MFA Policies

This section explains how to set up OmniDefend MFA policies. MFA policies allow MFA methods to be provisioned only to particular users and applications, giving the organization finer control over which MFA methods can be used to authenticate to different applications. Using this feature, an admin can create a policy that outlines a set of scenarios in which different MFA methods can be used, and provision that policy to the relevant applications.

Begin by navigating to the MFA policies tab on the left-hand side panel. There are three options, as shown in the image below:

../../_images/mfa-policies-options.png

Default Policy

The default MFA policy is the policy that applies to all applications by default. Whenever an admin opens an application in the portal, the policy (in this case, the default) is viewable like so:

../../_images/default-mfa-policy.png

To set up the default policy, click MFA Policies > My Default Policy. The following page will appear:

../../_images/mfa-policies-landing.png

Note

Please note that the bottom portion of the screen provides quick access to applications for use in provisioning MFA policies.

As you can see, the admin has configured 3 different Default MFA Policy Rules for this organization. They are visible under the label MFA Rules.

Clicking the two labels under Basic Information allows you to edit the Name and Description of the Default Policy.

Adding an MFA Policy Rule

To add a New Rule, click the +Add New Rule button on the right side of the screen. The following page will come up:

../../_images/mfa-policies-new-rule.png

First, click the two buttons under Rule Information to set the Rule Name and the Description like so:

../../_images/mfa-policies-rule-info.png

Next, fill in the specific IP addresses or IP ranges to which this MFA policy will apply. Enter the IP address, and select a value for the IP range from the dropdown to the right of the IP address field:

../../_images/mfa-policies-ip-ranges.png

Next, select the platforms to which you want this MFA policy to apply. For example, selecting Windows Browsers (Chrome, Edge, etc.) will make the default policy applicable to any user on that platform. The list of platform options is shown below:

../../_images/mfa-policies-platform-selection.png

The MFA Policy Rule can be configured to apply only to a certain user or set of users. If a superuser override would be useful to your organization, this is the right place to set it up. By default, this is set to none, meaning the rule applies to all users. To provision the MFA rule to a single user or set of users, click the none button hyperlinked in the image below:

../../_images/mfa-rule-none.png

Clicking none will populate a list of users, from which I can select one or more for the MFA Policy rule, as seen in the image below:

../../_images/mfa-policies-select-users.png

Multi-Factor Authentication

Lastly, and perhaps most importantly, select the authentication factors for the MFA Policy Rule. As you can see in the image below, click +Add New Factor to prompt the user for authentication. Adding multiple factors will prompt the user to authenticate with more than one MFA method.

../../_images/mfa-policies-authenticators.png

Tip

The MFA Policy Rule feature allows you to set as many authentication factors as there are authentication methods set up within the organization. Authentication factors will be prompted to the user in the order they are set here.

Tip

You can also configure multiple authentication methods within one specific factor, giving the user an option to use one of many authentication methods during the login process.

Clicking +Add New Factor will prompt you with a selection of authentication methods, like so:

Note

This will vary based on the MFA methods provisioned to your organization.

../../_images/mfa-policies-authentication-factors.png

Caution

By default, only a single authentication factor is added, with all the MFA methods enabled as login options. Deselecting some options will enable those options in a second factor of authentication.

If I deselect options for all but Smart Card Authentication and OTP Authentication (as seen in the image below), only those will be enabled in my first factor, and the rest of the options will be available to be configured for the second factor.

../../_images/mfa-policies-smart-card-otp.png

After clicking apply, my authenticators list will look like so:

../../_images/mfa-policies-smart-card-otp-shown.png

And if I click +Add New Factor, all options except Smart Card and OTP will be available to me, and deselected by default, as you can see below:

../../_images/mfa-policies-add-new-factor.png

After selecting, for example, PIN Authentication for my second factor and clicking apply, my two factors of authentication will be shown like so:

../../_images/mfa-policies-second-factor-set.png
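
The rule built in the walkthrough above can be reasoned about as data: a scope (IP range, platforms, users) plus an ordered list of factors, each offering one or more methods. The following Python sketch is an added example for reviewing such a rule on paper, not OmniDefend code or its API; the class, field names, CIDR notation for the IP range, and the sample network are all assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class MfaRule:  # hypothetical model of one MFA Policy Rule
    name: str
    networks: list                               # CIDR strings (assumed notation)
    platforms: set
    users: set = field(default_factory=set)      # empty = "none" = all users
    factors: list = field(default_factory=list)  # ordered list of method sets

    def overlapping_methods(self):
        """Methods offered in more than one factor (should be empty)."""
        seen, dup = set(), set()
        for methods in self.factors:
            dup |= seen & methods
            seen |= methods
        return dup

    def applies(self, ip, platform, user):
        """True when source IP, platform and user all fall in the rule's scope."""
        in_scope = any(ip_address(ip) in ip_network(n) for n in self.networks)
        return (in_scope and platform in self.platforms
                and (not self.users or user in self.users))

    def satisfied_by(self, completed):
        """completed: methods the user passed, in the order they were prompted."""
        return (len(completed) == len(self.factors)
                and all(m in f for m, f in zip(completed, self.factors)))

# Constructed sample mirroring the walkthrough: Smart Card or OTP, then PIN.
RULE = MfaRule(
    name="Office workstations",
    networks=["10.1.0.0/16"],                    # constructed sample range
    platforms={"Windows Browsers"},
    factors=[{"Smart Card Authentication", "OTP Authentication"},
             {"PIN Authentication"}],
)

if __name__ == "__main__":
    print(RULE.applies("10.1.2.3", "Windows Browsers", "alice"))
    print(RULE.satisfied_by(["OTP Authentication", "PIN Authentication"]))
```

Checking `overlapping_methods()` on a draft rule is a quick way to confirm that no method counts toward two factors, which is the property the portal enforces by removing already-selected methods from later factors.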