In EmpowerID, multi-factor authentication (MFA) is a flexible, points-based system that lets you specify the number and types of factors users must present when authenticating, as well as the weight (point value) associated with each factor. When users reach the designated point threshold, they are authenticated and granted access to the system. To ease user adoption, EmpowerID supports a number of MFA types out of the box. These include:
Duo Two-Factor Authentication - When this MFA Type is required on a Password Manager Policy, users with the policy must approve a secondary authentication request that is either pushed to their mobile phones, sent as a one-time passcode, or delivered via a phone call. To use this MFA Type, your organization must have a Duo account that is registered in EmpowerID. Users must also enroll in Duo and register either their mobile phone (recommended), tablet, landline or U2F token. Additionally, to use Duo Push's one-tap authentication, users must have the Duo Mobile app installed on their mobile phones.
Device Registration - When this MFA Type is required on a Password Manager Policy, users with the policy must register the device they are currently using to access EmpowerID. This process involves the delivery of a one-time passcode via SMS, voice or email to the mobile device or email address specified by the user during authentication. Once the device is successfully registered, the registration is stored in a cookie on the specific browser used to access EmpowerID. Because the registration is bound to that browser, users who authenticate from a different browser on the same device, from another device altogether, or after clearing that browser's cookies must go through the device registration process again.
EmpowerID One-Time Password - When this MFA type is required on a Password Manager Policy, users with the policy must verify their identity by entering the one-time passcode generated by EmpowerID. Options for delivering the passcode include email, SMS and voice call. To use the SMS and voice call features of this MFA Type, organizations must have a Twilio account that is registered in EmpowerID.
FIDO Universal 2nd Factor (U2F) - When this MFA Type is required on a Password Manager Policy, users with the policy are prompted to insert their security key (YubiKey device) and press the button or the gold disk on the key to continue. If this is the first time the YubiKey is being used, EmpowerID generates a certificate linking the YubiKey to the person authenticating. Once the certificate is generated, the YubiKey cannot be used by any other person for FIDO U2F authentication.
OATH Time-Based One-Time Password (TOTP) - When this MFA type is required on a Password Manager Policy, users with the policy must verify their identity by entering a time-based code generated by an authenticator application installed on their mobile devices, such as Google Authenticator or Duo Mobile.
Yubico OTP - When this MFA Type is required on a Password Manager Policy, users with the policy must verify their identity by generating a one-time password with their YubiKey. Because Yubico OTP uses YubiCloud to verify OTPs, you need to obtain an API key from Yubico and register the key in EmpowerID. Users must also have a YubiKey.
If an MFA Type is added to an application, users must authenticate themselves through the MFA Type before EmpowerID grants access to the application.
To assign MFA Types to Applications
From the Navigation Sidebar, navigate to the Password Manager Policies management page by expanding Admin > Policies and clicking Password Manager Policies.
From the Policies tab of the Password Manager Policies management page, search for the policy to which you want to apply an MFA type and then click the Display Name link for that policy.
From the Policy Details page that appears, expand the Multifactor Authentication accordion and then click the Add Type (+) button to the right of the grid.
In the dialog that appears, do the following:
Select one of the above-mentioned MFA Types from the Type drop-down.
Set the priority for the type in the Priority field. The lower the number, the higher the priority. When more than one MFA Type is assigned to an application, EmpowerID directs users to the MFA Type with the highest priority first, then to the MFA Type with the next highest priority, and so on until the point threshold for the application is met.
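The following Python is an added example, not EmpowerID's own code, that models the priority-ordered, points-based evaluation described above so the effect of priority and point values on a policy can be checked before it is deployed. The type names, point values, threshold, tie-breaking by name for equal priorities, and the `check_config` helper are all assumptions constructed for the illustration.

```python
"""Model of a points-based MFA policy evaluated in priority order (constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MfaType:
    name: str       # MFA Type as selected in the Type drop-down
    priority: int   # Priority field: lower number = higher priority
    points: int     # point value awarded when the factor is satisfied


# Constructed sample policy; point values and threshold are assumptions.
SAMPLE_TYPES = [
    MfaType("Duo", priority=1, points=10),
    MfaType("OATH TOTP", priority=2, points=5),
    MfaType("FIDO U2F", priority=3, points=10),
]
SAMPLE_THRESHOLD = 15


def check_config(types, threshold):
    """Return configuration problems that would make the policy unusable:
    a threshold no combination of factors can reach, or duplicate priorities
    (which leave the prompt order undefined)."""
    problems = []
    if sum(t.points for t in types) < threshold:
        problems.append("threshold unreachable with configured factors")
    priorities = [t.priority for t in types]
    if len(priorities) != len(set(priorities)):
        problems.append("duplicate priorities: prompt order is ambiguous")
    return problems


def evaluate(types, threshold, succeeded):
    """Prompt for factors in priority order, add points for each one the user
    satisfies, and stop as soon as the threshold is met.

    `succeeded` is the set of MFA Type names the user completed; any other
    factor counts as failed/skipped and contributes 0 points.
    Returns (authenticated, points_earned, factors_prompted_in_order).
    """
    ordered = sorted(types, key=lambda t: (t.priority, t.name))  # tie-break by name (assumption)
    earned, prompted = 0, []
    for t in ordered:
        if earned >= threshold:
            break                       # threshold met: no further prompts
        prompted.append(t.name)
        if t.name in succeeded:
            earned += t.points
    return earned >= threshold, earned, prompted
```

With the sample policy, a user who satisfies Duo alone (10 points) is still prompted for the remaining factors until 15 points are reached, while a policy whose threshold exceeds the sum of all configured point values is flagged by `check_config` rather than silently locking everyone out.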