How to enable Multifactor Authentication
Summary
Related SOTI ONE Platform Products
Issue Description
An organization that uses SOTI Identity to secure access to its internal systems and applications may want to ensure that only authorized employees can access sensitive information and perform critical tasks.
In this scenario, SOTI Identity MFA (Multifactor Authentication) can be implemented to add a layer of security to the login process.
Environment
This article pertains to SOTI Identity version 2.2 and up.
Issue Resolution
Multifactor Authentication (MFA) is available only to premium plus and enterprise plus customers.
If the MFA menu is missing, create a support ticket with the customer details and the Identity tenant so that MFA can be enabled for that tenant.
To configure two-factor authentication on SOTI Identity:
1. Select SOTI Identity (Hamburger) Menu > Account Settings > Authentication Factors to access configurations.
2. Select Authentication Factors to display the two-factor authentication options available for configuration.
SOTI Identity admins can configure the following two-factor authentication options:
- Authentication by Email
- Google Authenticator
- Microsoft Authenticator
- Duo Security
The following sections describe how to configure each two-factor authentication option.
Authentication by Email
Email authentication is applicable only for SOTI Identity local accounts and LDAP Directory users. After configuring this factor, users signing in to SOTI Identity will be required to verify through email authentication.
The authentication token is sent to the email address configured in SOTI Identity.
1. Turn on Enable Authentication by Email.
2. Enter a Token Expiry Time. This limits how long an email token remains valid before users must generate a new one. The token expiry time can be set from 1 to 5 minutes.
3. Enter a Maximum Attempts limit to block users from excessive failed token entries. If a user enters the token value incorrectly more times than the limit allows, their SOTI Identity account locks until they reset their password.
4. Select Save.
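To make the two settings above concrete, here is an added example (not SOTI's code) that models an email token factor with a Token Expiry Time limited to 1 to 5 minutes and a Maximum Attempts limit after which the account locks until a password reset. The 6-digit token format, in-memory storage, the hypothetical user names and the rule that a password reset clears the lock are assumptions for illustration.

```python
# Added example (not SOTI's code): a model of the email factor's Token Expiry
# Time and Maximum Attempts settings. Token format, storage and the
# "password reset unlocks the account" rule are assumptions.
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class TokenState:
    token: Optional[str] = None          # current token; None once used or never issued
    expires_at: Optional[datetime] = None
    failures: int = 0                    # consecutive wrong entries
    locked: bool = False                 # locked until a password reset


class EmailTokenFactor:
    def __init__(self, expiry_minutes: int, max_attempts: int):
        if not 1 <= expiry_minutes <= 5:         # the article's permitted range
            raise ValueError("token expiry must be between 1 and 5 minutes")
        if max_attempts < 1:
            raise ValueError("max attempts must be at least 1")
        self.expiry = timedelta(minutes=expiry_minutes)
        self.max_attempts = max_attempts
        self._users: Dict[str, TokenState] = {}

    def _state(self, user: str) -> TokenState:
        return self._users.setdefault(user, TokenState())

    def issue(self, user: str, now: datetime) -> Optional[str]:
        """Generate a fresh 6-digit token and return it for the caller to email.
        A locked account gets no token (returns None)."""
        st = self._state(user)
        if st.locked:
            return None
        st.token = f"{secrets.randbelow(10**6):06d}"
        st.expires_at = now + self.expiry
        return st.token

    def verify(self, user: str, submitted: str, now: datetime) -> str:
        """Return 'ok', 'expired', 'invalid' or 'locked'."""
        st = self._state(user)
        if st.locked:
            return "locked"
        if st.token is None or st.expires_at is None:
            return "invalid"                      # nothing outstanding to check
        if now > st.expires_at:
            st.token = None                       # expired tokens are discarded
            return "expired"
        if hmac.compare_digest(st.token, submitted):   # constant-time comparison
            st.token = None                       # single use
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures > self.max_attempts:       # "more than the limit" locks the account
            st.locked = True
            st.token = None
            return "locked"
        return "invalid"

    def reset_password(self, user: str) -> None:
        """Assumed unlock path: a password reset clears the lock and the failure count."""
        st = self._state(user)
        st.locked = False
        st.failures = 0
        st.token = None

    def is_locked(self, user: str) -> bool:
        return self._state(user).locked


if __name__ == "__main__":
    factor = EmailTokenFactor(expiry_minutes=5, max_attempts=3)
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)    # constructed timestamp
    token = factor.issue("alice", t0)                         # hypothetical user
    print("correct token:", factor.verify("alice", token, t0 + timedelta(minutes=1)))
    print("reuse:", factor.verify("alice", token, t0 + timedelta(minutes=1)))
```

Two details matter for the lockout semantics: the comparison is constant-time, and the failure counter is only reset by a successful verification or a password reset, so issuing a new token does not give an attacker fresh attempts.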
Google Authenticator
Google Authenticator is applicable only for SOTI Identity local accounts and LDAP Directory users. After configuring this factor, users signing in to SOTI Identity will be required to verify through Google Authenticator.
1. Turn on Enable Authentication By Google Authenticator.
2. Select Save.
Microsoft Authenticator
Microsoft Authenticator is applicable only for SOTI Identity local accounts and LDAP Directory users. After configuring this factor, users signing in to SOTI Identity will be required to verify through Microsoft Authenticator.
1. Turn on Enable Authentication By Microsoft Authenticator.
2. Select Save.
Duo Security
Duo Security is applicable only for SOTI Identity local accounts and LDAP Directory users. After configuring this factor, users signing in to SOTI Identity will be required to verify through the Duo mobile app.
1. Turn on Enable Duo Security.
2. Enter values for the Integration Key, Secret Key, and API Hostname in their respective fields.
3. Choose a Duo username format:
- SOTI Identity Email: users logging into SOTI Identity must enter the full email address associated with their account.
- SOTI Identity Username: users logging into SOTI Identity must enter the exact username associated with their account.
4. Select Save.
Configuring Authentication Policy
Now that you have configured the two-factor authentication, you need to assign it to a group by configuring Policies.
1. Select the SOTI Identity menu > Account Settings > Policies.
2. Select + New Policy > Authentication.
The New Authentication Policy window opens.
3. Enter a descriptive Name.
4. Select + Add next to Multi-factor Authentication (MFA).
5. Select a two-factor authenticator to add. Google Authenticator is used as an example.
Note: Whatever you enabled in the Authentication Factors will be available in the MFA list.
6. Select Next.
7. Add conditions you want to configure.
A brief explanation of each Authentication Condition:
- To exclude users based on their IP address, turn on the IP Address toggle and enter an IP address. You can also block IP addresses within a range: choose IP Range from the dropdown list and then enter the range limits. Select Add to add more addresses or ranges.
Note: IP addresses must be in IPv4 format. IPv6 is not supported.
- To enforce MFA when a user logs in from a different location, turn on the Location toggle. When enabled, SOTI Identity compares the location of the user's login with the location of their last login. If the location is different, MFA is prompted before login.
- To enforce MFA based on a travel velocity calculation, turn on the Velocity toggle. When enabled, SOTI Identity compares the last login location and time with the new login location and time. If it is not physically possible to reach the new login location within the elapsed time, MFA is prompted before login.
8. Select Next.
9. Assign the Policy to a group. You can assign the authentication policy to a group in SOTI Identity or the external directory.
10. Select + Add next to User Groups and select your target group to add it.
11. Select Add.
The two-factor authenticator is applied to the target group. Every time a user from that group logs in, they will be required to verify themselves through the chosen authenticator.
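The three Authentication Conditions in step 7 (IP Address, Location and Velocity) are easier to reason about with a small model, so here is an added example that is not SOTI's code and not a description of how SOTI Identity implements them. It evaluates each condition against constructed login records: the IP condition accepts single IPv4 addresses, CIDR blocks or first-last ranges and rejects IPv6, matching the note above; the Location condition flags a login farther than an assumed tolerance from the last one; the Velocity condition flags a login that would require an implausible travel speed. The coordinates, the 50 km tolerance, the 1000 km/h speed ceiling, the rule syntax and the `Login` record are all assumptions, and the function reports which conditions matched rather than deciding the policy outcome, since the article does not state whether an IP match exempts or enforces MFA.

```python
# Added example (not SOTI's code): a model of the IP Address, Location and
# Velocity authentication conditions, evaluated against constructed logins.
# Coordinates, thresholds and rule syntax are assumptions for illustration.
import ipaddress
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

EARTH_RADIUS_KM = 6371.0
LOCATION_TOLERANCE_KM = 50.0       # assumed: closer than this counts as the same location
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # assumed: faster than this is impossible travel

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


@dataclass
class Login:
    """One sign-in event: source IP, geolocation in degrees and a UTC timestamp."""
    ip: str
    lat: float
    lon: float
    at: datetime


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points on the Earth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ipv4_rules(rules: Iterable[str]) -> List[IPRange]:
    """Turn rule strings into inclusive (first, last) IPv4 ranges.

    Accepted forms: a single address, CIDR notation, or 'first-last'.
    Any IPv6 rule raises ValueError, matching the article's note.
    """
    parsed: List[IPRange] = []
    for rule in rules:
        if "-" in rule:
            first, last = (ipaddress.IPv4Address(p.strip()) for p in rule.split("-", 1))
            if last < first:
                raise ValueError(f"range end before start: {rule}")
        else:
            net = ipaddress.IPv4Network(rule.strip(), strict=False)   # /32 for a single address
            first, last = net[0], net[-1]
        parsed.append((first, last))
    return parsed


def ip_condition(login: Login, rules: List[IPRange]) -> bool:
    """True when the login's source address falls inside any configured range."""
    addr = ipaddress.ip_address(login.ip)
    if addr.version != 4:
        raise ValueError("IPv6 source addresses are not supported by the IP condition")
    return any(first <= addr <= last for first, last in rules)


def location_condition(prev: Optional[Login], cur: Login) -> bool:
    """True when the login location differs from the last login location."""
    if prev is None:
        return False                    # no previous login to compare against
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) > LOCATION_TOLERANCE_KM


def velocity_condition(prev: Optional[Login], cur: Login) -> bool:
    """True when the user could not physically have travelled between the two logins."""
    if prev is None:
        return False
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.at - prev.at).total_seconds() / 3600.0
    if hours <= 0:                      # same instant or clock skew: any real move is impossible
        return distance > LOCATION_TOLERANCE_KM
    return distance / hours > MAX_PLAUSIBLE_SPEED_KMH


def evaluate_conditions(prev: Optional[Login], cur: Login, rules: List[IPRange],
                        location_on: bool = True, velocity_on: bool = True) -> Dict[str, bool]:
    """Report which enabled conditions matched; the policy decides what a match means."""
    return {
        "ip": ip_condition(cur, rules),
        "location": location_on and location_condition(prev, cur),
        "velocity": velocity_on and velocity_condition(prev, cur),
    }


# Constructed sample data (documentation address ranges, approximate city coordinates).
RULES = parse_ipv4_rules(["10.0.0.0/8", "203.0.113.10", "192.0.2.20-192.0.2.30"])
T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
PREV = Login("10.1.2.3", 43.65, -79.38, T0)                          # Toronto, 08:00 UTC
SAME_CITY = Login("192.0.2.25", 43.70, -79.40, T0.replace(hour=18))  # still Toronto, 18:00 UTC
FAR_AWAY = Login("198.51.100.7", 51.51, -0.13, T0.replace(hour=10))  # London, 10:00 UTC

if __name__ == "__main__":
    print("same city:", evaluate_conditions(PREV, SAME_CITY, RULES))
    print("far away: ", evaluate_conditions(PREV, FAR_AWAY, RULES))
```

The Velocity check is the stronger of the two geographic conditions: a Toronto login followed two hours later by a London login is about 5,700 km apart, which is far beyond any plausible speed, whereas the same pair ten hours apart would trip only the Location condition. Geolocation of IP addresses is approximate, so a real deployment needs the tolerance and speed ceiling tuned to avoid prompting users who merely changed networks.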