2FA
To get started, Add a portal access rule or Add an application access rule and configure the Two-Factor tab. Then, enable/disable the factor types that will be available to users in Security > 2FA > Management.
The following 2FA factor types are supported:
Important
These settings pertain only to the dynamic 2FA option. See Fixed vs. dynamic 2FA.
WebAuthn (aka security key): A FIDO/U2F or FIDO2/WebAuthn security key, such as a YubiKey or Titan Security Key. Connects to your device via USB, Bluetooth, NFC, or other protocol to perform a cryptographic exchange. See Supported 2FA hardware.
Push to verify: A push message sent via the HelloID Authenticator app for iOS and Android. A traditional six digit verification code can also be set up using third party apps like Google Authenticator.
Hardware token authentication (aka classic hardware tokens): A low-cost OATH TOTP token. Provides one-time passwords for authenticating your end users to HelloID and other supported systems, usually via an LCD screen.
Email: A traditional verification code is sent to the user via email.
SMS: A traditional verification code is sent to the user via SMS.
After you configure 2FA, users can Enroll in 2FA.
The following configuration options are available:
- Remember MFA
Shows a "Remember Me" checkbox to the MFA login flow. This is stored in a cookie and is valid only as long as the user remains logged in. This setting is independent from the Enable Remember Me For End Users setting in Sign-on policies.
Fixed vs. dynamic 2FA
In portal access rules and application access rules, there are two 2FA options: 1) fixed vs. 2) dynamic.
Fixed: The upper pane (What type of two-factor do you want to enable?) enforces a single factor type chosen by the administrator.
Dynamic: The lower pane (Let the user choose their MFA option) lets each user select their own factor type, from among the types you've enabled in Security > 2FA > Management.
Tip
Unless you have a specific reason to use the fixed 2FA option, we recommend using the dynamic option.