Introduction
Increase your security posture by enabling multifactor authentication within HelloID. The most basic implementation in HelloID is by controlling portal-level logins. Our example will cover the scenario where the organization considers logins from the local network as safe but want other login options to face additional challenge.
Define the desired behavior
Examine the login option available to the organization. Are there multiple IdP's available? What are the work habits of your users? Is there a reasonable need for access offsite or off hours? Our example scenario will cover three classes of access:
- General use - A "normal" onsite user
- Sensitive access - Users who are onsite that have access to privileged resources
- Offsite - Anyone accessing HelloID from an uncontrolled environment
Implement the policies
Browse to Security > Policies > Portal Access Rules and select "+ Add access rule"
Configure the 'General use' example
| Option | Setting |
| Perform Action | Permit Access |
| When Accessing | Relevant IdP |
| From Network |
Select "IP Restriction for these IP ranges" Enter the public IP address(es) of the organization |
| Rule Name | Enter a name or accept the suggestion |
Note: before enabling this, or any other, access rule, double check the settings and ensure that the administrative accounts will retain access after the application of the rule. Consider creating a "break-the-glass" local account for emergency use.
Configure the Sensitive Access example
Create a new policy with the above settings and these additions
| Option | Setting |
| By People | Select group(s) with sensitive application access |
| Two-Factor | Enable |
Once multifactor is enabled, further configuration is required.
The first block represents administratively-defined settings while the second allows the user to choose their preferred MFA alternative. Learn more about how to configure available MFA options.
Configure Offsite access
This policy is both a blend and an inversion of the previous two. Create a new policy and set the options:
| Option | Setting |
| Perform Action | Permit Access |
| When Accessing | Relevant IdP |
| From Network |
Select "Apply this rule on all IP ranges except" Enter the public IP address(es) of the organization |
| By People |
Leave blank or select an 'All Users' type of group |
| Two Factor |
Enable & configure |
| Rule Name | Enter a name or accept the suggestion |
Summary
We now have three unique portal access policies that improve security and provide accommodations for logins under safer circumstances. With the ability to allow or negate individual conditions, nearly every possible scenario can by implemented to secure your HelloID instance.