Configuring Multifactor Authentication
You can configure identity profile settings to require users to use an external mobile authenticator to sign in to Identity Security Cloud. You can also reset multifactor authentication (MFA) for some users.
If you are signing into Identity Security Cloud using an identity provider (IdP) for the first time, you will be asked to register a Time-Based One-Time Password (TOTP) device.
Configuring MFA
- Go to Admin > Identity Management > Identity Profiles.
- Select the identity profile you want to configure to use MFA.
- Under Sign-in Method, select Multifactor Authentication.
The next time users assigned to that identity profile try to sign into Identity Security Cloud, they will be prompted to set up their mobile device with an external authenticator. On subsequent logins they will be prompted for a verification code from the authenticator.
Note
This is different from using two-factor authentication for password updates and authentication.
Resetting MFA
If a user cannot access Identity Security Cloud, you can reset their MFA to allow them to reauthenticate. For example, users might be locked out or have a new device. You can reset MFA for:
- elevated accounts that require MFA by default
- user accounts where MFA is enabled on the identity profile
To reset a user's MFA:
- Go to Admin > Identity Management > Identities.
- Find and select the identity whose MFA you want to reset.
- Select Actions > Reset MFA.
If the option cannot be selected, the user or identity profile does not have MFA configured.
The next time the user attempts to log in, they will need to set up their multifactor authentication.
Registering a Time-Based One-Time Password (TOTP) Device
Elevated users that sign into Identity Security Cloud using an identity provider (IdP) will be asked to configure an external authenticator immediately after signing in if they have not done so already. Once a device is registered, they will not be prompted to verify the external authenticator on logins through the IdP. Users will only be prompted to use the TOTP device when bypassing the IdP, such as for emergency admin accounts.
Elevated users signing into Identity Security Cloud directly who have not already configured a TOTP device will need to go through an account unlock flow before they can set up an external authenticator. This flow ensures only legitimate users can configure a TOTP device.
Note
Elevated users include any user level with access to the Admin menu.