Opt-in Multi-Factor Authentication
Starting in version 6.6 of the Curity Identity Server it is possible to configure Multi-Factor Authentication (MFA) in a self-service manner. This means that it is up to each user when to use MFA, rather than needing to force this behavior on all users at once.
The Approaches to MFA article explains that Opt-in MFA should not be used when access to data is critical. Instead it is something that end users can decide to adopt at different times, to improve their own security.
This short demo video shows how to configure the Opt-in MFA action and how it can be used by users to configure their own second factors.
Opt-in MFA is an Authentication Action that can be added to an authenticator, as in the below example, where it has been added to an HTML Form Authenticator called
In this example the main credential is a password, and a second factor must be provided, by either responding to an SMS message to prove ownership of a registered mobile device, or using an external WebAuthn authenticator such as a key fob:
A time to live can be provided, so that users are only prompted for the second factor occasionally, rather than every time they sign in. Users can also be allowed to authenticate using recovery codes, as a backup option, if that feature is enabled.
When the user first signs in they are prompted to use MFA, but can choose the Skip option and proceed with only a single factor if they prefer:
If a second factor is selected and successfully verified, then the user is given a set of recovery codes, if that option is enabled. This ensures that the user can continue to sign in if the device used for the second factor is lost.
The second factor is then recorded in the configured Account Manager and verified on subsequent logins, to ensure that the same value is provided again.
When required it is possible to make the use of a second factor mandatory, by setting the Opt Out TTL value to zero. The above Skip option is then no longer shown, though the user is still able to choose which type of second factor to use.
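To make the policy above concrete (the Opt Out TTL and the Skip option, recording the verified factor in the account, checking that the same factor is presented on later logins, and single-use recovery codes), here is an added Python model of the flow. It is illustrative code written for this explanation, not the Curity Identity Server's implementation: the Account fields, the function names, the default of eight recovery codes and the sample phone number are assumptions, and the model applies the TTL only to users who have not yet enrolled a factor.

```python
# Added illustration of the opt-in MFA policy described above. This is NOT the
# Curity Identity Server's code: the Account fields, function names, the
# eight-code default and the constructed sample values are assumptions made
# for this example.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Account:
    """Minimal stand-in for the record an Account Manager would keep."""
    username: str
    # (factor type, factor identifier) once enrolled, e.g. ("sms", "+15555550100")
    second_factor: Optional[Tuple[str, str]] = None
    # When the user last chose Skip; None if never skipped
    opted_out_at: Optional[float] = None
    # Only hashes of recovery codes are stored, never the codes themselves
    recovery_code_hashes: Set[str] = field(default_factory=set)


def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def decide_mfa_prompt(account: Account, opt_out_ttl_seconds: int, now: float) -> str:
    """Return what the login flow should do for this user right now.

    'mandatory': a second factor must be verified (or enrolled) before login
    'optional':  prompt to enroll, but show the Skip option
    'skip':      the user opted out within the TTL; do not prompt yet
    """
    if account.second_factor is not None:
        return "mandatory"  # once enrolled, the recorded factor is checked every login
    if opt_out_ttl_seconds == 0:
        return "mandatory"  # Opt Out TTL of zero: Skip is never shown
    if account.opted_out_at is not None and now - account.opted_out_at < opt_out_ttl_seconds:
        return "skip"
    return "optional"


def record_skip(account: Account, now: float) -> None:
    """The user pressed Skip; remember when, so the TTL can be applied."""
    account.opted_out_at = now


def issue_recovery_codes(account: Account, count: int = 8) -> List[str]:
    """Generate single-use recovery codes; the account keeps only their hashes."""
    codes: List[str] = []
    while len(codes) < count:
        code = secrets.token_hex(5)  # 10 hex characters from the OS CSPRNG
        if code not in codes:
            codes.append(code)
    account.recovery_code_hashes = {_hash_code(c) for c in codes}
    return codes


def enroll_second_factor(account: Account, factor_type: str, factor_id: str) -> List[str]:
    """Record an already-verified factor and hand back recovery codes.

    The caller is assumed to have verified the factor first (SMS code
    delivered, WebAuthn assertion checked) before calling this.
    """
    account.second_factor = (factor_type, factor_id)
    account.opted_out_at = None
    return issue_recovery_codes(account)


def verify_second_factor(account: Account, factor_type: str, factor_id: str) -> bool:
    """Subsequent logins must present the same factor that was recorded."""
    if account.second_factor is None:
        return False
    stored_type, stored_id = account.second_factor
    return stored_type == factor_type and hmac.compare_digest(
        stored_id.encode("utf-8"), factor_id.encode("utf-8")
    )


def redeem_recovery_code(account: Account, code: str) -> bool:
    """Accept a recovery code once, then invalidate it."""
    digest = _hash_code(code)
    if digest in account.recovery_code_hashes:
        account.recovery_code_hashes.discard(digest)
        return True
    return False


if __name__ == "__main__":
    # Constructed walk-through: Alice skips, is left alone within the TTL,
    # then enrolls SMS and is prompted on every later login.
    alice = Account("alice")
    print(decide_mfa_prompt(alice, 86400, now=1000.0))   # optional
    record_skip(alice, now=1000.0)
    print(decide_mfa_prompt(alice, 86400, now=2000.0))   # skip
    codes = enroll_second_factor(alice, "sms", "+15555550100")  # constructed number
    print(decide_mfa_prompt(alice, 86400, now=3000.0))   # mandatory
    print(verify_second_factor(alice, "sms", "+15555550100"))  # True
    print(redeem_recovery_code(alice, codes[0]), redeem_recovery_code(alice, codes[0]))  # True False
```

Two design choices worth noting: the account stores only SHA-256 digests of the recovery codes, so a leaked account record does not expose usable backup codes, and each code is discarded the moment it is accepted, which is what makes it a recovery code rather than a second password.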
The factors used can evolve, and whenever the user signs in the options can be adjusted according to personal preference. This enables different users to use a different second factor, based on what they prefer from a user experience viewpoint:
Opt-in MFA is a way for end users to increase their own security when working with non-critical assets. Multiple factors do not necessarily have to be supplied every time the user authenticates, and the experience does not have to be the same for every user. Opt-in MFA can also include the use of recovery codes as a backup option.