Multi-factor authentication (MFA) is an easy-to-use and effective authentication method that supplements username and password authentication. MFA adds an extra layer of protection by verifying users who initiate console logons, which enhances the security of your account.

Overview

If you enable the username-password logon for a CloudSSO user, MFA is automatically enabled. CloudSSO allows you to use MFA devices for authentication.

You can perform the following steps to enable MFA for a CloudSSO user:

  1. As a CloudSSO administrator, enable MFA for the CloudSSO user so that the user's logon is verified.
    You can also enable MFA for all CloudSSO users based on your business requirements. For more information, see Enable MFA for all CloudSSO users or Enable MFA for a CloudSSO user.
  2. The first time the CloudSSO user logs on to the CloudSSO user portal, the user binds an MFA device for verification.
    For more information, see Bind the first MFA device.

The following sections describe how to enable MFA for all CloudSSO users, enable MFA for a CloudSSO user, and unbind MFA devices. You must perform these operations as a CloudSSO administrator.

Enable MFA for all CloudSSO users

  1. Log on to the CloudSSO console.
  2. In the left-side navigation pane, click Settings.
  3. In the Username-password Logon section, click Edit below Whether to Enable MFA When Logon.
  4. In the Edit MFA Verification Settings dialog box, configure MFA settings. The following options are supported:
    1. Specify whether to enable MFA.
      • Enable: enables MFA for all CloudSSO users. This is the default value.

        If you select this option, an MFA device must be bound the first time each user logs on to the CloudSSO user portal. For more information, see Bind the first MFA device.

      • Custom Configuration: enables MFA based on the MFA settings of each CloudSSO user.

        For more information about how to enable MFA for a user, see Enable MFA for a CloudSSO user.

      • Required Only for Unusual Logon: MFA is required only when a logon is initiated from a location or device other than the common logon locations or devices.
      • Disable: disables MFA for all users.
    2. Configure the Whether to Enable MFA Upon Unusual Logon parameter if you select Custom Configuration or Required Only for Unusual Logon in the previous step.
      • Allow to Skip Binding MFA: CloudSSO users who initiate unusual logons are prompted for MFA but are allowed to skip it.
      • Must Bind MFA Device: MFA is required for unusual logons.
  5. Click OK.

Enable MFA for a CloudSSO user

If you select Custom Configuration in Enable MFA for all CloudSSO users, you must configure MFA settings for each user as a CloudSSO administrator.

  1. Log on to the CloudSSO console.
  2. In the left-side navigation pane, choose User Management > User.
  3. Click the name of the user for which you want to configure MFA settings.
  4. On the Details tab, find the MFA Settings section and click Edit below Whether to Enable MFA Logon.
  5. In the Edit MFA Verification Settings dialog box, configure MFA settings. The following options are supported:
    • Enable: enables MFA for the user.

      If you select this option, an MFA device must be bound the first time the user logs on to the CloudSSO user portal. For more information, see Bind the first MFA device.

    • Required Only for Unusual Logon: MFA is required only when a logon is initiated from a location or device other than the common logon locations or devices.
    • Disable: disables MFA for the user.
  6. Click OK.
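
The directory-wide and per-user options above combine into one effective MFA mode per user. The following Python audit is an added example, not part of the CloudSSO documentation and not a CloudSSO API: it resolves that mode and flags weak results. The snapshot structure, field names and user names are hypothetical and constructed by hand from the console values, and it assumes the unusual-logon skip setting applies to users whose effective mode is Required Only for Unusual Logon.

```python
# Added example: field names and the settings snapshot are hypothetical,
# transcribed by hand from the console; nothing here calls a CloudSSO API.
GLOBAL_MODES = {"Enable", "Custom Configuration",
                "Required Only for Unusual Logon", "Disable"}
USER_MODES = {"Enable", "Required Only for Unusual Logon", "Disable"}
UNUSUAL = "Required Only for Unusual Logon"


def effective_mode(global_mode, user_mode):
    """Resolve the MFA mode that applies to one user."""
    if global_mode not in GLOBAL_MODES:
        raise ValueError(f"unknown directory-wide mode: {global_mode!r}")
    if global_mode != "Custom Configuration":
        return global_mode  # directory-wide value applies to every user
    if user_mode not in USER_MODES:
        raise ValueError(f"unknown per-user mode: {user_mode!r}")
    return user_mode


def audit(snapshot):
    """Return sorted (user, finding) pairs for weak MFA posture."""
    findings = []
    for name, user in snapshot["users"].items():
        mode = effective_mode(snapshot["mfa_mode"], user.get("mfa_mode"))
        if mode == "Disable":
            findings.append((name, "MFA disabled"))
        elif mode == UNUSUAL:
            if snapshot.get("unusual_logon") == "Allow to Skip Binding MFA":
                findings.append((name, "MFA on unusual logon can be skipped"))
            else:
                findings.append((name, "MFA only on unusual logon"))
        elif not user.get("mfa_devices"):
            findings.append((name, "MFA enabled, no device bound yet"))
    return sorted(findings)


# Constructed sample data (assumed shape, not exported from CloudSSO).
SNAPSHOT = {
    "mfa_mode": "Custom Configuration",
    "unusual_logon": "Allow to Skip Binding MFA",
    "users": {
        "alice": {"mfa_mode": "Enable", "mfa_devices": ["virtual-mfa-1"]},
        "bob": {"mfa_mode": "Disable", "mfa_devices": []},
        "carol": {"mfa_mode": UNUSUAL, "mfa_devices": []},
        "dave": {"mfa_mode": "Enable", "mfa_devices": []},
    },
}

if __name__ == "__main__":
    for name, finding in audit(SNAPSHOT):
        print(f"{name}: {finding}")
```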

Unbind an MFA device

For users to whom MFA devices are bound, a CloudSSO administrator can unbind the MFA devices based on business requirements.

Warning: If you unbind MFA devices from CloudSSO users, the MFA devices cannot be used to verify the identities of the CloudSSO users. This reduces account security.

  1. Log on to the CloudSSO console.
  2. In the left-side navigation pane, choose User Management > User.
  3. Click the name of the user from whom you want to unbind an MFA device.
  4. On the Details tab of the user details page that appears, find the MFA device that you want to unbind in the MFA Devices section and click Delete in the Actions column.
  5. In the Delete Virtual MFA Device message, click OK.