Define login workflow and multi-factor methods settings in a policy

The default and custom policies contain all of the globally enabled multi-factor methods. In each policy, you define the user login workflow experience and choose which multi-factor methods are available to your users.

  1. With a policy open in edit mode, select the Multi-Factor Methods tab.

    mfa_login_001_19_07.png
  2. Select the Login Workflow experience for users to access a resource attached to this policy.

    Username | MFA Method

    For the end user, this is the workflow login process:

    Step 1: User provides username on a page.

    Step 2: User is prompted for multi-factor authentication on a subsequent page.

    Username & Password | MFA Method

    When you add a new policy, this is the default workflow selection. For the end user, this is the workflow login process:

    Step 1: User provides username and password on a page.

    Step 2: User is prompted for multi-factor authentication on a subsequent page.

    Username | MFA Method | Password

    For the end user, this is the workflow login process:

    Step 1: User provides username on a page.

    Step 2: User is prompted for multi-factor authentication on the next page.

    Step 3: User provides password on a subsequent page.

    (Valid Persistent Token) | MFA Method

    For the end user, this is the workflow login process:

    Step 1: User provides valid persistent token (in lieu of a username) on a page.

    Step 2: User is prompted for multi-factor authentication on a subsequent page.

    (Valid Persistent Token) | MFA Method | Password

    For the end user, this is the workflow login process:

    Step 1: User provides valid persistent token (in lieu of a username) on a page.

    Step 2: User is prompted for multi-factor authentication on the next page.

    Step 3: User provides password on a subsequent page.

  3. Next, define the multi-factor method users can choose to authenticate into a resource.

    If a multi-factor method is not displayed, go to the Multi-Factor Methods menu on the left side of the Identity Platform home page to globally enable it. For more information, see Global multi-factor authentication (MFA) methods overview.

    For documentation purposes, all multi-factor methods for a policy are shown.

    YubiKey

    Select whether to allow a user with a YubiKey to authenticate access:

    • Yubico OTP – use YubiKey to generate an encrypted one-time passcode (OTP)

    • OATH HOTP – use YubiKey to generate an encrypted six- eight-, or nine-character one-time (OTP) event-based passcode using OATH-HOTP. This means a new one-time passcode is generated for each event.

    mfa_login_002_19_07.png

    Authentication Apps

    Select whether to allow a user with an authentication app such as SecureAuth Authenticate to authenticate access:

    • Timed passcode from app – user receives soft token generated by SecureAuth Authenticate app

    • Login notification – user receives push notification from SecureAuth Authenticate app

      • Accept Method – choose one of the following:

        • User selects accept or deny

        • User selects matching character displayed on device

    • Biometric identification – user can use biometric identification like facial recognition and fingerprint by means of the Authenticate app

    • One-time passcode – user receives push notification from SecureAuth Authenticate app with one-time passcode

    mfa_login_003_19_07.png

    Text Message

    Select whether to allow a user to receive SMS / text message to a mobile number associated with their profile, to authenticate access:

    • User receives a Login confirmation link

    • User receives a One-time passcode

    mfa_login_004_19_07.png

    Email

    Select whether to allow a user to receive an authentication email to an email address associated with their profile, to authenticate access:

    • User receives a Login confirmation link

    • User receives a One-time passcode

    mfa_login_005_19_07.png

    Voice Phone Call

    Select whether to allow a user to receive a voice phone call to a phone number associated with their profile, to authenticate access:

    • User receives a One-time passcode

    mfa_login_006_19_07.png

    Security Questions

    Select whether to send security questions to a user to verify who they are, to authenticate access:

    • User receives Security questions to which they must answer correctly

    mfa_login_007_19_07.png

    PIN

    Select whether to allow a user to receive a PIN (personal identification number) associated with their profile, to authenticate access:

    • User receives a request to enter a PIN

    mfa_login_008_19_07.png

    Symantec VIP

    Select whether to allow a user with a Symantec Validation and ID (VIP) token to authenticate access:

    mfa_login_009_19_07.png
  4. Click Save.