How customers manage adaptive MFA

Learn more about how customers can view and manage their Adaptive MFA settings

Overview

Adaptive MFA (Multi-factor Authentication) enhances the security of your portal or web application using a combination of risk analysis techniques and multi-factor authentication.

There are two ways customers can enroll in an MFA method

  • in their self-service account at Security Settings
  • while completing their sign-up or sign-in flow

πŸ“˜

For more details about how to switch on MFA methods for customers to enroll in and how to prompt them to use at least one method or designated methods, review the Multi-factor methods page.

Customers can only access the MFA methods that are enabled in the application's adaptive MFA policy.

MFA management in the self-service account

Customers can manage their MFA methods inside Security Settings:

Every method available for customers to enroll in will show up after clicking on 'Add New Method'.

πŸ“˜

You can adjust the self-service MFA options available to customers as part of the adaptive MFA policy assigned to the application.

You can add or remove MFA options from the customer's self-service account as part of the adaptive MFA policy assigned to the application. / The actual methods that are displayed as available options to customers are controlled by the MFA methods that an administrator has configured within the Adaptive MFA policy that is assigned to an application.

Here's the full list of MFA enrollment options you can make available for your customers:

MFA method enrollment flows

βœ…

MFA enforcement for external identity providers

You can switch on MFA for external logins and registrations. Customers with an external identity will go through the same authentication flow configured in the application's adaptive MFA policy as if they were using local sign-in or sign-up.

Email address

Customers provide an email address and verify it as an authenticator with the passcode they receive:

Click to enlarge

Phone number

Customers provide a phone number and verify it as an authenticator with the passcode they receive:

Click to enlarge

Soft token authenticator app

Customers download a soft token authenticator app to their phone, pair their device using the QR-code, and verify the device with the currently available temporary passcode:

Click to enlarge

Platform biometric authenticators

Customers add the name of their device, then follow the setup instructions of their OS. Customers can remove their enrolled device biometrics anytime by clicking the trash icon and repeating the setup process.

Security keys

Customers add the name of their security key, then follow the instructions of their browser and/or external device. Customers can remove their enrolled security key anytime by clicking the trash icon and repeating the setup process.

Before entering the self-service account

Oftentimes customers are asked to enroll in an authentication method at sign-up or sign-in to secure their accounts immediately. A typical authenticator enrollment during sing-up or sign-in flows looks like this:

πŸ“˜

In this scenario, the customer is enrolling their email address as an authenticator. The enrollment experiences for other MFA methods are similar.

Click to enlarge

Use different email address Customers can add a new authenticator of the same type if the adaptive MFA policy doesn't restrict the use of known email addresses.

Select different method to enroll If a customer changes their mind en route, they can return to the enrollment options with this button. Customers can select a different method 3 times before their session expires.

If an authenticator method is mandatory, other methods will not be listed for customers to enroll in (unless they're also mandatory):