Advanced Settings

The Advanced tab under Configuration > Multi-Factor Authentication contains important settings that you can configure to further control how the MFA process for password resets, ADSelfService Plus logins, and endpoint logins behave.

General

CAPTCHA Settings

Hide CAPTCHA in: Enable this setting to hide CAPTCHA in second-factor authentication pages.

MFA Recovery

Enable MFA Backup Verification Codes: Select this setting to enable the generation of the MFA backup codes that let end-users prove their identity when their MFA device or authenticator is unavailable.

About backup codes

These one-time use backup codes allow users to prove their identities in case their MFA device is not reachable or they are unable to use their enrolled MFA methods of authentication. Once the Enable MFA Backup Verification Codes setting is enabled, the backup codes can be generated and end-users can enter them to authenticate themselves during machine or VPN logon, ADSelfService Plus portal login, or self-service actions. Backup codes can be generated in two ways:

• By the user: Users can generate backup codes in the ADSelfService Plus end-user portal. A total of five codes are generated every time the option is used. Each code cannot be used more than once.
• By the admin: Admins can also generate backup codes for users who have enrolled for MFA using the Enrolled Users Report. This comes in handy when users have not generated their own backup codes and cannot use the enrolled MFA methods. Learn more

Reset/Unlock MFA

• Restrict the MFA idle time during password resets/account unlocks to <text_box> min Enabling this setting will set a time limit for how long a user can take to finish identity verification. For instance, if you set this to 5 minutes, users have to enter their SMS verification code or approve the push notification within 5 minutes. The idle time limit resets with every verification attempt or with actions such as choosing authenticators.
• Deny users from performing password reset/account unlock when partially enrolled: When this option is selected, end-users who've only partially completed the enrollment process (say, enrolled for 2 out of 4 authentication methods) will not be allowed to reset their passwords or unlock their accounts until they complete the enrollment process.
• Force enrollment post successful MFA for authenticators selected for other endpoints: Enabling this setting ensures users enroll with all the authenticators required not only for reset password and account unlock, but also logins to other endpoints like machines, VPNs, OWA, and applications. Enrollment is also enforced for authenticators set as mandatory in the MFA Enrollment tab.

Endpoint MFA

Machine Login MFA

• Restrict the MFA idle time during machine logins to <text_box> min: Enabling this setting will set a time limit for users to complete the multi-factor authentication (MFA) process for logging into their machines.
• Skip MFA when the ADSelfService Plus server is down or unreachable: This option ensures users aren't left stranded on their machine login screens during the MFA process when the ADSelfService Plus server is down or unreachable. However, this also means renouncing the advanced security layer of MFA, which is not recommended. To avoid such circumstances, deploy offline MFA. This setting is not applicable when:
• Offline MFA is configured, and the user is enrolled with offline MFA on their device.
• Machine-based MFA is enforced in the device.
• Keep a machine trusted for ___ days: When this setting is enabled, users who have logged in once using the machine login MFA can skip going through MFA authentication during subsequent logins. Enabling this setting will help users avoid going through the MFA process every time they lock and unlock their machines. The trusted machine's status will be revoked after the specified number of days.
• Keep the Trust this machine option selected by default: By enabling this setting, you can keep the box next to Trust this machine checked on the MFA authentication screen by default.
• __ if the user is not enrolled in MFA: This setting determines the authentication flow for the user when they have not enrolled for any of the authenticators for Machine login MFA. The admin can configure one of the following actions to occur:
• Allow logins: The user will be permitted to bypass MFA and gain access.
• Deny logins: The user will be restricted from access.
• Force enrollment:
• The user will be forced to enroll with the authenticators for online MFA and offline MFA only after successful primary authentication.
• This option can be applied for only Windows and macOS machines. If a user is not enrolled and this option is selected, they're denied access into their Linux machine.
Important:
• Authenticators required for both online and offline MFA will be considered collectively, so if the user isn't enrolled for any of the authenticators required for both online and offline MFA, they will be considered not enrolled. Alternatively, if they are enrolled for at least one authenticator required for either of these login methods, they're considered as partially enrolled.
• This setting applies only for not enrolled users. Partially enrolled users will not be considered as not enrolled, and instead will be forced to enroll for the remaining authenticators after completing MFA using the enrolled authenticators.
• If authenticators that users cannot enroll themselves for such as custom hardware TOTP tokens and AD security questions are selected, they will be denied access even if Force enrollment is selected as only the admin can enroll them.
• When Machine-based MFA is enforced, this setting is overridden and users who haven't enrolled for any of the authenticators will be denied access to the machine, and partially enrolled users will be forced to enroll for the remaining authenticators required.
• Restrict users from performing offline MFA after _ days/attempts: When this setting is enabled, offline MFA is restricted to a certain number of days or attempts and users are mandated to connect back to ADSelfService Plus once this limit is exhausted.
Note:
Offline MFA requires the Professional Edition of ADSelfService Plus with Endpoint MFA.

• It is recommended that a value appropriate to your organizational requirements is set. Setting lower values than required could leave users stranded without access to the machine.
• It is recommended that you enable this setting as any change made to the self-service policy, MFA configuration, advanced settings, and modifications related to Offline MFA enrollment will reflect in the machines for the enrolled users only after they complete MFA when online.
• This limit will be reset when the particular user performs online authentication on the specific machine.
• Force user to enroll their device for offline MFA after successful online authentication: When this setting is enabled, once a user completes online MFA in a machine, It is automatically enrolled for offline MFA without notifying the user. If not enabled, the user can choose to enroll their machine for offline MFA or skip it.

OWA Login MFA

Note: MFA for OWA logins requires the Professional Edition of ADSelfService Plus with Endpoint MFA.

• Restrict the MFA idle time during OWA logins to <text_field> min: When this setting is enabled, the user session will expire if the user is idle for the specified time interval.
• Skip MFA when the ADSelfService Plus server is down or unreachable: Enable this option if you want to avoid situations where the users can't access Outlook Web Access (OWA) or Exchange admin center when the ADSelfService Plus server is down or unreachable. However, be aware that enabling this option means renouncing the advanced security layer of MFA when the ADSelfService Plus server is down or unreachable, which is not recommended. To avoid such circumstances, deploy ADSelfService Plus with High Availability or Load Balancing.
• Keep the "Trust this browser" option selected by default: By enabling this setting, you can keep the box next to "Trust this browser" checked on the MFA authentication screen by default.
• Expire trust for a browser after __ days: When this setting is enabled, users who have logged in once using MFA for OWA can skip going through MFA authentication during subsequent logins. Enabling this setting will help users avoid going through the MFA process every time they log in to OWA or the Exchange admin center from the same browser. The trusted browser's status will be revoked after the specified number of days.

VPN Login MFA

Note: MFA for VPN logins requires the Professional Edition of ADSelfService Plus with Endpoint MFA.

• Keep the VPN MFA session valid for __ minutes: Enabling this setting will set a time limit for the second-factor authentication during VPN login. Say, if you set this to 2 minutes, users have to enter the code or approve the notification, as per the authentication method enabled, within 2 minutes.

Note: If your VPN server allow you to configure the RADIUS timeout limit, set it to a value that is greater than the session time limit you configure in this setting.

• Skip MFA when the ADSelfService Plus server is down or unreachable: Enable this option if you do not want users to be lefts stranded at the login screen during VPN login when ADSelfService Plus server is down or unreachable.
• Skip MFA when the user is not enrolled for the required authenticators: Enable this option to allow users, who have not enrolled for the authentication methods enabled for VPN login, to skip MFA.
• Send additional attributes as a response to the VPN server after successful MFA: Enable this option if you wish to send additional attributes to the VPN server or other RADIUS endpoints. These attributes will only be sent to the VPN provider after successful MFA and will be utilized by the VPN server to determine the level of access each user should have or other purposes. You will be able to find the full list of supported attributes with the documentation recieved from your VPN vendor.

Note: Please update the NPS extension to version 2.3 or higher to use this feature.

Configuring additional attributes

1. If you try to enable this feature before configuring the attributes, you will be shown a pop-up to configure them. Click OK. You can also click on the Configure Attributes link.
2. You can configure RADIUS' Standard or Vendor-specific attributes and corresponding values to be sent to the VPN providers (other RADIUS endpoints).



3. Enter the Vendor ID by clicking on the Edit [ ] button. The Vendor ID is the unique number that denotes your VPN provider. For example, if using Fortigate, the Vendor ID is 12356.
4. Choose the Type of attribute and enter the Attribute Number, Format and Value in the fields displayed.

For attributes of format string, the values should be in characters and for the attributes of format int, the values should be in integers.

For enum attributes which contain multiple predefined values, provide the desired value in terms of their associated integers. For example, if you wish to use Login as the service-type attribute, enter 1 in the Value field.

In case attributes are in the IPv4 or IPv6 address formats, please provide a valid IP address in the Value field.

For example, your IPv4 address can look like " 10.1.1.1 ", and your IPv6 address can look like " 2001:0db8:85a3::8a2e:0370:7334 ".

5. Click OK after configuring all the attributes you require.
6. Once successfully configured, the Send additional attributes as a response to the VPN server after successful completion of MFA setting will be enabled.

Cloud Applications Login MFA

• Enable Passwordless Login: This setting allows users to access applications and the self-service portal without a password. Please refer to this page for more information.

Note: Passwordless logins to cloud applications require the Professional Edition of ADSelfService Plus with Endpoint MFA.

Please note that 'Trust this browser' setting will be disabled for the users for whom passwordless login is enabled to avoid security loopholes. When passwordless logins are enforced, the user has to authenticate each time they attempt to access the application.

• Restrict the MFA idle time during logins to cloud apps to <text_field> min: Enabling this setting will set a time limit for users to finish the MFA process.
• Force enrollment for not enrolled users after successful password verification: When this setting is enabled, users will not be forced to go through MFA when they log in for the first time. Instead, they will be asked to go through enrollment after successful password verification.
• Force enrollment post successful MFA for authenticators selected for other endpoints: Enabling this setting ensures users enroll with all the authenticators required not only for cloud application logins, but also for MFA during reset password and account unlock, as well as machines, VPN, OWA and ADSelfService Plus logins. Enrollment is also enforced for authenticators set as mandatory in the MFA Enrollment tab.
• Keep the 'Trust this browser' option selected by default: When this option is enabled, the 'Trust this browser' checkbox will be selected by default in the MFA verification screen.
• Expire trust for a browser after ___ day(s): When this option is enabled, users will not be asked to go through MFA for the specified number of days when they log in to ADSelfService Plus using trusted browsers.

Applications MFA

ADSelfService Plus Login MFA

• Enable passwordless logins: This setting allows users to access applications and the self-service portal without a password. Please refer to this page for more information.

Note: Please note that the Trust this browser setting will be disabled for the users for whom passwordless login is enabled to avoid security loopholes. When passwordless login is enforced, the user has to authenticate each time they attempt to access the application.

• Restrict the MFA idle time during ADSelfService Plus portal logins to <text_field> min: Enabling this setting will set a time limit for users to complete the multi-factor authentication (MFA) process.
• Force enrollment for not enrolled users after successful password verification: When this setting is enabled, users will not be forced to go through MFA when they log in for the first time. Instead they will be asked to go through enrollment after successful password verification.
• Force enrollment post successful MFA for authenticators selected for other endpoints: Enabling this setting ensures users enroll with all the authenticators required not only for ADSelfService Plus logins, but also for MFA during reset password and account unlock, as well as machines, VPN, OWA, and cloud application logins. Enrollment is also enforced for authenticators set as mandatory in the MFA Enrollment tab.
• Keep the 'Trust this browser' option selected by default: When this option is enabled, the "Trust this browser" checkbox will be selected by default in the MFA verification screen.
• Expire trust for a browser after ___ days: When this option is enabled, users will not be asked to go through MFA for the specified days when they log into ADSelfService Plus using trusted devices.

Q&A Settings

Question Settings

• Display __ Security Questions out of <no_of_available_questions> at random: With this option, you can define the number of questions to be displayed to the end user. The questions will be randomly selected by ADSelfService Plus from the available list of security questions configured under Security Question and Answer Settings.
• Display __ AD Security Questions out of <no_of_available_questions> at random: Select this option to specify the number of AD Security Questions to be asked during the identity verification process. The questions will be randomly selected by ADSelfService Plus from the available list of security questions configured under AD Security Questions Settings.
• Display the security questions one by one: Checking this option will display the security questions one by one (i.e., one question per page).
• Display all the security questions simultaneously: Selecting this option will display all the security questions on a single page.

Answer Settings

• Verify users' identity with case-sensitive answers to security questions: Selecting this option force case sensitive for answer provided by users.
• Hide security answers during authentication: Selecting this option will hide security answers by default.

Answer Strengtheners (for Security Q&A only)

• Prevent users from providing their usernames as answers: This will prevent users from using their username as an answer.
• Prevent users from providing the same answer to multiple questions: This will prevent users from providing the same answer to multiple questions.
• Prevent users from using any word in the security question in their answers: This will prevent users from copying words in the questions as answers.
• Force users to use only English characters (a-z), numbers (0-9), and symbols: This will make sure that users use only alphanumeric characters and symbols in their answers.
• Store security answers using reversible encryption: Selecting this option will store the security answers as plain text in the ADSelfService Plus database. The answers can be viewed using the Security Questions and Answers report.
• Store security answers using the ___ algorithm Select this option to encrypt and store the answers to security questions using MD5 or SHA-512 algorithm.

Verification Code Settings

Mail/Mobile Attributes

• Select the type of attribute (Mail or Mobile) you want to view from the Select Type drop-down.
• Click Add Attribute to add a new attribute that contains the users' email addresses or mobile numbers.

Secondary Email/ Mobile Number

• Prevent enrolling already enrolled <drop-down>: Use this option to prevent multiple users from enrolling with the same Secondary Email address and/or Mobile Number across the product.
Note:
• The duplicate verification check is performed at the product level if the flag is enabled for the policy, and the user falls under that policy. We do not validate the enrollment value with primary AD email/mobile data. We exclusively handle the duplicate check within the secondary enrollment data.
• The same mobile number can be used for enrollment by two users as long as the mobile number formats are different. They will not be considered duplicate entries. For instance, if a user has already enrolled with the number 000-111-222, another user can enroll with 0001-11-222 as long as that format is allowed. It will not be considered a duplicate entry.



• Allow or Block email addresses from the following domains <domain_dropdown>: Use this option to block or allow particular email domains. If you choose Block, users will be able to add email addresses from any domain apart from the listed domain(s). Choosing Allow will ensure that only trusted email service providers are utilized by the users to receive verification codes. You can leave this field empty to allow any domain after choosing "Allow".
• Allow or Block the following mobile number formats __: Use this option to block or allow particular mobile number formats. If you choose Block, users will be able to add mobile numbers in any format apart from the listed format(s). Choosing Allow will ensure that users enter mobile numbers only in the particular format(s) configured.You can leave this field empty to allow any format after choosing Allow.
Note: If you do not want users to register secondary email address and mobile number, disable these settings:
• Allow or Block email addresses from the following domains __
• Allow or Block the following mobile number formats __
• Choose enforcement: Use this setting to configure whether adding secondary email addresses and mobile numbers are mandatory or optional for the users. The available options are:
• Make this registration optional.
• Force users to register email address.
• Force users to register mobile number.
• Force users to register both email address and mobile number.
• Prevent enrolling already enrolled <drop-down> : Use this option to prevent multiple users from enrolling with the same Secondary Email address and/or Mobile Number across the product.

Others

• Set verification code length to ___ digits: Use this setting to set the number of digits in the verification code.
• Show 'Select Email ID/Mobile No.' as the default value in the mail/mobile drop-down list: Enabling this option will show Select Email ID/Mobile No. as the default value in the email/mobile drop-down during identity verification.
• Partially hide the email ID and mobile number on MFA pages: This option will partially hide the email address and mobile number of the user during the identity verification process.
• Skip the 'Choose Email Address/Mobile Number' step and auto-trigger the verification code: In some cases, the user might have enrolled in ADSelfService Plus with multiple email addresses or mobile numbers. By default, the product shows the user a drop-down to select the email address or mobile number to send the verification code to. However, when the Choose Email Address/Mobile Number step and auto-trigger the verification code option is checked, this drop-down is not displayed and the code is sent directly to the user's primary email address, which is determined based on:
• Email address or mobile number specified by the end user during self-enrollment, or by the admin during auto-enrollment via CSV or external databases (whichever is the latest).
• Email addresses or mobile numbers linked to the Active Directory user object. Admins can configure the mail or mobile attributes to be used for the policy, using the Advanced section of the MFA settings as shown in the screenshot below. To find it in the product GUI, log in to the product admin portal and go to Configuration > Self-Service > Multi-Factor Authentication (MFA) > Advanced tab > Verification Code > Mail/Mobile Attributes.

• CC the admin/manager in the identity verification email sent to users: Use this setting to include the user's manager or admin's email address in the CC line of the verification code email sent to the user. To achieve this,
• Check the box next to this setting.
• Enter the admin's email address in the Email ID field.
• Click Add Manager to include the email address of the user's manager.