Multi-factor methods: an overview

Manage your policy's secondary authentication methods here.

Supported multi-factor methods

Multi-factor authentication (MFA) provides an additional layer of security beyond single-factor authentication based on a username and password. You can have your customers take steps to protect their online identities against threats such as unauthorized access, account takeover or hijacking, and fraudulent transactions.

You can configure the following MFA methods in the Admin Console:

| Method Type | Security Posture | Ease of Adoption | Coverage | Usability |
| --- | --- | --- | --- | --- |
| Password | Weak | Easy | Broad | Easy |
| Voice Call OTP | Moderate | Easy | Broad | Medium |
| SMS OTP | Moderate | Medium | Broad | Medium |
| Email OTP | Moderate | Medium | Broad | Medium |
| SMS Magic Links | Strong | Easy | Medium | Easy |
| Email Magic Links | Moderate | Easy | Broad | Easy |
| Google Authenticator or other Soft Token | Strong | Medium | Medium | Medium |
| FIDO2 Platform Biometric Authenticator | Strong | Easy | Medium | Easy |
| FIDO2 Security Key | Strong | Medium | Broad | Easy |

Email & phone factors

Email and phone authenticator settings

  • Passcodes via email: Sends a one-time passcode to the customer's confirmed email address.
  • Magic links via email: Sends a one-time expirable link to the customer's confirmed email address.
  • Passcode via text message or voice call: Sends a one-time passcode by default, or initiates a voice call on request, to the customer's confirmed phone number. Customers can ask for a voice call in their authentication workflow.
  • Magic links via text message: Sends a one-time expirable link to the customer's confirmed phone number.

Factor restriction

You can choose which factors to allow under email and phone method authentication, or allow both available factors per method.

Authenticator restriction checkboxes

Restricts customers to enrolling, as secondary authenticators, only the email address(es) or phone number(s) that are already added to their account as an identifier or personal information.

Parameters

Here, you can set the lifetime of different authenticator tokens delivered via email or phone.

  • Passcode Lengths: Specifies the character length of the one-time passcodes for both email and phone number-based methods. Recommended minimum length: 6 characters (digits) by default. Maximum length: 8 characters.
  • Passcode Lifetimes: Specifies the character length of the one-time passcodes for both email and phone number-based methods. Recommended minimum length: 6 characters (digits) by default. Maximum length: 8 characters.
  • Magic Link Lifetime: Decides the lifetime of Magic Links for both email and phone-based methods. The lifetime of a Magic Link starts from the time the message has been sent out. Strivacity invalidates the Magic Link once its lifetime has been exceeded. In this case, customers will have to restart the login process.
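
The semantics described above (a one-time link whose lifetime is counted from the moment it is sent, and a numeric passcode of 6 to 8 digits) can be modeled as follows. This is an added illustration, not Strivacity's implementation; the class, function and parameter names are hypothetical, and treating 6 and 8 as hard bounds is an assumption.

```python
import hashlib
import secrets
import time


def new_passcode(length=6):
    """Numeric one-time passcode; 6..8 digits enforced here as an assumption."""
    if not 6 <= length <= 8:
        raise ValueError("passcode length must be between 6 and 8 digits")
    return "".join(secrets.choice("0123456789") for _ in range(length))


class MagicLinkStore:
    """Keeps only a hash of each issued token, so a leaked store cannot log in."""

    def __init__(self, lifetime_seconds):
        self.lifetime = lifetime_seconds
        self._pending = {}  # sha256(token) -> (customer_id, sent_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, customer_id, now=None):
        """Create the token at send time; the lifetime clock starts here."""
        sent_at = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, URL-safe
        self._pending[self._digest(token)] = (customer_id, sent_at)
        return token

    def redeem(self, token, now=None):
        """Return the customer id, or None if unknown, already used or expired."""
        now = time.time() if now is None else now
        # pop() removes the record on first presentation: single use.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        customer_id, sent_at = record
        if now - sent_at > self.lifetime:
            return None  # lifetime exceeded: the customer restarts the login
        return customer_id
```
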

Google Authenticator or other soft token authenticator apps

Enable the Google Authenticator or other soft token authenticator apps as a secondary authenticator option for your customers. Customers will receive their temporary one-time passcodes via the application.

Soft token authenticator settings

  • Label Name: You can help customers identify which token to look for in their authenticator app by adding a descriptive name. This way they can more easily spot which temporary token to use for your application. If no Label Name is added, the soft token label in the authenticator application defaults to the brand name specified in the application's branding policy.

✅

See Setup and Manage Customer Notification for further information on how to customize and brand the Adaptive MFA notification email and text messages.

FIDO2 authenticators

You can offer FIDO2-based authentication options for your customers by enabling platform biometric authentication or security key enrollment for your application.

Platform biometric authenticator and security key authenticator settings

Platform biometric authenticator

If enabled, customers can enroll the biometric information of the device they are currently using to access your application as an authenticator.

🚧

The customer's enrollment and authentication experience will vary slightly depending on the biometric security system installed on their device.

Security key

If enabled, you allow customers to enroll a roaming authenticator such as a security key (YubiKey, Titan Security Key) or a FIDO-compliant mobile device as an authenticator.

🚧

The customer's enrollment and authentication experience will vary slightly depending on the browser and OS the customer is using.

MFA enrollment configuration

Enable or disable MFA methods, prompt your customers to enroll in an MFA method of their choice, or request them to enroll in multiple authentication methods.

🚧

One multi-factor method always needs to be enabled for your adaptive MFA workflow.

Optional MFA

You can leave it up to customers to decide whether they want to secure their accounts with certain MFA methods or not.

Customers can encounter optional MFA methods:

  • during registration (always)
  • alongside mandatory methods
  • in the self-service account

📘

Customers are allowed to enroll optional MFAs in the same flow while they're adding mandatory methods. For example, you can allow device-based authentication (optional FIDO2) without pushing it, while you also confirm their email address (mandatory email MFA).

Mandatory and optional MFA enrollment

Once logged in, customers can manage factors for each enrolled authentication method in their self-service portal:

Self-service portal security settings

📘

Your customer service can assist customers with MFA enrollment (every method except for platform biometric and security key enrollment) from the customer's account in the Admin Console.

Mandatory MFA

You can request customers to enroll in the selected MFA methods at registration or at the next login to enhance the security of their accounts.

You can require multiple MFA methods from your customers at the same time. Customers will enroll in the required methods in the following order: email authentication first, then phone, soft token, device biometrics, and finally security key.

📘

If there are multiple mandatory MFA methods, customers are required to enroll in each method. Customers will only be stepped up to one of the enrolled methods during future logins.

Additional settings

Make at least one optional method mandatory at next login or registration

When selected, your customers will be required to enroll in one of the optional authentication methods before continuing in their registration or login workflow.

📘

This option is only available if there are no mandatory methods selected.

Skip MFA selection screen when there is only one method registered

This setting can reduce friction in authentication journeys. When selected, the MFA selection screen will be skipped if customers only have one MFA method enrolled.
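
The enrollment rules on this page (the fixed enrollment order for mandatory methods, the requirement that one method is always enabled, and the two additional settings) can be checked with a small model before a policy is rolled out. This is an added sketch, not a Strivacity API; `MfaPolicy`, its field names and the method identifiers are hypothetical.

```python
from dataclasses import dataclass, field

# Enrollment order stated on this page for required methods.
ENROLL_ORDER = ["email", "phone", "soft_token", "platform_biometric", "security_key"]


@dataclass
class MfaPolicy:  # hypothetical model of the console settings
    mandatory: set = field(default_factory=set)
    optional: set = field(default_factory=set)
    require_one_optional: bool = False      # "Make at least one optional method mandatory"
    skip_selection_if_single: bool = False  # "Skip MFA selection screen ..."


def validate(policy):
    """Return a list of configuration problems; an empty list means consistent."""
    problems = []
    enabled = policy.mandatory | policy.optional
    if not enabled:
        problems.append("one multi-factor method always needs to be enabled")
    unknown = sorted(enabled - set(ENROLL_ORDER))
    if unknown:
        problems.append("unknown method(s): " + ", ".join(unknown))
    if policy.require_one_optional and policy.mandatory:
        problems.append("require_one_optional needs an empty mandatory set")
    return problems


def enrollment_steps(policy, enrolled):
    """Mandatory methods still to enroll, in the documented order, and whether
    the customer must also pick one optional method before continuing."""
    todo = [m for m in ENROLL_ORDER
            if m in policy.mandatory and m not in enrolled]
    must_pick_optional = (policy.require_one_optional
                          and not policy.mandatory
                          and not (enrolled & policy.optional))
    return todo, must_pick_optional


def show_selection_screen(policy, enrolled):
    """Step-up uses one enrolled method; skip the chooser when only one exists."""
    return not (policy.skip_selection_if_single and len(enrolled) == 1)
```
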