Back to Home PageView SDKs on GithubView APIs in PostmanSystem Status
Search…
Las Vegas
Strivacity Fusion: Las Vegas Release
SUPPORT INFORMATION
Raising a Support Case
Security Vulnerability Response
Reporting a Security Issue
Our Service Level Commitment
Getting Started
Overview
Product Components
Pre-Configured Best Practices
Using the Dashboard
Overview
APIs
Using the REST APIs
Postman API Directory
Adaptive APIs
Administrative APIs
Anonymous Visitor and Consent APIs
Authentication APIs
Customer Lifecycle APIs
Customer Self-Service APIs
Setup and Manage
Adaptive Multi-factor Authentication
Claim Dialects
Consent Management
Enterprise Login
Identity Stores
Integrate Your Applications
Lifecycle Event Hooks
Notification Policies
Password Polices
Self-Service
Social Login
Rebranding and Customization
Using Your Own Brand, Logos, and Color Schemes
Using Multiple Custom Domain Names
Customizing Email Templates
Customizing SMS Templates
Rebranding the Admin Console
Managing Accounts and Groups
Overview
Creating an Account
Editing an Account
Delete an Account
Enable/Disable an Account
Creating a Group
Deleting a Group
Managing Group Membership
Configuration
Admin Roles
Admin Adaptive MFA
Admin Branding
Admin Notifications
Admin Users
General
Logging
REST API Access Policies
Integrations
Microsoft Azure AD (B2E)
ID DataWeb - Attribute Exchange Network (AXN)
ServiceNow
Zendesk
Architecture and Deployment
Rate Limiting
Regional Availability
Powered By GitBook
Admin Adaptive MFA
Learn more about how to protect the Fusion Admin Console and Admin Accounts using Adaptive Multi-factor Authentication.
You can use the same Adaptive Multi-factor Authentication options available to protect customer accounts to protect your Fusion Admin Accounts.
You can use the following capabilities to protect your Fusion Admin Console:

​1) Configure the Login Workflow​

Choose which MFA methods to use and in what order.

​2) Multi-factor Authentication​

Choose which MFA methods to use and configure their security settings

​3) Remember My Device​

Used in conjunction with Multi-Factor Authentication, the Fusion Admin Console can remember the device that you're using as an additional security check.

Follow these steps to configure Admin Adaptive MFA.

1) Log into the Fusion admin console using an admin account.
2) Click Configuration, and then Admin Adaptive MFA from the main menu. The Admin Adaptive MFA page will be displayed as shown below.
Click to Enlarge
3) Next, you can configure the following aspects of Admin Adaptive MFA. Any changes you make will apply immediately to any Fusion admin's that log in to this instance.

1) Login Workflow

Strivacity Fusion provides several login workflows for you to choose from to protect your Fusion Admin Console.
Login Workflow
Journey Description
Username → MFA → Password
This requires the Fusion admin to provide the username as the identifier, then an MFA method (as defined within the Multi-factor Authentication section of the policy) and then the Password.
This workflow uses the MFA method to prevent an attacker from locking out the admin account by exceeding the permitted number of password attempts.
Username → Password → MFA
This requires the Fusion admin to provide the username as the identifier, and then they will be required to provide their password, followed by the MFA method (as defined within the Multi-factor Authentication section of the policy).
Passwordless (Username → MFA)
The passwordless login workflow will not require the Fusion admin to provide a password at all. The username is still used as the identifier, however, instead of using a password this will only require an MFA method to be used. While it can be argued that using MFA and not using a password is just using a single factor, it removes the attack vector of the secret (the password) being stolen (and used) by an attacker entirely.
Username → Password (single factor only)
Not recommended! Please do not protect your Fusion instance using just a username and password!

2) Multi-factor Authentication

Setting
Description
Enable Passcode by Text Message
Once you enable this Multi-Factor Authentication option any admins will be given the option to enroll this method and use it for authentication. Passcodes by text message are one-time use only and have lifetimes attached to them (see below).
Passcode by Text Message: Passcode Length
​
This is the length of the passcode that will be sent to the admin by text message (SMS). The default, minimum and recommended length is 6 characters (numbers). The maximum length is 8 characters (numbers).
Passcode by Text Message: Passcode Lifetime
This is the lifetime period that Fusion will still accept the passcode and typically means that your admins have this amount of time to use it before it expires. Once the lifetime has been exceeded the passcode will be invalidated by Fusion and the customer will need to restart the log in process.
Enable Passcode by Email
Once you enable this Multi-Factor Authentication option any admins will be given the option to enroll this method and use it for authentication. Passcodes by email are one-time use only and have lifetimes attached to them (see below).
Passcode by Email: Passcode Length
This is the length of the passcode that will be sent to the customer by email (SMTP). The default, minimum and recommended length is 6 characters (numbers). The maximum length is 8 characters (numbers).
Passcode by Email: Passcode Lifetime
This is the lifetime period that Fusion will still accept the passcode and typically means that your customers have this amount of time to use it before it expires. Once the lifetime has been exceeded the passcode will be invalidated by Fusion and the customer will need to restart the log in process.
Enable Magic Link by Text Message
Once you enable this Multi-Factor Authentication option any admins will be given the option to enroll this method and use it for authentication. Magic Links by text message are one-time use only and have lifetimes attached to them (see below).
Magic Link by Text Message: Lifetime
This is the lifetime period that Fusion will still accept the magic link and typically means that your customers have this amount of time to use it before it expires. Once the lifetime has been exceeded the magic link will be invalidated by Fusion and the customer will need to restart the log in process.
Enable Magic Link by Email
Once you enable this Multi-Factor Authentication option any admins will be given the option to enroll this method and use it for authentication. Magic Links by email message are one-time use only and have lifetimes attached to them (see below).
Magic Link by Email: Lifetime
This is the lifetime period that Fusion will still accept the magic link and typically means that your customers have this amount of time to use it before it expires. Once the lifetime has been exceeded the magic link will be invalidated by Fusion and the customer will need to restart the log in process.
Enable Google Authenticator or other Soft Token
Once you enable this Multi-Factor Authentication option, it means that any customers using an application that you've assigned this policy too will be given the option to enroll this method using My Account and use it for authentication.
Google Authenticator/Soft Token: Passcode Length
This is the length of the passcode that will be configured in Google Authenticator or other Soft Token on the customers mobile device.
Google Authenticator/Soft Token: Passcode Offset
This is the time step value or variance that is allowed to accommodate any clock skew between the device on which Google Authenticator or other Soft Token is running and Strivacity Fusion.
Google Authenticator/Soft Token: Interval Time
This specifies the number of codes before or after the current code that Fusion will accept.
Google Authenticator/Soft Token: Label Name
This is the name displayed with Google Authenticator or other Soft Token, and unless a value is specified this will default to the Brand name specified in the Branding Policy for the application that this Adaptive MFA policy is assigned to.

3) Remember My Device

Setting
Description
Enable Remember My Device
This is used in conjunction with Multi-Factor Authentication. After the first login with MFA any future MFA steps will be bypassed until the number of days has elapsed or the device is removed using self-service from the My Account page.
Number of Days To Remember The Device
The number of days that any future MFA steps will be bypassed until the number of days has elapsed or the device is removed from self-service. This is 30 days by default.
Configuration - Previous
Admin Roles
Next - Configuration
Admin Branding
Last modified 7d ago
Export as PDF
Copy link
Contents
1) Configure the Login Workflow
2) Multi-factor Authentication
3) Remember My Device
Follow these steps to configure Admin Adaptive MFA.
1) Login Workflow
2) Multi-factor Authentication
3) Remember My Device