Multi-factor authentication (MFA) is an easy-to-use and effective authentication model that supplements the username and password authentication model. It provides an extra layer of protection by verifying users who initiate console logons, which enhances the security of your account.
Overview
When you enable username-password logon for CloudSSO users, multi-factor authentication (MFA) is enabled by default. CloudSSO uses virtual MFA. The following table describes the steps to enable MFA for CloudSSO users.
Step | Description | Operator | References
1 | Configure MFA. A CloudSSO administrator can enable global MFA or configure MFA for individual CloudSSO users. | CloudSSO administrator | Enable MFA for all CloudSSO users and Enable MFA for a CloudSSO user
2 | Bind an MFA device. When a CloudSSO user logs on to the CloudSSO user portal for the first time, they must bind an MFA device and complete MFA verification. | CloudSSO users |
The following sections describe how to enable MFA for all CloudSSO users, enable MFA for a single CloudSSO user, and unbind MFA devices. You must perform these operations as a CloudSSO administrator. For more information, see Bind or unbind MFA devices.
Enable MFA for all CloudSSO users
Log on to the CloudSSO console.
In the left-side navigation pane, click Settings.
On the User Settings tab, in the Username-password Logon section, for Whether to Enable MFA When Logon, click Edit.
In the Edit MFA Verification Settings dialog box, configure the following parameters.
Whether to Enable MFA When Logon
Enable: Requires MFA for all CloudSSO users.
If you select this option, each CloudSSO user must bind an MFA device the first time they log on to the CloudSSO user portal. For more information, see Bind the first MFA device.
Custom Configuration: Enables MFA based on the MFA settings of each CloudSSO user.
For more information, see Enable MFA for a CloudSSO user.
Required Only for Unusual Logon: Enforces MFA only for logons from untrusted environments, such as a new location or device.
Disable: Disables MFA for all users.
If you selected Custom Configuration or Required Only for Unusual Logon, you must also configure the MFA policy for an unusual logon.
Allow to skip binding: During an unusual logon, the user is prompted to bind an MFA device but can skip the process.
Force binding and verification: Requires the user to bind an MFA device and complete verification during an unusual logon.
Click OK.
Enable MFA for a single CloudSSO user
If you select Custom Configuration when you configure MFA for all CloudSSO users, you must configure MFA settings for each user as a CloudSSO administrator. For more information, see Enable MFA for all CloudSSO users.
Log on to the CloudSSO console.
In the left-side navigation pane, choose .
Click the name of the user that you want to manage.
On the Details tab, in the MFA Settings section, for Whether to Enable MFA When Logon, click Edit.
In the Edit MFA Verification Settings dialog box, configure MFA.
Enable: Requires MFA for this user.
If you select this option, the user must bind an MFA device the first time they log on to the CloudSSO user portal. For more information, see Bind the first MFA device.
Required Only for Unusual Logon: Enforces MFA only for logons from untrusted environments, such as a new location or device.
Disable: Disables MFA for this user.
Click OK.
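The global and per-user settings described in the two procedures above combine into one effective MFA requirement per user. The following is an added example, not Alibaba Cloud code and not a CloudSSO API call: it models that precedence as this page describes it and flags users who are not always challenged for MFA. The record fields (name, mfa_setting, devices), the function names, and the sample inventory are assumptions made for illustration.

```python
# Added example: models the MFA settings described on this page.
# Setting strings mirror the console labels; record fields are hypothetical.
ENABLE, DISABLE = "Enable", "Disable"
CUSTOM = "Custom Configuration"
UNUSUAL_ONLY = "Required Only for Unusual Logon"
SKIP, FORCE = "Allow to skip binding", "Force binding and verification"
USER_CHOICES = (ENABLE, UNUSUAL_ONLY, DISABLE)


def effective_setting(global_setting, user_setting):
    """Per-user settings count only under Custom Configuration;
    any other global setting applies to every user."""
    if global_setting == CUSTOM:
        if user_setting not in USER_CHOICES:
            raise ValueError(f"invalid per-user setting: {user_setting!r}")
        return user_setting
    if global_setting not in USER_CHOICES:
        raise ValueError(f"invalid global setting: {global_setting!r}")
    return global_setting


def audit(global_setting, unusual_policy, users):
    """Return {user: [findings]} for users not always challenged for MFA."""
    findings = {}
    for user in users:
        eff = effective_setting(global_setting, user.get("mfa_setting"))
        notes = []
        if eff == DISABLE:
            notes.append("MFA disabled")
        elif eff == UNUSUAL_ONLY:
            notes.append("MFA only on unusual logon")
            # With skippable binding, a user with no device can skip the bind prompt.
            if unusual_policy == SKIP and not user["devices"]:
                notes.append("no device bound and binding can be skipped")
        if notes:
            findings[user["name"]] = notes
    return findings


# Constructed sample inventory (not real accounts or device IDs).
SAMPLE_USERS = [
    {"name": "alice", "mfa_setting": ENABLE, "devices": ["vmfa-1"]},
    {"name": "bob", "mfa_setting": UNUSUAL_ONLY, "devices": []},
    {"name": "carol", "mfa_setting": DISABLE, "devices": []},
]

if __name__ == "__main__":
    for name, notes in audit(CUSTOM, SKIP, SAMPLE_USERS).items():
        print(f"{name}: {'; '.join(notes)}")
```
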
Unbind an MFA device
Both CloudSSO administrators and users can unbind an MFA device. This section describes how an administrator performs this task.
If you unbind MFA devices from CloudSSO users, the MFA devices cannot be used to verify the identities of the CloudSSO users. This reduces account security.
Log on to the CloudSSO console.
In the left-side navigation pane, choose .
Click the name of the user that you want to manage.
On the Details tab, in the MFA Devices section, find the target MFA device and click Delete in the Actions column.
In the Unbind Virtual MFA Device message, click OK.