Navigate to Security > 2FA Management to get started.
Here, you can select which secondary authentication factors are available for users to choose from. We recommend that you offer multiple options, so your end users may choose the option that is best for them.
The following factors are supported:
- WebAuthn (aka security key)
A FIDO/U2F or FIDO2/WebAuthn security key, such as a YubiKey or Titan Security Key. Connects to your device via USB, Bluetooth, NFC, or another protocol to perform a cryptographic exchange. Learn more about supported MFA hardware devices here.
- Push to verify
A push message sent via the HelloID Authenticator app for iOS and Android. A traditional six-digit verification code can also be set up using third-party apps like Google Authenticator.
- Hardware token authentication (aka classic hardware tokens)
A low-cost OATH TOTP token. Provides one-time passwords for authenticating your end users to HelloID and other supported systems, usually via an LCD screen. Learn how to manage classic hardware tokens here.
- Email
A traditional verification code is sent to the user via email.
- SMS
A traditional verification code is sent to the user via SMS. Learn how to configure SMS here.
The following configuration options are available:
- Manage OATH Tokens (Hardware token authentication)
This link takes you to the OATH Management page, where you can configure users' tokens.
- Configure (SMS)
Allows you to select and configure your SMS provider.
If you disable all factors, you will receive a warning that the end user will be logged in automatically, without a second factor, after entering their username and password. This is the same as disabling multi-factor authentication.
Select the Apply button to confirm your changes.
Reset a user's second factors ("Let the user choose their MFA option")
To reset a user's second factors when your Portal Access Rules or Application Access Rules are set to Let the user choose their MFA option, go to Directory > Users and select the user's Reset second factor link.
In the Reset second factor dialog box, select the factor type(s) you want to reset for the user. Note that if the user has enrolled multiple factors of a single type, resetting that type will remove all enrolled factors of that type.
Select the Reset button to confirm.
If the user has no factors remaining after the reset, they will be prompted to re-enroll a factor during their next login. They can also re-enroll additional factors in their end user security overview.
Reset a user's second factors (Fixed MFA type)
To reset a user's second factors when your Portal Access Rules or Application Access Rules are set to a fixed factor type, you will need to use the HelloID API.
To do so, send a PUT: Update user request containing one of the following request bodies.
The user will be prompted to re-enroll a second factor during their next login.