MFA Configuration - Cloud Edition

Setting	Description
Enable MFA	If selected, the MFA status of all users of the tenant becomes Enabled. At the time of login, the user is challenged for a Time-based One-time Password (TOTP) if the user has already registered a device for MFA. Emails to register MFA devices are automatically sent to all administrators. After MFA is enabled, users can register MFA devices from user settings.
Enforce MFA	If selected, at the login page, after logging in with first-factor authentication (user name and password), the user is checked for MFA registration. If not registered, the user is required to register for MFA at this point. If already registered, the user is challenged for TOTP. After MFA is enforced, upon initial re-login, the user is prompted to register a device for MFA.
Account Lock Settings	This setting specifies the number of allowed failed login attempts before the user's account is soft locked. For example, if the administrator sets this value to 3, after three failed attempts, the user’s account is locked. Note: When the user's account is locked, an email is sent to notify the user that the account is locked. The administrator can specify the amount of time before the user's account is unlocked. This setting is Security Administration > Password Management.
Authentication Method	The methods of authentication supported by Multi-Factor Authentication (MFA) are: TOTP Duo Note: To use Duo as an authentication method, a Duo customer account is required. FIDO2 SMS Note: Currently supported for U.S. only. If Enable MFA is selected, the Authentication Method is automatically selected as TOTP. If Enable MFA is not selected, the Authentication Method is not selected and remains grayed out.

Enable MFA

If selected, the MFA status of all users of the tenant becomes Enabled. At the time of login, the user is challenged for a Time-based One-time Password (TOTP) if the user has already registered a device for MFA. Emails to register MFA devices are automatically sent to all administrators.

After MFA is enabled, users can register MFA devices from user settings.

Enforce MFA

If selected, at the login page, after logging in with first-factor authentication (user name and password), the user is checked for MFA registration. If not registered, the user is required to register for MFA at this point. If already registered, the user is challenged for TOTP.

After MFA is enforced, upon initial re-login, the user is prompted to register a device for MFA.

Account Lock Settings

This setting specifies the number of allowed failed login attempts before the user's account is soft locked.

For example, if the administrator sets this value to 3, after three failed attempts, the user’s account is locked.

Note: When the user's account is locked, an email is sent to notify the user that the account is locked.

The administrator can specify the amount of time before the user's account is unlocked. This setting is Security Administration > Password Management.

Authentication Method

The methods of authentication supported by Multi-Factor Authentication (MFA) are:

TOTP
Duo
Note: To use Duo as an authentication method, a Duo customer account is required.
FIDO2
SMS
Note: Currently supported for U.S. only.

If Enable MFA is selected, the Authentication Method is automatically selected as TOTP. If Enable MFA is not selected, the Authentication Method is not selected and remains grayed out.