Opt-in Multi-Factor Authentication

Opt-in Multi-Factor Authentication

Starting in version 6.6 of the Curity Identity Server it is possible to configure Multi-Factor Authentication (MFA) in a self-service manner. This means that it is up to each user when to use MFA, rather than needing to force this behavior on all users at once.

When to use Opt-in MFA

The Approaches to MFA article explains that Opt-in MFA should not be used when access to data is critical. Instead it is something that end users can decide to adopt at different times, to improve their own security.

Demo video

This short demo video shows how to configure the Opt-in MFA action and how it can be used by users to configure their own second factors.

Configure Opt-in MFA

Opt-in MFA is an Authentication Action that can be added to an authenticator, as in the below example, where it has been added to an HTML Form Authenticator called Username-Password:

Authenticator

In this example the main credential is a password, and a second factor must be provided, by either responding to an SMS message to prove ownership of a registered mobile device, or using an external WebAuthn authenticator such as a key fob:

Authenticator

A time to live can be provided, so that users are only prompted for the second factor occasionally, rather than every time they sign in. Users can also be allowed to authenticate using recovery codes, as a backup option, if that feature is enabled.

First Time Usage

When the user first signs in they are prompted to use MFA, but can choose the Skip option and proceed with only a single factor if they prefer:

Initial Prompt

If a second factor is selected and successfully verified, then the user is given a set of recovery codes, if that option is enabled. This ensures that the user can continue to sign in if the device used for the second factor is lost.

Recovery Codes

The second factor is then recorded in the configured Account Manager, then verified on subsequent logins, to ensure that the same value is provided again.

Enforcing a Second Factor

When required it is possible to make the use of a second factor mandatory, by setting the Opt Out TTL value to zero. The above Skip option is then no longer shown, though the user is still able to choose which type of second factor to use.

Extending Factors

The factors used can evolve, and whenever the user signs in the options can be adjusted according to personal preference. This enables different users to use a different second factor, based on what they prefer from a user experience viewpoint:

Subsequent Logins

Conclusion

Opt-in MFA is a way for end users to increase their own security when working with non-critical assets. Multiple factors do not necessarily have to be supplied every time the user authenticates, and the experience does not have to be the same for every user. Opt-in MFA can also include the use of recovery codes as a backup option.