Two-factor authentication (2FA) adds a mandatory verification step after password logon, protecting accounts from unauthorized access even when passwords are compromised. IDaaS EIAM enables 2FA by default.
2FA configuration
Attach two-factor authentication during logon
This feature lets accounts without an attached 2FA method attach one during the logon flow if they meet the attachment conditions.
Attachment conditions
An account can attach a 2FA method during logon only when it meets all enabled conditions. Configure these conditions to control which accounts are eligible.
| Condition | What it means | Recommendation |
|---|---|---|
| Account has no available two-factor authentication method | The account has not attached any of the currently enabled 2FA methods. For example, if SMS verification code is enabled but the account only has an email address — not a phone number — this condition is met. | Enable this condition as the baseline gate |
| Account has no successful logon record | The account has never completed a successful logon to IDaaS EIAM. | Enable this condition; if existing accounts still need to attach a method, enable it once they have done so. It reduces the risk of an existing account being hijacked through the attachment flow |
| Account created less than n days ago | Only accounts created within the specified number of days are eligible to attach | Enable this condition to restrict attachment to genuinely new accounts, reducing the risk of older accounts being compromised |
Attachable methods
Not all enabled 2FA methods are automatically available for attachment. A method can be attached during logon only when it is both enabled as a 2FA method and enabled as an attachable method.
For example, if an instance has SMS verification code and email verification code enabled as 2FA methods but only SMS verification code enabled as an attachable method, an account that has neither a phone number nor an email address can attach a phone number during logon but cannot attach an email address.
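The following is an added example, not code from IDaaS EIAM, that evaluates the two rules described above: an account may attach a method during logon only if every enabled attachment condition holds, and only methods that are enabled both as 2FA methods and as attachable methods are offered. The condition names and method names come from this page; the account and policy data model, and the mapping of each method to the account attribute it needs, are assumptions made for illustration.

```python
"""Added example (not IDaaS EIAM code): logon-time 2FA attachment policy check."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

# Assumed mapping: which account attribute each 2FA method relies on.
METHOD_REQUIRES = {
    "sms_code": "phone",    # SMS verification code needs a phone number
    "email_code": "email",  # email verification code needs an email address
}


@dataclass
class Account:
    """Assumed minimal account record."""
    name: str
    created_at: datetime          # timezone-aware creation time
    phone: Optional[str] = None
    email: Optional[str] = None
    successful_logons: int = 0


@dataclass
class AttachPolicy:
    """Assumed instance-level configuration mirroring the page's settings."""
    enabled_methods: Set[str]          # methods enabled as 2FA methods
    attachable_methods: Set[str]       # methods enabled as attachable during logon
    require_no_available_method: bool = True   # condition 1
    require_no_successful_logon: bool = True   # condition 2
    max_account_age_days: Optional[int] = None  # condition 3; None = disabled


def available_methods(account: Account, policy: AttachPolicy) -> Set[str]:
    """Enabled 2FA methods the account can already use with its current attributes."""
    return {m for m in policy.enabled_methods
            if getattr(account, METHOD_REQUIRES[m]) is not None}


def failed_conditions(account: Account, policy: AttachPolicy, now: datetime) -> list:
    """Names of enabled attachment conditions the account does NOT satisfy."""
    failed = []
    if policy.require_no_available_method and available_methods(account, policy):
        failed.append("account already has an available 2FA method")
    if policy.require_no_successful_logon and account.successful_logons > 0:
        failed.append("account has a successful logon record")
    if policy.max_account_age_days is not None:
        if now - account.created_at > timedelta(days=policy.max_account_age_days):
            failed.append("account is older than the allowed number of days")
    return failed


def methods_attachable_at_logon(account: Account, policy: AttachPolicy,
                                now: Optional[datetime] = None) -> Set[str]:
    """Methods the account may attach during logon; empty if any enabled condition fails.

    A method is offered only when it is enabled as a 2FA method AND as an
    attachable method, and (assumed) the account lacks the attribute it needs.
    """
    now = now or datetime.now(timezone.utc)
    if failed_conditions(account, policy, now):
        return set()
    return {m for m in policy.enabled_methods & policy.attachable_methods
            if getattr(account, METHOD_REQUIRES[m]) is None}


if __name__ == "__main__":
    # Constructed scenario from the page: SMS + email enabled as 2FA, only SMS attachable.
    policy = AttachPolicy(enabled_methods={"sms_code", "email_code"},
                          attachable_methods={"sms_code"},
                          max_account_age_days=7)
    acct = Account("new-user", datetime.now(timezone.utc) - timedelta(days=1))
    print(methods_attachable_at_logon(acct, policy))  # only SMS is offered
```

Running the block with the scenario from the text yields `{'sms_code'}`: email verification code is an enabled 2FA method but not attachable, so it is never offered. Flip any one condition (give the account a successful logon, or make it older than the configured window) and the result becomes the empty set, which is the "all enabled conditions must hold" rule in code form.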