Admin Adaptive MFA

Learn more about how to protect the Fusion Admin Console and Admin Accounts using Adaptive Multi-factor Authentication.

You can use the same Adaptive Multi-factor Authentication options available to protect customer accounts to protect your Fusion Admin Accounts.

You can use the following capabilities to protect your Fusion Admin Console:

Choose which MFA methods to use and in what order.

Choose which MFA methods to use and configure their security settings.

Used in conjunction with Multi-Factor Authentication, the Fusion Admin Console can remember the device that you're using as an additional security check.

Follow these steps to configure Admin Adaptive MFA.

1) Log in to the Fusion admin console using an admin account.

2) Click Configuration, and then Admin Adaptive MFA from the main menu. The Admin Adaptive MFA page will be displayed as shown below.


3) Next, you can configure the following aspects of Admin Adaptive MFA. Any changes you make apply immediately to all Fusion admins who log in to this instance.

1) Login Workflow

Strivacity Fusion provides several login workflows for you to choose from to protect your Fusion Admin Console.

Login Workflow

Journey Description

Username → MFA → Password

This requires the Fusion admin to provide the username as the identifier, then an MFA method (as defined within the Multi-factor Authentication section of the policy), and then the password.

Because the MFA step comes before the password prompt, this workflow prevents an attacker from locking out the admin account by exceeding the permitted number of password attempts.

Username → Password → MFA

This requires the Fusion admin to provide the username as the identifier, then their password, followed by the MFA method (as defined within the Multi-factor Authentication section of the policy).

Passwordless (Username → MFA)

The passwordless login workflow does not require the Fusion admin to provide a password at all. The username is still used as the identifier, but instead of a password only an MFA method is required. While it can be argued that using MFA without a password is just a single factor, it entirely removes the attack vector of the secret (the password) being stolen and used by an attacker.

Username → Password (single factor only)

Not recommended! Please do not protect your Fusion instance using just a username and password!

2) Multi-factor Authentication

Setting

Description

Enable Passcode by Text Message

Once you enable this Multi-Factor Authentication option, all admins will be given the option to enroll in this method and use it for authentication. Passcodes by text message are one-time use only and have lifetimes attached to them (see below).

Passcode by Text Message: Passcode Length

This is the length of the passcode that will be sent to the admin by text message (SMS). The default, minimum and recommended length is 6 characters (numbers). The maximum length is 8 characters (numbers).

Passcode by Text Message: Passcode Lifetime

This is the period during which Fusion will still accept the passcode, which typically means that your admins have this amount of time to use it before it expires. Once the lifetime has been exceeded, the passcode will be invalidated by Fusion and the admin will need to restart the login process.

Enable Passcode by Email

Once you enable this Multi-Factor Authentication option, all admins will be given the option to enroll in this method and use it for authentication. Passcodes by email are one-time use only and have lifetimes attached to them (see below).

Passcode by Email: Passcode Length

This is the length of the passcode that will be sent to the admin by email (SMTP). The default, minimum and recommended length is 6 characters (numbers). The maximum length is 8 characters (numbers).

Passcode by Email: Passcode Lifetime

This is the period during which Fusion will still accept the passcode, which typically means that your admins have this amount of time to use it before it expires. Once the lifetime has been exceeded, the passcode will be invalidated by Fusion and the admin will need to restart the login process.

Enable Magic Link by Text Message

Once you enable this Multi-Factor Authentication option, all admins will be given the option to enroll in this method and use it for authentication. Magic Links by text message are one-time use only and have lifetimes attached to them (see below).

Magic Link by Text Message: Lifetime

This is the period during which Fusion will still accept the magic link, which typically means that your admins have this amount of time to use it before it expires. Once the lifetime has been exceeded, the magic link will be invalidated by Fusion and the admin will need to restart the login process.

Enable Magic Link by Email

Once you enable this Multi-Factor Authentication option, all admins will be given the option to enroll in this method and use it for authentication. Magic Links by email are one-time use only and have lifetimes attached to them (see below).

Magic Link by Email: Lifetime

This is the period during which Fusion will still accept the magic link, which typically means that your admins have this amount of time to use it before it expires. Once the lifetime has been exceeded, the magic link will be invalidated by Fusion and the admin will need to restart the login process.
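The passcode rules described above (6 to 8 digits, one-time use, invalidated once the lifetime is exceeded) are shown here as an added example; this is not Strivacity's code. `PasscodeStore`, its method names, the returned status strings and the 300-second lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time

MIN_LEN, MAX_LEN = 6, 8  # passcode length bounds stated on this page


class PasscodeStore:
    """Hypothetical in-memory store of one-time, time-limited passcodes."""

    def __init__(self, length=6, lifetime_s=300, clock=time.monotonic):
        # lifetime_s=300 is an assumed value; the page gives no default.
        if not MIN_LEN <= length <= MAX_LEN:
            raise ValueError("passcode length must be 6 to 8 digits")
        self.length, self.lifetime_s, self.clock = length, lifetime_s, clock
        self._pending = {}  # username -> (code bytes, expiry time)

    def issue(self, username):
        # secrets draws from the OS CSPRNG; zero-pad so leading zeros survive.
        code = f"{secrets.randbelow(10 ** self.length):0{self.length}d}"
        # Issuing a new code replaces, and so invalidates, any earlier one.
        self._pending[username] = (code.encode(), self.clock() + self.lifetime_s)
        return code  # would be delivered by text message or email

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return "restart_login"       # nothing outstanding, or already used
        expected, expires_at = entry
        if self.clock() >= expires_at:
            del self._pending[username]  # lifetime exceeded: invalidate
            return "restart_login"
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(submitted.encode(), expected):
            return "rejected"            # a real service would also cap attempts
        del self._pending[username]      # one-time use: consume on success
        return "accepted"
```

The same consume-on-success and expire-on-lifetime checks apply to a magic link, with a long random URL token in place of the short numeric code.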

3) Remember My Device

Setting

Description

Enable Remember My Device

This is used in conjunction with Multi-Factor Authentication. After the first login with MFA, any future MFA steps will be bypassed until the number of days has elapsed or the device is removed using self-service from the My Account page.

Number of Days To Remember The Device

The number of days for which future MFA steps will be bypassed, unless the device is removed earlier using self-service. This is 30 days by default.