Skip to main content




To get started, Add a portal access rule or Add an application access rule and configure the Two-Factor tab. Then, enable/disable the factor types that will be available to users in Security > 2FA > Management.

The following 2FA factor types are supported:


These settings pertain only to the dynamic 2FA option. See Fixed vs. dynamic 2FA.

  • WebAuthn (aka security key): A FIDO/U2F or FIDO2/WebAuthn security key, such as a YubiKey or Titan Security Key. Connects to your device via USB, Bluetooth, NFC, or other protocol to perform a cryptographic exchange. See Supported 2FA hardware.

  • Push to verify: A push message sent via the HelloID Authenticator app for iOS and Android. A traditional six digit verification code can also be set up using third party apps like Google Authenticator.

  • Hardware token authentication (aka classic hardware tokens): A low-cost OATH TOTP token. Provides one-time passwords for authenticating your end users to HelloID and other supported systems, usually via an LCD screen.

  • Email: A traditional verification code is sent to the user via email.

  • SMS: A traditional verification code is sent to the user via SMS.

After you configure 2FA, users can Enroll in 2FA.

The following configuration options are available:

Remember MFA

Shows a "Remember Me" checkbox to the MFA login flow. This is stored in a cookie and is valid only as long as the user remains logged in. This setting is independent from the Enable Remember Me For End Users setting in Sign-on policies.

Fixed vs. dynamic 2FA

In portal access rules and application access rules, there are two 2FA options: 1) fixed vs. 2) dynamic.

  1. Fixed: The upper pane (What type of two-factor do you want to enable?) enforces a single factor type chosen by the administrator.

  2. Dynamic: The lower pane (Let the user choose their MFA option) lets each user select their own factor type, from among the types you've enabled in Security > 2FA > Management.


Unless you have a specific reason to use the fixed 2FA option, we recommend using the dynamic option.