MFA Configuration

On the MFA Configuration page, you can enable and enforce multi-factor authentication (MFA) for all users in a tenant. MFA improves security by requiring a second authentication factor during sign-in.

Description of settings

  • Enable MFA
    • Activates MFA for all users in the tenant.
    • Users with registered MFA devices are prompted for a time-based one-time Password (TOTP) at login.
    • Administrators automatically receive emails to register MFA devices.
  • Enforce MFA
    • Makes MFA mandatory at sign-in.
    • After specifying user name and password, the system checks MFA registration:
      • If registered: Users are prompted for TOTP.
      • If not registered: Users must register for MFA immediately.
    • Users are prompted to register a device upon their next login after MFA enforcement.
    • Administrators automatically receive emails to register MFA devices.
  • Account Lock Settings
    • Defines the number of failed sign-in attempts before an account is soft locked.
    • The range is 3 to 5 incorrect MFA attempts, for example, if set is 3, the account locks after three failed attempts.
    • When an account is locked, users receive an email notification.
    • Administrators can configure unlock time under Security Administration > Password Management.
  • Authentication Methods
    • TOTP (default when MFA is enabled).
    • SMS (U.S. only)
    • FIDO2
    • SECURID
    • DUO (requires a Duo customer account): Supports one-time codes via Duo Mobile app, push notifications, phone calls, or text messages.

Important notes

  • If Enable MFA is selected, the default authentication method is TOTP.
  • If Enable MFA is not selected, the authentication method is cleared and unavailable.
  • MFA improves security by requiring an additional verification step.
  • Duo integration depends on your license agreement and Duo account setup.
  • SMS-based MFA is limited to U.S. users.