Navigate to Security > 2FA Management to get started.
Here, you can select which secondary authentication factors are available for users to choose from. We recommend that you offer multiple options, so your end users may choose the option that is best for them.
The following factors are supported:
- WebAuthn (aka security key)
A FIDO/U2F or FIDO2/WebAuthn security key, such as a YubiKey or Titan Security Key. Connects to your device via USB, Bluetooth, NFC, or other protocol to perform a cryptographic exchange. Learn more about supported MFA hardware devices here.
- Push to verify
A push message sent via the HelloID Authenticator app for iOS and Android. A traditional six-digit verification code can also be set up using third-party apps like Google Authenticator.
- Hardware token authentication (aka classic hardware tokens)
A low-cost OATH TOTP token. Provides one-time passwords for authenticating your end users to HelloID and other supported systems, usually via an LCD screen. Learn how to manage classic hardware tokens here.
- Email
A traditional verification code is sent to the user via email.
- SMS
A traditional verification code is sent to the user via SMS. Learn how to configure SMS here.
The following configuration options are available:
- Manage OATH Tokens (Hardware token authentication)
This link takes you to the OATH Management page, where you can configure users' tokens.
- Configure (SMS)
Allows you to select and configure your SMS provider.
- Remember MFA
Adds a Remember Me checkbox to the MFA screen in the login flow.
When users select this checkbox during login, they will not receive another MFA challenge for the duration specified in the Days to Remember field. This choice is stored in a cookie and is valid only as long as they remain logged in. If users manually log out, they will receive another MFA challenge. This setting is independent of the Enable remember me for end users setting in Sign On Policies.
If you disable all factors, you will receive a warning that the end user will be logged in automatically, without a second factor, after entering their username and password. This is equivalent to disabling multi-factor authentication.
Select the Apply button to confirm your changes.
Reset a user's second factors ("Let the user choose their MFA option")
To reset a user's second factors when your Portal Access Rules or Application Access Rules are set to Let the user choose their MFA option, go to Directory > Users and select the user's Reset second factor link.
In the Reset second factor dialog box, select the factor type(s) you want to reset for the user. Note that if the user has enrolled multiple factors of a single type, resetting that type will remove all enrolled factors of that type.
Select the Reset button to confirm.
If the user has no factors remaining after the reset, they will be prompted to re-enroll a factor during their next login. They can also re-enroll additional factors in their end user security overview.
Reset a user's second factors (Fixed MFA type)
To reset a user's second factors when your Portal Access Rules or Application Access Rules are set to a fixed factor type, you will need to use the HelloID API.
To do so, send a PUT: Update user request containing one of the following request bodies.
The user will be prompted to re-enroll a second factor during their next login.