Multi-Factor Authentication (MFA) Settings

What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication (or “MFA”) is a security mechanism that requires users to provide multiple forms of authentication to verify their identity and gain access to a system or application. This typically takes the form of a user-created username and password, followed by a generated One-Time Passcode (or “OTP”) sent to the user’s email or phone.

Multi-Factor Authentication provides an additional level of security for user accounts beyond a simple password, making it more difficult for a potential attacker to gain access to a user’s account.

Using Multi-Factor Authentication in Ondexx

In Ondexx, Multi-Factor Authentication is an optional setting that can be enabled by the instance administrators.

When in use, a user is presented with a passcode challenge upon successfully authenticating. They will be required to enter the one-time passcode (valid for 15 minutes) sent to their email before they can proceed. If needed, they can manually resend a new passcode.

After successfully entering the OTP, they can proceed into Ondexx as normal.

By default, MFA applies to all forms-based authentication users in Ondexx, i.e. those who log in with an Ondexx-specific username and password.

Single Sign-On users are excluded from MFA by default, as SSO is its own form of multi-factor authentication.

Enabling Multi-Factor Authentication

Super Admins can manage MFA settings in Configuration > Application Settings under the Multi-Factor Authentication (MFA) heading.

To turn on Multi-Factor Authentication, set the toggle to Enabled. You can optionally customize the instance’s MFA settings by user domain, either exempting users from specific domains from MFA or enforcing MFA only for users from specific domains.

By default, MFA only applies to users using forms-based authentication. To enforce MFA for Single Sign-On, click “Enforce Multi-factor Authentication for Single Sign-On users.”

When you have finished making changes, click SAVE at the bottom of the page.

Customizing MFA by User Domain

Multi-Factor Authentication can be customized granularly by user domain, allowing users with specific email address domains to be included or excluded from MFA. The default MFA setting for unlisted domains can also be modified here.

To start customizing your MFA configuration, set Multi-Factor Authentication (MFA) to Enabled, then set “Customize settings by User Domain” to Enabled.

Start by determining the default MFA behaviour for user domains that aren’t specifically listed. We recommend setting this to Enabled for the strongest security, as it ensures that any unlisted domains require MFA. If you only want listed domains to use MFA, set this to Disabled.

To set custom MFA behaviour for a specific user domain, start by adding the domain to the table. To do this, enter the name of the domain (e.g. “ondexx.com”) and click +. Then, choose if you would like users from this user domain to use MFA or not, and set the toggle to Enabled or Disabled accordingly.
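To review which accounts a given configuration would leave without an OTP challenge, the settings above can be modelled offline. The following is an added example, not Ondexx code: the `MfaSettings` class, the function names, the sample users, the case-insensitive exact domain match and the order in which the SSO and domain checks are applied are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class MfaSettings:
    """Hypothetical model of the toggles described on this page."""
    enabled: bool = False
    customize_by_domain: bool = False
    default_for_unlisted: bool = True   # the recommended value (Enabled)
    domain_rules: dict = field(default_factory=dict)  # domain -> True (MFA) / False (exempt)
    enforce_for_sso: bool = False

def mfa_required(settings, email, is_sso):
    """Decide whether a login is challenged for a one-time passcode."""
    if not settings.enabled:
        return False
    # SSO users are excluded unless enforcement for SSO is switched on.
    # Assumption: this check is applied before the per-domain rules.
    if is_sso and not settings.enforce_for_sso:
        return False
    if not settings.customize_by_domain:
        return True
    # Assumption: exact, case-insensitive match on the text after the last "@".
    domain = email.rsplit("@", 1)[-1].strip().lower()
    rules = {d.strip().lower(): v for d, v in settings.domain_rules.items()}
    return rules.get(domain, settings.default_for_unlisted)

def exempt_users(settings, users):
    """Return the accounts that would log in without an OTP challenge."""
    return [email for email, is_sso in users
            if not mfa_required(settings, email, is_sso)]

# Constructed sample accounts: (email, signs in through SSO?)
SAMPLE_USERS = [
    ("alice@ondexx.com", False),
    ("bob@partner.example", False),
    ("carol@Other.example", False),
    ("dave@ondexx.com", True),
]

if __name__ == "__main__":
    # Default Enabled for unlisted domains, one domain explicitly exempted.
    strict = MfaSettings(enabled=True, customize_by_domain=True,
                         default_for_unlisted=True,
                         domain_rules={"partner.example": False})
    # Default Disabled: only the listed domain is challenged.
    listed_only = MfaSettings(enabled=True, customize_by_domain=True,
                              default_for_unlisted=False,
                              domain_rules={"ondexx.com": True})
    print("strict     :", exempt_users(strict, SAMPLE_USERS))
    print("listed only:", exempt_users(listed_only, SAMPLE_USERS))
```

Comparing the two lists shows the effect of the default for unlisted domains: with it set to Disabled, every account on a domain missing from the table is exempt.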

Updated on June 2, 2025