MFA Configuration

The MFA Configuration page has these settings:

Setting Description

Enable MFA

If selected, the MFA status of all users of the tenant becomes Enabled. At the time of login, the user is challenged for a Time-based One-time Password (TOTP) if the user has already registered a device for MFA. Emails to register MFA devices are automatically sent to all administrators.

After MFA is enabled, users can register MFA devices from user settings.

Enforce MFA If selected, at the login page, after logging in with first-factor authentication (user name and password), the user is checked for MFA registration. If not registered, the user is required to register for MFA at this point. If already registered, the user is challenged for TOTP.

After MFA is enforced, upon initial re-login, the user is prompted to register a device for MFA.

Account Lock Settings This setting specifies the number of allowed failed login attempts before the user's account is soft locked.

For example, if the administrator sets this value to 3, after three failed attempts, the user’s account is locked.

Note: When the user's account is locked, an email is sent to notify the user that the account is locked.

The administrator can specify the amount of time before the user's account is unlocked. This setting is Security Administration > Password Management.

Authentication Method The methods of authentication supported by Multi-Factor Authentication (MFA) are:
  • TOTP
  • Duo
    Note: To use Duo as an authentication method, a Duo customer account is required.

If Enable MFA is selected, the Authentication Method is automatically selected as TOTP. If Enable MFA is not selected, the Authentication Method is not selected and remains grayed out.