Require users to set up MFA factors
This topic describes how to require your users to set up a minimum number of authentication factors for MFA. For example, if you have enabled four factors, you can require your users to set up two of them before they can continue to the User Portal. This makes MFA configuration more flexible, as users can choose which authentication factors are most convenient for them, as long as they meet the required number of authentication factors.
- If this is a user's first login, they have to set up the MFA factors after logging in but before gaining access to the User Portal.
- If the user previously set up the required number of MFA factors, they are not prompted to do it again.
Requiring users to set up MFA factors is different from requiring MFA to access particular systems or applications. The latter is set as an MFA login requirement; this procedure only requires users to set up a minimum number of MFA factors.
To require users to set up a minimum number of MFA factors
- Log in to the Identity Administration portal.
- Click Core Services > Policies.
- Select the relevant policy set or create a new one.
- Click User Security Policies > User Account Settings.
- Enable the desired MFA factors for users impacted by the policy.
  For example:
  - Permit device enrollment (an enrolled device is used for the mobile authenticator factor)
  - Mobile phone number
  - FIDO2
  - OATH OTP
    This requires allowing OATH OTP integration. Refer to Enable OATH OTP for more information.
    If you require users to configure OATH OTP without allowing the integration, users can't configure the required number of factors and can't continue. Depending on the Policy Assignment, requiring OATH OTP without allowing the integration could lock out system administrators.
  - Security question
  Remember to select the option to prompt users to configure the associated MFA factor.
- Click the drop-down menu next to Number of authentication factors user is required to configure upon login and select the number of factors you want to require.
  If you leave this setting unset ( -- ), setting up each enabled MFA factor will be optional.
The following image shows policy settings with four MFA factors enabled, with a requirement for users to set up at least two of them.
- Click Save.
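Before saving, the lockout condition described in the OATH OTP step can be checked on paper or in a script. The following is an added example, not part of the product or its API: the MfaSetupPolicy fields and factor names are hypothetical stand-ins for the settings in this procedure, and the sample policies are constructed. It generalizes the OATH OTP warning to any case where the required number exceeds the factors a user can actually configure.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class MfaSetupPolicy:
    # Hypothetical model of the settings in this procedure (not a product schema).
    name: str
    prompted_factors: frozenset         # factors users are prompted to configure
    oath_otp_integration_allowed: bool  # "allow OATH OTP integration" setting
    required_count: Optional[int]       # None models the unset ( -- ) value
    assigned_to_admins: bool = False    # policy assignment includes administrators

def configurable_factors(policy):
    """Factors a user can really finish setting up under this policy."""
    usable = set(policy.prompted_factors)
    if not policy.oath_otp_integration_allowed:
        usable.discard("oath_otp")      # OATH OTP setup needs the integration
    return usable

def review(policy):
    """Return (severity, message) findings; an empty list means no issue found."""
    findings = []
    usable = configurable_factors(policy)
    if "oath_otp" in policy.prompted_factors and not policy.oath_otp_integration_allowed:
        findings.append(("warn", "OATH OTP is prompted but its integration is not allowed"))
    if policy.required_count is None:
        findings.append(("info", "required count unset: each enabled factor is optional"))
    elif policy.required_count > len(usable):
        severity = "critical" if policy.assigned_to_admins else "error"
        findings.append((severity,
            f"{policy.required_count} factors required but only {len(usable)} "
            "can be configured; users cannot continue past login"))
    return findings

# Constructed sample policies.
SAMPLE_OK = MfaSetupPolicy("four-enabled-two-required",
    frozenset({"mobile_authenticator", "phone_number", "fido2", "security_question"}),
    oath_otp_integration_allowed=True, required_count=2)
SAMPLE_LOCKOUT = MfaSetupPolicy("otp-without-integration",
    frozenset({"oath_otp", "security_question"}),
    oath_otp_integration_allowed=False, required_count=2, assigned_to_admins=True)
SAMPLE_OPTIONAL = MfaSetupPolicy("count-unset",
    frozenset({"fido2", "security_question"}),
    oath_otp_integration_allowed=True, required_count=None)

if __name__ == "__main__":
    for p in (SAMPLE_OK, SAMPLE_LOCKOUT, SAMPLE_OPTIONAL):
        print(p.name, review(p) or "no findings")
```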