Policy configuration - Login workflow
On the Multi-Factor Methods tab in a policy, you define the user login experience. You can configure other settings like not requiring a password if the user meets certain conditions, use Window SSO, allow the use of a QR scan to login.
For example, you can allow users to login with a user name and approve a login notification they receive on their mobile device. If the user chooses a different MFA method, the user must enter their password.
The following is an overview of how to set this up:
For the login workflow, select Username | MFA Method | Password.
Move the slider to ON for Allow password suppression.
Add a condition to bypass the password entry. In this example, select Multi-Factor Methods > Authentication Apps - Login notification.
This condition indicates that if the user chooses to receive a login notification from an authentication app, they are not prompted to enter a password. Otherwise, if they choose a different MFA method, they must enter their password.
Setting up user login workflow
With a policy open in edit mode, select the Login Workflow tab.
Select the Login Workflow experience for users to access a resource attached to this policy.
Login workflow experience
Description
Passwordless
Includes Enable QR Login option to show a QR code on the login page. Requires Authenticate app version 23.03 or later.
For the end user, this the passwordless workflow login process:
Step 1: User provides username on the login page.
Step 2: User is prompted for multi-factor authentication on the next page.
The recommended authenticators for Passwordless login methods are:
FIDO2 security keys (Requires the Prevent licensing package.)
Phone as Token (timed passcode from an app, login notification, accept/deny method, select matching character displayed on device)
Biometric authentication (using SecureAuth Authenticate app)
One-time passcode
Scan QR code (using SecureAuth Authenticate app)
Username & Password | MFA Method
Includes Enable QR Login option to show a QR code on the login page. Requires Authenticate app version 23.03 or later.
When you add a new policy, this is the default login workflow selection. For the end user, this is the workflow login process:
Step 1: User provides username and password on the login page.
Step 2: User is prompted for multi-factor authentication on the next page.
Username | MFA Method | Password
Includes the following options:
Enable QR Login to show QR code on the login page. Requires Authenticate app version 23.03 or later.
Allow password suppression with any of these conditions:
Device Recognition
Group
Multi-factor Methods
User
Option 1: Do not use password suppression
For the end user, this is the workflow login process:
Step 1: User provides username on the login page.
Step 2: User is prompted for multi-factor authentication on the next page.
Step 3: User provides password on the next page.
Option 2: Use password suppression
For the end user, this is the workflow login process:
Step 1: User provides username on the login page.
Step 2: User is prompted for multi-factor authentication on the next page.
Step 3: User provides a password on the next page, unless they meet the defined condition and do not need to provide a password.
For example, the condition might be that they use a login notification from an authentication app.
(Valid Persistent Token) | MFA Method
For the end user, this is the workflow login process:
Step 1: User provides valid persistent token (in lieu of a username) on the login page. A persistent token could be a fingerprint.
Step 2: User is prompted for multi-factor authentication on the next page.
(Valid Persistent Token) | MFA Method | Password
Includes Allow password suppression option with any of these conditions:
Device Recognition
Group
Multi-factor Methods
User
For the end user, this is the workflow login process:
Step 1: User provides valid persistent token (in lieu of a username) on the login page. A persistent token could be a fingerprint.
Step 2: User is prompted for multi-factor authentication on the next page.
Step 3: User provides a password on the next page, unless they meet the defined condition and do not need to provide a password.
For example, the condition might be that they use a login notification from an authentication app.
Windows SSO | MFA Method
This option is available only in cloud deployments.
For the end user, this is the workflow login process:
Step 1: Windows SSO recognizes the username in the browser and proceeds to the next step.
Step 2: User is prompted for multi-factor authentication on the next page.
Otherwise, if Windows SSO is not recognized at login, it prompts the user for their username and password, then authenticates per policy rules.
You must have Allow Windows SSO integration turned on in the Identity Platform data store settings for Active Directory or Azure AD to use this workflow configuration.
Next, define the multi-factor method options users can choose to authenticate into a resource.
If you don't see an MFA method enabled on this tab, go to Multi-Factor Methods on the left side of the Identity Platform to enable it.
For documentation purposes, all multi-factor methods for a policy are described next.
FIDO2 (WebAuthn)
Select to allow a user to register and use a FIDO2 authenticator to authenticate access:
FIDO2 Devices – user receives notification prompt from their registered FIDO2 security key (for example, security key or built-in authenticator in their mobile phone)
YubiKey (non-FIDO2)
Select to allow a user with a YubiKey to authenticate access:
Yubico OTP – use YubiKey to generate an encrypted one-time passcode (OTP)
OATH HOTP – use YubiKey to generate an encrypted six- eight-, or nine-character one-time (OTP) event-based passcode using OATH-HOTP. This means a new one-time passcode is generated for each event.
Authentication Apps
Select to allow a user with an authentication app like SecureAuth Authenticate to authenticate access:
Timed passcode from app – user receives soft token generated by SecureAuth Authenticate app
Login notification – user receives push notification from SecureAuth Authenticate app
Accept Method – choose one of the following:
User selects accept or deny
User selects matching character displayed on device
Biometric identification – user can use biometric identification like facial recognition and fingerprint by means of the Authenticate app
One-time passcode – user receives push notification from SecureAuth Authenticate app with one-time passcode
Text Message
Select to allow a user to receive SMS / text message to a mobile number associated with their profile, to authenticate access:
User receives a Login confirmation link
User receives a One-time passcode
Email
Select to allow a user to receive an authentication email to an email address associated with their profile, to authenticate access:
User receives a Login confirmation link
User receives a One-time passcode
Voice Phone Call
Select to allow a user to receive a voice phone call to a phone number associated with their profile, to authenticate access:
User receives a One-time passcode
PIN
Select to allow a user to receive a PIN (personal identification number) associated with their profile, to authenticate access:
User receives a request to enter a PIN
Security Questions
Select to send security questions to a user to verify who they are, to authenticate access:
User receives Security questions to which they must answer correctly
Symantec VIP
Select to allow a user with a Symantec Validation and ID (VIP) token to authenticate access:
Click Save.