Manage adaptive MFA

This topic provides an overview of how to secure access with adaptive MFA and describes how to review whether users in a selected role have configured the relevant authentication mechanisms.

You can specify which authentication mechanisms users must provide to access the service (authentication profiles), as well as if and when multi-factor authentication is required (authentication rules). For example, you can create a rule to require that users provide a password and text message confirmation code if they are coming from an IP address that is outside of your corporate IP range. To specify this requirement, you need to create a rule and associate it with an authentication profile.

Before you configure MFA for anything, first decide what authentication mechanism you want to use, then make sure your users have that mechanism configured for their user account.

A built-in report is available to view whether users have setup the necessary information for multi-factor authentication challenges. For example, if you plan to use SMS confirmation codes as an authentication factor, you need to make sure all users impacted by the authentication policy have a mobile number associated with their account, otherwise they might be locked out.

Additional licenses might be required for access to all authentication mechanisms. Contact your account representative for more information.

To verify whether users have configured required MFA challenges

  1. From the Reports page in the Identity Administration portal, navigate to Builtin Reports > Security, and open User MFA challenge setup status.

    The Required Parameters window appears.

  2. Select the role that will be impacted by your Authentication Policy.

    For performance reasons, run this report on roles with approximately 1,000 users or less.

    The report opens, showing whether your users have configured the required information for authentication factors that could result in lockout if the required information is absent. For example, a user with no associated mobile phone will have false in the Sms column.

  3. Review the report and follow up with users missing required information.

In this section: