Requiring Multi-Factor Authentication

Require multi-factor authentication according to risk and the level of access for a specific user class. For example, information system best practices and regulatory compliance typically require the use of these controls for administrator accounts --based on the business value and range of resources they manage.

You can require multi-factor authentication by registered user class. You can also exempt users individually.

• Require multi-factor authentication controls. SETTINGS > Security Policies > User Auth > Multi-Factor Authentication
• Exempt individual users from policy. USERS > username > User Profile - User Settings - User Authentication - Multi-Factor Authentication

Note: It is best practice to notify users of any security policies that alter the sequence of steps or information needed at sign on before you apply these controls.

Require/Enforce MFA on a User Class

This setting enables you to require a specific class of user (Administrators, for example) validate their identity with another means such as mobile authenticator or email. It is an organization-wide setting for each selected user class.

If you enforce Email-only MFA on a user class and a user from that class has no email address associated with his account, enforcing Email-only MFA limits his availability to sign-on until the account has a valid email address.