User Authentication - Multi-Factor Authentication

Multi-factor authentication protects MOVEit Transfer accounts from unverified users when a user's account password is lost, stolen, or compromised. To verify user identity, MOVEit Transfer gives users private access to a uniquely-generated verification code (made available by email or mobile app). This additional verification step ensures user sign on is genuine.

Allow Multi-Factor Authentication... Enables MFA, organization-wide. (Check this box to reveal the full set of MFA administrator controls)

(MFA Administrator Controls Panel)

Available Methods. View and select verification methods available to users.
Remember this Device. Enable users to bypass MFA from a device that was verified.
Enforce Multi-Factor Authentication. Implement MFA as policy across an entire user class. (For other classes it will be optional.)
Exempt a user. Decouple users from multi-factor authentication requirements altogether.

Best Practices for Applying MFA to Your Organization

Typical administrator tasks for 'roll-out' of multi-factor authentication follow:

1.	Check your site's data requirements.	HIPAA, SOX, PCI, and so on typically require identity verification controls (MFA, for example) for administrator users. Email affected users of the upcoming roll out of the new verification process. If needed for policy compliance, give a time window where the selected users can expect to see a change in their sign on process. If optional only, you can explain the benefits through email using links from the MOVEit Transfer User Guide or the Sign On Help.
2.	Allow Multi-Factor Authentication...	Users can now opt in from MY ACCOUNT page to use designated methods (Available Methods). (At their next sign in, users will be guided through the set up process.)
3.	Add Available Methods.	(Optional setting) Authenticator app by way of a mobile device is the default.
4.	Enable Remember this Device.	(Optional setting) Without this convenience, users will need to verify each time they sign in even after session timeouts.
5.	Enforce Multi-Factor Authentication. (As policy)	(Optional setting) Selected users will be required to set up their account and sign on using MFA at next sign in. Set up screens will guide them through the process. Users using SAML at sign in will not be affected. Individually exempted users will not be affected. (Optional setting) Organize exempted users into groups for tracking purposes.

Note: To learn more about how MOVEit Transfer users interact with multi-factor authentication (at sign-on and in MY ACCOUNT settings) see the MOVEit Transfer User Guide.

How Does MFA Affect My Users?

Multi-factor authentication in MOVEit Transfer is:

Available to registered user classes. (Guest unregistered user classes have no MOVEit Transfer account and only package-level access.)
Optional to all when enabled, unless a MOVEit Transfer system administrator requires it as policy.
Never required for user sessions initiated on the same machine or virtual machine where MOVEit Transfer runs.
Never required for users leveraging SAML.

Tip: Multi-factor authentication adds another step in the MOVEit Transfer user sign-on sequence. Users can eliminate this step by adding the current device to a list of trusted clients by selecting the "Remember this device" option at sign on.