Advanced Settings
The Advanced tab under Configuration > Multi-Factor Authentication contains important settings that you can configure to further control how the MFA process for password reset, ADSelfService Plus logins, and endpoint logins behave.
General
- Hide CAPTCHA: Enable this setting to hide CAPTCHA in second-factor authentication pages.
- Enable MFA Backup Verification Codes: Select this setting to enable the generation of the MFA backup codes that let end-users prove their identity when their MFA device or authenticator is unavailable.
About backup codes
These one-time use backup codes allow users to prove their identities in case their MFA device is not reachable or they are unable to use their enrolled MFA methods of authentication. Once the Enable MFA Backup Verification Codes setting is enabled, the backup codes can be generated and end-users can enter them to authenticate themselves during machine or VPN logon, ADSelfService Plus portal login, or self-service actions. Backup codes can be generated in two ways:
- By the user: Users can generate backup codes in the ADSelfService Plus end-user portal. A total of five codes are generated every time the option is used. Each code cannot be used more than once.
- By the admin: Admins can also generate backup codes for users who have enrolled for MFA using the Enrolled Users Report. This comes in handy when users have not generated their own backup codes and cannot use the enrolled MFA methods. Learn more
Note:
- Users can use backup codes during VPN logins only when RADIUS-challenge response-based authentication methods are used for VPN login MFA.
- During VPN MFA, the generated backup code can be entered in the field provided for one-time passcodes at the VPN client.
- When identity verification is performed using backup codes, the Trust this browser and Trust this machine options will not be considered.
Reset/Unlock MFA
- Password Reset/Unlock Account idle time limit: Enabling this setting will set a time limit for how long a user can take to finish identity verification. For instance, if you set this to 5 minutes, users have to enter their SMS verification code or approve the push notification within 5 minutes. The idle time limit resets with every verification attempt or with actions such as choosing authenticators.
- Deny users from performing password reset/account unlock when partially enrolled: When this option is selected, end-users who've only partially completed the enrollment process (say, enrolled for 2 out of 4 authentication methods) will not be allowed to reset their passwords or unlock their accounts until they complete the enrollment process.
- Force enrollment post successful MFA for authenticators selected for other endpoints: Enabling this setting ensures users enroll with all the authenticators required not only for reset password and account unlock, but also logins to other endpoints like machines, VPNs, OWA, and applications. Enrollment is also enforced for authenticators set as mandatory in the MFA Enrollment tab.
Endpoint MFA
Machine Login MFA
- Machine Login MFA process can be idle for __ mins: Enabling this setting will set a time limit for users to complete the multi-factor authentication (MFA) process for logging into their machines.
- Skip MFA when the ADSelfService Plus server is down or unreachable: This option ensures users aren't left stranded on their machine login screens during the MFA process when the ADSelfService Plus server is down or unreachable. However, this also means renouncing the advanced security layer of MFA, which is not recommended. To avoid such circumstances, deploy offline MFA. This setting is not applicable when:
- Offline MFA is configured, and the user is enrolled with offline MFA on their device.
- Machine-based MFA is enforced in the device.
- Keep a machine trusted for ___ days: When this setting is enabled, users who have logged in once using the machine login MFA can skip going through MFA authentication during subsequent logins. Enabling this setting will help users avoid going through the MFA process every time they lock and unlock their machines. The trusted machine's status will be revoked after the specified number of days.
- Keep the Trust this machine option selected by default: By enabling this setting, you can keep the box next to Trust this machine checked on the MFA authentication screen by default.
- __ if the user is not enrolled in MFA: This setting determines the authentication flow for the user when they have not enrolled for any of the authenticators for Machine login MFA. The admin can configure one of the following actions to occur:
- Allow logins: The user will be permitted to bypass MFA and gain access.
- Deny logins: The user will be restricted from access.
- Force enrollment:
- The user will be forced to enroll with the authenticators for online MFA and offline MFA only after successful primary authentication.
- This option can be applied for only Windows and macOS machines. If a user is not enrolled and this option is selected, they're denied access into their Linux machine.
Important:
- Authenticators required for both online and offline MFA will be considered collectively, so if the user isn't enrolled for any of the authenticators required for both online and offline MFA, they will be considered not enrolled. Alternatively, if they are enrolled for at least one authenticator required for either of these login methods, they're considered as partially enrolled.
- This setting applies only for not enrolled users. Partially enrolled users will not be considered as not enrolled, and instead will be forced to enroll for the remaining authenticators after completing MFA using the enrolled authenticators.
- If authenticators that users cannot enroll themselves for such as custom hardware TOTP tokens and AD security questions are selected, they will be denied access even if Force enrollment is selected as only the admin can enroll them.
- When Machine-based MFA is enforced, this setting is overridden and users who haven't enrolled for any of the authenticators will be denied access to the machine, and partially enrolled users will be forced to enroll for the remaining authenticators required.
- Restrict users from performing offline MFA after _ days/attempts: When this setting is enabled, offline MFA is restricted to a certain number of days or attempts and users are mandated to connect back to ADSelfService Plus once this limit is exhausted.
Note:
- It is recommended that a value appropriate to your organizational requirements is set. Setting lower values than required could leave users stranded without access to the machine.
- It is recommended that you enable this setting as any change made to the self-service policy, MFA configuration, advanced settings, and modifications related to Offline MFA enrollment will reflect in the machines for the enrolled users only after they complete MFA when online.
- This limit will be reset when the particular user performs online authentication on the specific machine.
- Force user to enroll their device for offline MFA after successful online authentication: When this setting is enabled, once a user completes online MFA in a machine, It is automatically enrolled for offline MFA without notifying the user. If not enabled, the user can choose to enroll their machine for offline MFA or skip it.
OWA Login MFA
- OWA login MFA process can be idle for __ mins: When this setting is enabled, the user session will expire if the user is idle for the specified time interval.
- Skip MFA when the ADSelfService Plus server is down or unreachable: Enable this option if you want to avoid situations where the users can't access Outlook Web Access (OWA) or Exchange admin center when the ADSelfService Plus server is down or unreachable. However, be aware that enabling this option means renouncing the advanced security layer of MFA when the ADSelfService Plus server is down or unreachable, which is not recommended. To avoid such circumstances, deploy ADSelfService Plus with High Availability or Load Balancing.
- Keep the "Trust this browser" option selected by default: By enabling this setting, you can keep the box next to "Trust this browser" checked on the MFA authentication screen by default.
- Expire trust for a browser after __ days: When this setting is enabled, users who have logged in once using MFA for OWA can skip going through MFA authentication during subsequent logins. Enabling this setting will help users avoid going through the MFA process every time they log in to OWA or the Exchange admin center from the same browser. The trusted browser's status will be revoked after the specified number of days.
VPN Login MFA
- Keep the VPN MFA session valid for __ minutes: Enabling this setting will set a time limit for the second-factor authentication during VPN login. Say, if you set this to 2 minutes, users have to enter the code or approve the notification, as per the authentication method enabled, within 2 minutes.
Note: If your VPN server allow you to configure the RADIUS timeout limit, set it to a value that is greater than the session time limit you configure in this setting.
- Skip MFA when ADSelfService Plus server is down or unreachable: Enable this option if you do not want users to be lefts stranded at the login screen during VPN login when ADSelfService Plus server is down or unreachable.
- Skip MFA when the user is not enrolled for the required authenticators: Enable this option to allow users, who have not enrolled for the authentication methods enabled for VPN login, to skip MFA.
Applications MFA
ADSelfService Plus Login MFA
- Enable Passwordless Login: This setting allows users to access applications and the self-service portal without a password. Please refer to this page for more information.
Note: Please note that the Trust this browser setting will be disabled for the users for whom Passwordless Login is enabled to avoid security loopholes. When Passwordless Login is enforced, the user has to authenticate each time they attempt to access the application.
- Product login MFA process idle time is __: Enabling this setting will set a time limit for users to complete the multi-factor authentication (MFA) process.
- Force enrollment for not enrolled users after successful password verification: When this setting is enabled, users will not be forced to go through MFA when they log in for the first time. Instead they will be asked to go through enrollment after successful password verification.
- Force enrollment post successful MFA for authenticators selected for other endpoints: Enabling this setting ensures users enroll with all the authenticators required not only for ADSelfService Plus logins, but also for MFA during reset password and account unlock, as well as machines, VPN, OWA, and cloud application logins. Enrollment is also enforced for authenticators set as mandatory in the MFA Enrollment tab.
- Keep the 'Trust this browser' option selected by default: When this option is enabled, the "Trust this browser" checkbox will be selected by default in the MFA verification screen.
- Expire trust for a browser after ___ days: When this option is enabled, users will not be asked to go through MFA for the specified days when they log into ADSelfService Plus using trusted devices.
Cloud Applications Login MFA
- Enable Passwordless Login: This setting allows users to access applications and the self-service portal without a password. Please refer to this page for more information.
Note: Please note that the Trust this browser setting will be disabled for the users for whom Passwordless Login is enabled to avoid security loopholes. When Passwordless Login is enforced, the user has to authenticate each time they attempt to access the application.
- SSO-enabled applications login MFA process idle time limit is __ : Enabling this setting will set a time limit for users to finish the MFA process.
- Force enrollment for not enrolled users after successful password verification: When this setting is enabled, users will not be forced to go through MFA when they log in for the first time. Instead, they will be asked to go through enrollment after successful password verification.
- Keep a browser trusted for ___ day(s): When this option is enabled, users will not be asked to go through MFA for the specified number of days when they log in to ADSelfService Plus using trusted browsers.
- Keep the "Trust this browser" option selected by default: When this option is enabled, the "Trust this browser" checkbox will be selected by default in the MFA verification screen.
- Force enrollment post successful MFA for authenticators selected for other endpoints: Enabling this setting ensures users enroll with all the authenticators required not only for cloud application logins, but also for MFA during reset password and account unlock, as well as machines, VPN, OWA and ADSelfService Plus logins. Enrollment is also enforced for authenticators set as mandatory in the MFA Enrollment tab.
Q&A Settings
- Display _ Questions Out Of (Available list of Security Questions) at random. With this option, you can define the number of questions to be displayed to the end user. The questions will be randomly selected by ADSelfService Plus from the available list of security questions configured under Security Question and Answer Settings.
- Display _ AD Security Questions Out Of (Available list of AD Security Questions) at random. Select this option to specify the number of AD Security Questions to be asked during the identity verification process. The questions will be randomly selected by ADSelfService Plus from the available list of security questions configured under AD Security Questions Settings.
- Display Security Questions one by one. Checking this option will display the security questions one by one (i.e., one question per page).
- Display all Security Questions. Selecting this option will display all the security questions on a single page.
- Verify security question(s) answer as case sensitive. Selecting this option force case sensitive for answer provided by users.
- Hide security answer during authentication. Selecting this option will hide security answers by default.
- Prevent a user from providing their username as answer. This will prevent users from using their username as an answer.
- Prevent a user from providing the same answer to multiple questions. This will prevent users from providing the same answer to multiple questions.
- Prevent a user from using any word of the question in their answers. This will prevent users from copying words in the questions as answers.
- Force users to use only English characters (a-z), numbers (0-9), and symbols. This will make sure that users use only alphanumeric characters and symbols in their answers.
- Store security answers using reversible encryption. Selecting this option will store the security answers as plain text in ADSelfService Plus database. The answers can be viewed using the Security Questions and Answers report.
- Store security answers using ___ algorithm. Select this option to encrypt and store the answers to security questions using MD5 or SHA-512 algorithm.
Verification Code Settings
Mail/Mobile Attributes
- Select the attribute you want to view from the Select Type drop-down.
- Click Add Attribute to add a new attribute that contains the users' email addresses or mobile numbers.
Secondary Email/ Mobile Number
Others
- Set verification code length to ___ digits: Use this setting to set the number of digits in the verification code.
- Show 'Select Email ID/Mobile No.' in the mail/mobile dropdown list as default value: Enabling this option will show Select Email ID/Mobile No. as the default value in the email/mobile drop-down during identity verification.
- Partially hide Email ID/Mobile No. on MFA pages: This option will partially hide the email address and mobile number of the user during the identity verification process.
- Skip the "Choose Email Address/Mobile Number" step and auto-trigger the verification code: In some cases, the user might have enrolled in ADSelfService Plus with multiple email addresses or mobile numbers. By default, the product shows the user a drop-down to select the email address or mobile number to send the verification code to. However, when the Choose Email Address/Mobile Number step and auto-trigger the verification code option is checked, this drop-down is not displayed and the code is sent directly to the user's primary email address, which is determined based on:
- Email address or mobile number specified by the end user during self-enrollment, or by the admin during auto-enrollment via CSV or external databases (whichever is the latest).
- Email addresses or mobile numbers linked to the Active Directory user object. Admins can configure the mail or mobile attributes to be used for the policy, using the Advanced section of the MFA settings as shown in the screenshot below. To find it in the product GUI, log in to the product admin portal and go to Configuration > Self-Service > Multi-Factor Authentication (MFA) > Advanced tab > Verification Code > Mail/Mobile Attributes.
- Include admin/manager in CC of the identity verification email sent to users: Use this setting to include the user's manager or admin's email address in the CC line of the verification code email sent to the user. To achieve this,
- Check the box next to this setting.
- Enter the admin's email address in the Email ID field.
- Click Add Manager to include the email address of the user's manager.
Don't see what you're looking for?
-
Visit our community
Post your questions in the forum.
-
Request additional resources
Send us your requirements.
-
Need implementation assistance?
Try onboarding