This is not the latest version of Identity Director documentation.

Multifactor Authentication

This feature is available starting with Identity Director 2021.2.

In the Management Portal, at Setup > Multifactor Authentication, you can enable multifactor authentication in your environment.

Enable multifactor authentication

Once you activate this option, all users will be redirected to the enrollment screen the next time they attempt to log into their account, either in the Management Portal or the Web Portal. On the enrollment screen, users can either scan the QR code with the authenticator application on their mobile phone, or manually enter the code into the application. This only needs to be done once and, starting from that point, the authenticator will start generating codes that must be used during each login attempt.

Once you enable multifactor authentication in your environment, all users have to enroll in order to log in. To unenroll a user, click the Unenroll button at the bottom of the Multifactor Authentication page and select the user from the list. Once you confirm and complete this action, the user will have to go through the enrollment process again.

If you click on the Reset button, all the enrollments will be removed for all users.

In order for multifactor authentication to work correctly in your environment, you need to make sure the following conditions are met:

  • In IIS, the Load User Profile option is set to True for the application pools that host the following web applications: Management Portal, Web Portal, and Mobile Gateway.

  • For the Management Portal, Web Portal, and Mobile Gateway, you have configured the same encryption key.

  • In your environment, Identity Broker Authentication is disabled. Multifactor authentication does not work on the components for which Identity Broker is active.

Enforce enrollment

Enable this option if you want multifactor authentication to be enforced for all your users.

If the box is not checked, the setting is off and the user will be able to skip the enrollment screen and log on without an authenticator application.

If the setting is on, users must go through the enrollment process and register with an authenticator application if they have not previously done so.

See also: