Add Multi-Factor Authentication (4266569) (2025)

As you might guess from the name, MFA uses multiple different factors to authenticate users instead of just one. In a typical single-factor authentication (SFA) scenario, the user signs in with a password, which acts as their one security factor. Most MFA scenarios require both the user's password and at least one other authentication method. There are three types of authentication factors:

  • Something the user knows: a username and password, age, birthplace, pet's name, etc.
  • Something the user has: either a physical object, like a phone, fob, or keycard, or a digital resource, like a token, app, or certificate file
  • Something the user is: a biometric such as a fingerprint, iris, or voice pattern
  • Something the user does: the time of day someone typically signs in, the location they sign in from, or similar habits that can highlight unusual or suspicious behavior

MFA uses at least two of these to confirm the user's identity. For example, after entering their username and password credentials [something they know] as the first factor, your user might use a one-time password (OTP) application like OneLogin Protect [something they have] to generate a code that they can enter as the second factor.

Requiring both of these factors before they can log in creates a strong barrier against unauthorized access – in the example above, even if someone finds out your user's password, they still can't get into the account without also having access to that user's phone with OneLogin Protect installed on it. Another advantage of MFA is that it allows for redundant factors that provide your users with alternative ways to prove their identity even if they lose access to one of their factors.

Not sure about the best choices for your org's security? Consider setting up SmartFactor Authentication, a machine learning algorithm that calculates risk to determine whether a login attempt should require MFA. It can be a powerful way to provide both convenience for your users and increased security for your organization.

  1. Log in to your OneLogin account as an administrator and go to Security > Authentication Factors.

  2. Click New Auth Factor.

  3. Select your desired factor and click Choose.

  4. Give the factor a name in the User description field, configure your desired settings, and click Save. The specific settings available vary by factor, but you can find more detail in the app-specific OneLogin articles or partner documentation.

    While you can leave the User description with its default name, it's a good idea to give your factor a unique description if you're configuring multiple instances of the same factor. Some factors also allow you to upload a custom icon if you want to further help your users differentiate between multiple instances.

  5. The factor now appears in your Authentication Factors list and can be assigned to your users.

    Bring-Your-Own MFA

    If you have a OneLogin plan with Advanced Directory, you can configure a trusted identity provider (TIdP) as one of your authentication factors, even if it's not one of the third-party partners listed above! Ask your OneLogin account representative to activate the BYO MFA feature for your tenant, and choose Trusted IdP as a Factor for your factor type when adding a new authentication factor. In the settings dialog, select the TIdP that you want to use from the Trusted IdP name dropdown menu. Your IdP can now be used as an MFA factor alongside any other factors you configure.

    Note: This feature does not work with just-in-time (JIT) provisioning. If you don't see the options shown above, verify that:

    • You have an account that supports Advanced Directory and has at least one TIdP configured and enabled.
    • The TIdP you want to use has JIT provisioning disabled.
    • Your account representative has activated the BYO MFA feature for you.

    New and upcoming! In April 2023, we will be introducing additional features to the BYO MFA configuration, allowing you to enable contextual app information to be sent to your trusted IdP whenever an MFA request is triggered.

    Once activated by your account representative, the requesting application's ID will always be sent with the verification URL. For example, a URL that previously would have appeared as https://example.com/ext/oidc/v1/verifiers/1234/mfa/v1/idp/auth_callback would be updated to https://example.com/ext/oidc/v1/verifiers/1234/mfa/v1/idp/auth_callback&ol_app_id=567890, making it quick and easy to identify which app triggered the MFA request!

Because OneLogin allows near-complete control over user access to all of your company apps, it's important to plan out your authentication process carefully. You can configure user settings individually or with a mapping, but the best way to maximize security and ease of access is to set up MFA with user groups and policies.

Security policies can be highly customizable, allowing you to create the best authentication processes to meet your org's needs, or even to support multiple users with different needs. Users in the office might prefer a hardware factor like YubiKey because of its ease of use, for example, while users who travel could instead use OneLogin Protect because it's conveniently on their phone.

  1. Create a user policy for each kind of security process you want to apply and assign each one its relevant authentication factor(s). A policy can have as many different authentication factors as you want.

    Only the auth factors that you've enabled will appear here. If you don't see the factor you want to use, verify that it's listed in Security > Authentication Factors.

    Optional

    Apply any desired exceptions for your MFA policies. For example, you can allow users to bypass MFA if they're signing in from a trusted device or specific IP address.

    If you want to only allow users to sign in from certain IP addresses regardless of their authentication factors, you can set this up in the IP Addresses tab of your User Policy.

  2. Create a user group for each of these policies and assign your users to their relevant groups.
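The two steps above combine three separate controls: the factors a policy allows (which must be among the ones enabled under Security > Authentication Factors), optional MFA exceptions for trusted devices or specific IP addresses, and the IP Addresses restriction that blocks sign-in outright from anywhere else. The following added example (this page's own illustration, not OneLogin's policy engine) evaluates a login attempt against such a policy in that order, using the office-versus-traveler split from the text. The policy names, factor names, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed sample values (documentation ranges), and the class and function names are assumptions of this example.

```python
# Added example (not OneLogin code): evaluating a user policy with enabled
# factors, MFA exceptions, and an IP Addresses restriction.
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Constructed: the factors an admin has enabled under Security > Authentication Factors.
ENABLED_FACTORS = {"OneLogin Protect", "YubiKey", "Temporary token"}


@dataclass
class UserPolicy:
    name: str
    factors: List[str]                                   # factors users of this policy may use
    allowed_networks: List[str] = field(default_factory=list)     # IP Addresses tab: sign-in only from here
    mfa_bypass_networks: List[str] = field(default_factory=list)  # exception: skip MFA from these networks
    allow_trusted_device_bypass: bool = False            # exception: skip MFA on a trusted device

    def validate(self) -> None:
        """Mirror the UI rule that only enabled factors can be attached to a policy."""
        missing = set(self.factors) - ENABLED_FACTORS
        if missing:
            raise ValueError(f"policy {self.name!r} uses factors that are not enabled: {sorted(missing)}")


@dataclass
class LoginAttempt:
    username: str
    source_ip: str
    trusted_device: bool = False   # device previously marked trusted for this user


@dataclass
class Decision:
    outcome: str                   # "deny", "allow", or "mfa_required"
    reason: str
    factors: List[str] = field(default_factory=list)   # second factors offered when MFA is required


def _in_any(ip: str, networks: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def evaluate(policy: UserPolicy, attempt: LoginAttempt) -> Decision:
    """Decide what happens after the password (first factor) has been accepted."""
    # 1. The IP Addresses restriction applies regardless of factors: deny outright.
    if policy.allowed_networks and not _in_any(attempt.source_ip, policy.allowed_networks):
        return Decision("deny", "source IP is outside the policy's allowed IP addresses")
    # 2. A policy with no factors attached never prompts for MFA.
    if not policy.factors:
        return Decision("allow", "policy has no authentication factors")
    # 3. MFA exceptions: trusted device or an exempted network.
    if attempt.trusted_device and policy.allow_trusted_device_bypass:
        return Decision("allow", "trusted device exception")
    if _in_any(attempt.source_ip, policy.mfa_bypass_networks):
        return Decision("allow", "source IP is covered by an MFA exception")
    # 4. Otherwise the user must complete one of the policy's factors.
    return Decision("mfa_required", "second factor required", list(policy.factors))


# Constructed sample policies matching the office/traveler split in the text.
OFFICE_POLICY = UserPolicy("Office staff", ["YubiKey"], allowed_networks=["203.0.113.0/24"])
TRAVEL_POLICY = UserPolicy("Travelers", ["OneLogin Protect"], allow_trusted_device_bypass=True)

# Constructed: user group -> policy, as set up in step 2.
GROUP_POLICIES = {"office": OFFICE_POLICY, "travel": TRAVEL_POLICY}


def decide_for_group(group: str, attempt: LoginAttempt) -> Decision:
    policy = GROUP_POLICIES[group]
    policy.validate()
    return evaluate(policy, attempt)


if __name__ == "__main__":
    print(decide_for_group("office", LoginAttempt("alice", "198.51.100.7")))
    print(decide_for_group("travel", LoginAttempt("bob", "198.51.100.7", trusted_device=True)))
```

The ordering matters: the IP restriction is checked before any exception, so an MFA bypass never turns into a way around the "only from these addresses" rule, and exceptions are only consulted once a second factor would otherwise be demanded.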

But what if a user loses access to a factor they need, and doesn't have a redundant factor available?

You can generate a Temporary token for your user by selecting their name from the Users menu and going to Authentication. This creates an OTP that you can set to expire within a certain timeframe or after a single use, allowing the user to regain access to their account and update their authentication methods.
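The properties that make a temporary token safe to hand out as a recovery factor are the ones mentioned above: it expires after a set time, it can be limited to a single use, and it should be treated like a password while it is valid. The added example below (an illustration written for this page, not OneLogin's implementation) shows an issue-and-redeem store with those properties: the token is generated from a CSPRNG, only its hash is stored, the comparison is constant-time, and both the expiry and the single-use flag are enforced on redemption. The `clock` parameter is an assumption of this example so the expiry can be exercised without waiting.

```python
# Added example (not OneLogin code): issuing and redeeming a temporary token
# that expires after a time limit or after a single use.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class TempToken:
    token_hash: str       # SHA-256 of the token; the plaintext is never stored
    expires_at: float     # absolute time after which the token is dead
    single_use: bool      # if True, the first successful redemption consumes it
    used: bool = False


class TemporaryTokenStore:
    """One outstanding temporary token per user. Issuing a new one replaces
    any older token so a forgotten earlier token cannot linger."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock            # injectable for tests; time.time in production
        self._tokens: Dict[str, TempToken] = {}

    def issue(self, username: str, ttl_seconds: int = 900, single_use: bool = True) -> str:
        """Create a token for the admin to pass to the user. Returned exactly once."""
        token = secrets.token_urlsafe(24)   # 192 bits from the OS CSPRNG
        self._tokens[username] = TempToken(
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            expires_at=self._clock() + ttl_seconds,
            single_use=single_use,
        )
        return token

    def redeem(self, username: str, token: str) -> bool:
        """True only if the token matches, is unexpired, and has not been consumed."""
        rec = self._tokens.get(username)
        if rec is None:
            return False
        if self._clock() > rec.expires_at:
            del self._tokens[username]    # expired: forget it entirely
            return False
        if rec.used:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(rec.token_hash, presented):
            return False
        if rec.single_use:
            rec.used = True               # consume on first success
        return True

    def revoke(self, username: str) -> None:
        """Admin action: remove any outstanding token, e.g. once the user has re-enrolled."""
        self._tokens.pop(username, None)


if __name__ == "__main__":
    store = TemporaryTokenStore()
    t = store.issue("dana", ttl_seconds=600)
    print("first use:", store.redeem("dana", t))    # True
    print("second use:", store.redeem("dana", t))   # False (single use)
```

Whichever lifetime you choose in the admin UI, the point is the same as in this example: the token lets the user get past the missing factor once, long enough to enrol a replacement, and then stops working on its own.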

Article information

Author: Rubie Ullrich