Policy configuration - Login workflow

On the Multi-Factor Methods tab in a policy, you define the user login experience. You can also configure settings such as not requiring a password when the user meets certain conditions, or using Windows SSO.

For example, you can allow users to log in with a username and approve a login notification they receive on their mobile device. If the user chooses a different MFA method, the user must enter their password.

The following is an overview of how to set this up:

  • For the login workflow, select Username | MFA Method | Password.

  • Move the slider to ON for Allow password suppression.

  • Add a condition to bypass the password entry. In this example, select Multi-Factor Methods > Authentication Apps - Login notification.

    This condition indicates that if the user chooses to receive a login notification from an authentication app, they are not prompted to enter a password. Otherwise, if they choose a different MFA method, they must enter their password.

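The following model shows how the password suppression decision above behaves, and also covers the other Login Workflow selections described in the setup procedure on this page. It is an added illustration, not SecureAuth product code: the workflow and condition names mirror the policy editor labels on this page, while the `Policy` and `LoginContext` data shapes, the field names, and the step labels returned by `login_steps` are assumptions made for the example.

```python
"""Decision model for the Login Workflow options and the
Allow password suppression conditions described on this page.
Added illustration, not SecureAuth product code: workflow and
condition names mirror the page; the data shapes are assumptions."""
from dataclasses import dataclass, field

# Login Workflow selections, named as in the policy editor.
PASSWORDLESS = "Passwordless"
USERNAME_PASSWORD_MFA = "Username & Password | MFA Method"
USERNAME_MFA_PASSWORD = "Username | MFA Method | Password"
TOKEN_MFA = "(Valid Persistent Token) | MFA Method"
TOKEN_MFA_PASSWORD = "(Valid Persistent Token) | MFA Method | Password"
WINDOWS_SSO_MFA = "Windows SSO | MFA Method"


@dataclass
class LoginContext:
    """What is known about one login attempt (assumed shape)."""
    username: str
    mfa_method: str                 # MFA method the user chose, e.g. "Login notification"
    device_recognized: bool = False
    groups: set = field(default_factory=set)
    windows_sso: bool = False       # browser presented a Windows SSO identity


@dataclass
class Policy:
    """Policy settings that decide the workflow (assumed shape)."""
    workflow: str
    allow_password_suppression: bool = False
    # One field per suppression condition type listed on the page.
    suppress_on_mfa_methods: set = field(default_factory=set)   # Multi-Factor Methods
    suppress_on_groups: set = field(default_factory=set)        # Group
    suppress_on_users: set = field(default_factory=set)         # User
    suppress_on_device_recognition: bool = False               # Device Recognition


def password_suppressed(policy: Policy, ctx: LoginContext) -> bool:
    """The password step is skipped only when the slider is ON and at least
    one configured condition matches this login attempt."""
    if not policy.allow_password_suppression:
        return False
    return (
        ctx.mfa_method in policy.suppress_on_mfa_methods
        or bool(ctx.groups & policy.suppress_on_groups)
        or ctx.username in policy.suppress_on_users
        or (policy.suppress_on_device_recognition and ctx.device_recognized)
    )


def login_steps(policy: Policy, ctx: LoginContext) -> list:
    """Return the pages the end user sees, in order, under this policy."""
    wf = policy.workflow
    if wf == PASSWORDLESS:
        return ["username", "mfa"]
    if wf == USERNAME_PASSWORD_MFA:
        return ["username+password", "mfa"]   # password is always collected here
    if wf == TOKEN_MFA:
        return ["persistent_token", "mfa"]
    if wf == WINDOWS_SSO_MFA:
        # SSO identity found: straight to MFA; otherwise the page's fallback
        # of username and password before MFA.
        return ["mfa"] if ctx.windows_sso else ["username+password", "mfa"]
    if wf in (USERNAME_MFA_PASSWORD, TOKEN_MFA_PASSWORD):
        first = "username" if wf == USERNAME_MFA_PASSWORD else "persistent_token"
        steps = [first, "mfa"]
        if not password_suppressed(policy, ctx):
            steps.append("password")      # Step 3 unless a condition matched
        return steps
    raise ValueError(f"unknown workflow: {wf}")


# The page's example: Username | MFA Method | Password, slider ON, condition
# Multi-Factor Methods > Authentication Apps - Login notification.
EXAMPLE_POLICY = Policy(
    workflow=USERNAME_MFA_PASSWORD,
    allow_password_suppression=True,
    suppress_on_mfa_methods={"Login notification"},
)

if __name__ == "__main__":
    for method in ("Login notification", "One-time passcode"):
        ctx = LoginContext(username="alice", mfa_method=method)  # constructed sample
        print(method, "->", login_steps(EXAMPLE_POLICY, ctx))
```

Note that suppression conditions only remove the Password step from the two workflows that have one; the Username & Password workflow collects the password regardless, and turning the slider OFF restores Step 3 even when a condition would otherwise match.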

Setting up user login workflow

  1. With a policy open in edit mode, select the Login Workflow tab.

  2. Select the Login Workflow experience for users to access a resource attached to this policy.

    Passwordless

    For the end user, this is the passwordless workflow login process:

    Step 1: User provides username on the login page.

    Step 2: User is prompted for multi-factor authentication on the next page.

    The recommended authenticators for Passwordless login methods are:

    • FIDO2 security keys (Requires the Prevent licensing package.)

    • Phone as Token (timed passcode from an app, login notification, accept/deny method, select matching character displayed on device)

    • Biometric authentication (using SecureAuth Authenticate app)

    • One-time passcode

    Username & Password | MFA Method

    When you add a new policy, this is the default login workflow selection. For the end user, this is the workflow login process:

    Step 1: User provides username and password on the login page.

    Step 2: User is prompted for multi-factor authentication on the next page.

    Username | MFA Method | Password

    Includes Allow password suppression option with any of these conditions:

    • Device Recognition

    • Group

    • Multi-factor Methods

    • User

    Option 1: Do not use password suppression

    For the end user, this is the workflow login process:

    Step 1: User provides username on the login page.

    Step 2: User is prompted for multi-factor authentication on the next page.

    Step 3: User provides password on the next page.

    Option 2: Use password suppression

    For the end user, this is the workflow login process:

    Step 1: User provides username on the login page.

    Step 2: User is prompted for multi-factor authentication on the next page.

    Step 3: User provides a password on the next page, unless they meet the defined condition and do not need to provide a password.

    For example, the condition might be that they use a login notification from an authentication app.

    (Valid Persistent Token) | MFA Method

    For the end user, this is the workflow login process:

    Step 1: User provides a valid persistent token (in lieu of a username) on the login page. A persistent token could be a fingerprint.

    Step 2: User is prompted for multi-factor authentication on the next page.

    (Valid Persistent Token) | MFA Method | Password

    Includes Allow password suppression option with any of these conditions:

    • Device Recognition

    • Group

    • Multi-factor Methods

    • User

    For the end user, this is the workflow login process:

    Step 1: User provides a valid persistent token (in lieu of a username) on the login page. A persistent token could be a fingerprint.

    Step 2: User is prompted for multi-factor authentication on the next page.

    Step 3: User provides a password on the next page, unless they meet the defined condition and do not need to provide a password.

    For example, the condition might be that they use a login notification from an authentication app.

    Windows SSO | MFA Method

    This option is available only in cloud deployments.

    For the end user, this is the workflow login process:

    Step 1: Windows SSO recognizes the username in the browser and proceeds to the next step.

    Step 2: User is prompted for multi-factor authentication on the next page.

    Otherwise, if Windows SSO does not recognize the user at login, the user is prompted for their username and password and is then authenticated per the policy rules.

    You must have Allow Windows SSO integration turned on in the Identity Platform data store settings for Active Directory to use this workflow configuration.

  3. Next, define the multi-factor method options users can choose to authenticate into a resource.

    If you don't see an MFA method enabled on this tab, go to Multi-Factor Methods on the left side of the Identity Platform to enable it.

    For documentation purposes, all multi-factor methods for a policy are described next.

    FIDO2 (WebAuthn)

    Select to allow a user to register and use a FIDO2 authenticator to authenticate access:

    • FIDO2 Devices – user receives a prompt from their registered FIDO2 authenticator (for example, a security key or the built-in authenticator in their mobile phone)


    YubiKey (non-FIDO2)

    Select to allow a user with a YubiKey to authenticate access:

    • Yubico OTP – use YubiKey to generate an encrypted one-time passcode (OTP)

    • OATH HOTP – use YubiKey to generate an encrypted six-, eight-, or nine-character event-based one-time passcode (OTP) using OATH-HOTP. This means a new one-time passcode is generated for each event.


    Authentication Apps

    Select to allow a user with an authentication app like SecureAuth Authenticate to authenticate access:

    • Timed passcode from app – user receives soft token generated by SecureAuth Authenticate app

    • Login notification – user receives push notification from SecureAuth Authenticate app

      • Accept Method – choose one of the following:

        • User selects accept or deny

        • User selects matching character displayed on device

    • Biometric identification – user can use biometric identification like facial recognition and fingerprint by means of the Authenticate app

    • One-time passcode – user receives push notification from SecureAuth Authenticate app with one-time passcode


    Text Message

    Select to allow a user to receive an SMS / text message at a mobile number associated with their profile, to authenticate access:

    • User receives a Login confirmation link

    • User receives a One-time passcode


    Email

    Select to allow a user to receive an authentication email to an email address associated with their profile, to authenticate access:

    • User receives a Login confirmation link

    • User receives a One-time passcode


    Voice Phone Call

    Select to allow a user to receive a voice phone call to a phone number associated with their profile, to authenticate access:

    • User receives a One-time passcode


    PIN

    Select to allow a user to receive a PIN (personal identification number) associated with their profile, to authenticate access:

    • User receives a request to enter a PIN


    Security Questions

    Select to send security questions to a user to verify who they are, to authenticate access:

    • User receives security questions that they must answer correctly


    Symantec VIP

    Select to allow a user with a Symantec Validation and ID (VIP) token to authenticate access.

  4. Click Save.