Admin Adaptive MFA
Learn more about how to protect the Fusion Admin Console and Admin Accounts using Adaptive Multi-factor Authentication.
You can use the same Adaptive Multi-factor Authentication options available to protect customer accounts to protect your Fusion Admin Accounts.
You can use the following capabilities to protect your Fusion Admin Console:
- Choose which MFA methods to use and in what order.
- Choose which MFA methods to use and configure their security settings.
- Used in conjunction with Multi-Factor Authentication, the Fusion Admin Console can remember the device that you're using as an additional security check.

Follow these steps to configure Admin Adaptive MFA.

1) Log in to the Fusion admin console using an admin account.
2) Click Configuration, and then Admin Adaptive MFA from the main menu. The Admin Adaptive MFA page will be displayed as shown below.
3) Next, you can configure the following aspects of Admin Adaptive MFA. Any changes you make will apply immediately to any Fusion admins who log in to this instance.

1) Login Workflow

Strivacity Fusion provides several login workflows for you to choose from to protect your Fusion Admin Console.
| Login Workflow | Journey Description |
| --- | --- |
| Username → MFA → Password | This requires the Fusion admin to provide the username as the identifier, then an MFA method (as defined within the Multi-factor Authentication section of the policy) and then the Password. This workflow uses the MFA method to prevent an attacker from locking out the admin account by exceeding the permitted number of password attempts. |
| Username → Password → MFA | This requires the Fusion admin to provide the username as the identifier, and then they will be required to provide their password, followed by the MFA method (as defined within the Multi-factor Authentication section of the policy). |
| Passwordless (Username → MFA) | The passwordless login workflow will not require the Fusion admin to provide a password at all. The username is still used as the identifier; however, instead of using a password, this will only require an MFA method to be used. While it can be argued that using MFA and not using a password is just using a single factor, it removes the attack vector of the secret (the password) being stolen (and used) by an attacker entirely. |
| Username → Password (single factor only) | Not recommended! Please do not protect your Fusion instance using just a username and password! |

2) Multi-factor Authentication

| Setting | Description |
| --- | --- |
| Enable Passcode by Text Message | Once you enable this Multi-Factor Authentication option, any admins will be given the option to enroll this method and use it for authentication. Passcodes by text message are one-time use only and have lifetimes attached to them (see below). |
| Passcode by Text Message: Passcode Length | This is the length of the passcode that will be sent to the admin by text message (SMS). The default, minimum and recommended length is 6 characters (numbers). The maximum length is 8 characters (numbers). |
| Passcode by Text Message: Passcode Lifetime | This is the lifetime period that Fusion will still accept the passcode and typically means that your admins have this amount of time to use it before it expires. Once the lifetime has been exceeded, the passcode will be invalidated by Fusion and the customer will need to restart the login process. |
| Enable Passcode by Email | Once you enable this Multi-Factor Authentication option, any admins will be given the option to enroll this method and use it for authentication. Passcodes by email are one-time use only and have lifetimes attached to them (see below). |
| Passcode by Email: Passcode Length | This is the length of the passcode that will be sent to the customer by email (SMTP). The default, minimum and recommended length is 6 characters (numbers). The maximum length is 8 characters (numbers). |
| Passcode by Email: Passcode Lifetime | This is the lifetime period that Fusion will still accept the passcode and typically means that your customers have this amount of time to use it before it expires. Once the lifetime has been exceeded, the passcode will be invalidated by Fusion and the customer will need to restart the login process. |
| Enable Magic Link by Text Message | Once you enable this Multi-Factor Authentication option, any admins will be given the option to enroll this method and use it for authentication. Magic Links by text message are one-time use only and have lifetimes attached to them (see below). |
| Magic Link by Text Message: Lifetime | This is the lifetime period that Fusion will still accept the magic link and typically means that your customers have this amount of time to use it before it expires. Once the lifetime has been exceeded, the magic link will be invalidated by Fusion and the customer will need to restart the login process. |
| Enable Magic Link by Email | Once you enable this Multi-Factor Authentication option, any admins will be given the option to enroll this method and use it for authentication. Magic Links by email message are one-time use only and have lifetimes attached to them (see below). |
| Magic Link by Email: Lifetime | This is the lifetime period that Fusion will still accept the magic link and typically means that your customers have this amount of time to use it before it expires. Once the lifetime has been exceeded, the magic link will be invalidated by Fusion and the customer will need to restart the login process. |
| Enable Google Authenticator or other Soft Token | Once you enable this Multi-Factor Authentication option, it means that any customers using an application that you've assigned this policy to will be given the option to enroll this method using My Account and use it for authentication. |
| Google Authenticator/Soft Token: Passcode Length | This is the length of the passcode that will be configured in Google Authenticator or other Soft Token on the customer's mobile device. |
| Google Authenticator/Soft Token: Passcode Offset | This is the time step value or variance that is allowed to accommodate any clock skew between the device on which Google Authenticator or other Soft Token is running and Strivacity Fusion. |
| Google Authenticator/Soft Token: Interval Time | This specifies the number of codes before or after the current code that Fusion will accept. |
| Google Authenticator/Soft Token: Label Name | This is the name displayed with Google Authenticator or other Soft Token, and unless a value is specified this will default to the Brand name specified in the Branding Policy for the application that this Adaptive MFA policy is assigned to. |

3) Remember My Device

| Setting | Description |
| --- | --- |
| Enable Remember My Device | This is used in conjunction with Multi-Factor Authentication. After the first login with MFA, any future MFA steps will be bypassed until the number of days has elapsed or the device is removed using self-service from the My Account page. |
| Number of Days To Remember The Device | The number of days for which future MFA steps are bypassed, unless the device is removed using self-service first. This is 30 days by default. |
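
One way a server could enforce the Remember My Device behaviour described above, as an added example (not Strivacity's code). The class, its method names and the random-token scheme are assumptions made for illustration; only the 30-day default comes from this page.

```python
import hashlib
import secrets

DAY = 86400  # seconds

class RememberedDevices:
    """Server-side record of devices that may skip MFA (hypothetical design)."""

    def __init__(self, days_to_remember: int = 30):
        self.ttl = days_to_remember * DAY
        self._records = {}  # sha256(token) -> (admin, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def remember(self, admin: str, now: int) -> str:
        """Call only after a successful MFA login; returns the device token."""
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = (admin, now + self.ttl)
        return token  # deliver as a Secure, HttpOnly cookie

    def remove(self, token: str) -> None:
        """Self-service removal: the device must pass MFA again next time."""
        self._records.pop(self._key(token), None)

    def mfa_required(self, admin: str, token, now: int) -> bool:
        if not token:
            return True                      # unknown device
        key = self._key(token)
        record = self._records.get(key)
        if record is None:
            return True                      # removed or never issued
        owner, expires_at = record
        if now >= expires_at:
            del self._records[key]           # remembered period has elapsed
            return True
        return owner != admin                # token is bound to one admin

if __name__ == "__main__":
    store = RememberedDevices()
    cookie = store.remember("alice", now=0)
    print(store.mfa_required("alice", cookie, now=29 * DAY))  # False
    print(store.mfa_required("alice", cookie, now=30 * DAY))  # True
```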