phones, sent as a one-time passcode, or delivered via a phone call. This MFA type requires a Duo account registered in EmpowerID and user enrollment in Duo, registering a mobile phone, tablet, landline, or U2F token. If you do not have a Duo account, you can sign up for one by visiting https://signup.duo.com/ .

  2. EmpowerID Mobile Authenticator – When required by a Password Manager Policy, users must approve a secondary authentication request pushed to their mobile phones. To utilize this MFA type, EmpowerID must be configured EmpowerID for the mobile app.

  3. EmpowerID One-Time Password – When required by a Password Manager Policy, users must verify their identity by entering a one-time passcode generated by EmpowerID, delivered via email, SMS, or voice call. To use SMS and voice calling features, organizations must register a Twilio account in EmpowerID.

  4. FIDO WebAuthN – When required by a Password Manager Policy, users are prompted to insert their security key (e.g., Yubikey device) and press the button or gold disk on the key. EmpowerID generates a certificate linking the Yubikey to the person authenticating upon first use.

  5. OATH Time-Based One-Time Password – When required by a Password Manager Policy, users must verify their identity by entering a time-based code generated by a client application installed on their mobile devices, such as Google Authenticator or DUO.

  6. Yubico OTP – When required by a Password Manager Policy, users must verify their identity by generating a one-time password via their Yubikey. Yubico OTP requires an API key from Yubico and registration in EmpowerID. Users must also possess a Yubikey device.

     

If an MFA Type is added to an application, users are required to authenticate themselves using the specified MFA Type before EmpowerID grants them access to the application.

 

Assign MFA Types

  1. On the navbar, expand Single Sign-On and click Applications.

  2. From the Applications tab of the Find Applications page, search for the application to which you want to apply LoA points and click the Display Name link for that policy.



  3. On the Application Details page that appears, select the SSO tab in the lower pane and expand the Multifactor Authentication accordion.

  4. Click the Add Type (+) button to the right of the grid.

     

  5. In the dialog that appears, click the Type drop-down and select one of the above-mentioned MFA Types.

     

  6. Set the priority for the type in the Priority field. The lower the number, the higher the priority. When more than one MFA Type is assigned to an application, EmpowerID directs users to the MFA Type with the highest priority first and then to the MFA Type with the next highest priority, and so on until the point threshold for the application is met.

  7. Specify whether the MFA type is required. If required, users accessing the application must authenticate using the type. When an application requires more than one MFA Type, users must authenticate using each type in the order specified by the priority for the type.

  8. Click Save.