Configuring MFA settings
You can define MFA settings for end users, such as the maximum number of authentication methods that a user can set up, authentication method selection, and account lockout settings. These settings are applied at the environment level.
Steps
- Go to Authentication > MFA Settings.
- For MFA status for new users, specify whether MFA should be enabled by default for a user when their account is created.
- For Maximum allowed methods, select the maximum number of authentication methods that users can set up for their accounts. The default is 5. Users can have multiple authentication methods using the same device. For example, an end user could have SMS, voice, biometrics, and an authenticator app all on a single mobile device.
  If you reduce the maximum value, existing methods are not affected. For example, if a user has four authentication methods set up, but you reduce the maximum number to three, the user won’t have to remove an existing authentication method.
- If some of your users will be pairing devices that have phone numbers with extensions, set the Phone numbers with extensions option to Enabled.
- For Account lockout, enter or edit the following:
  - Account lockout: The maximum number of incorrect MFA authorization actions a user can attempt (such as entering an incorrect OTP or declining a push confirmation on a mobile device) before the account is locked.
    This value includes MFA authentication attempts across all configured devices.
  - Account lockout duration: The amount of time (in seconds) to keep the account locked after the failure count is exceeded. The account will automatically unlock after the specified time passes.
- Select the type of key to use for pairing of devices: 12-digit numeric key or 16-character alphanumeric key.
- Click Save.
Next steps
You can unlock or disable a user account on the user details page. Learn more in Enabling or unlocking a user account or device.