Configuring Strong and Multifactor Authentication
You can configure strong authentication methods to tailor your organization's IdentityNow security settings.
Configuring Strong Authentication Methods
When SailPoint users need to use strong, or multifactor, authentication, you can control the options available to them. By default, all users can authenticate using either a verification code or by answering security questions. However, if your company has more specific requirements, you can configure them in the Strong Authentication Methods panel.
Notes
- You might need to define temporary or permanent values for work and personal email addresses and phone numbers for your users.
- You must set security questions before you can require users to answer questions.
- Go to Admin > Identities > Identity Profiles.
- Select the identity profile you want to edit.
- Under Strong Authentication Methods, select the checkboxes next to the authentication methods you want to allow, such as a verification code sent by email or phone, security questions, reentering a password, or a configured third-party integration.
Notes
- Verification codes are valid for 10 minutes.
- Refer to Providing Codes by Phone for information on those settings.
Setting User Prompts
If you configure strong authentication methods that use an alternate phone or email, or if you allow users to authenticate with knowledge-based authentication, IdentityNow prompts users to enter that information when they register or the next time they sign in.
To turn prompts off after the user has registered, clear the checkboxes next to those options in the strong authentication and password reset panels. You must select at least one strong authentication option.
Notes
- If you are using TOTP, you must still select a strong authentication option, but TOTP will be used instead.
- Users can change their alternate phone number and email addresses in their Preferences settings, but must confirm the change using the unique link sent in a time-bound email.
Signing in Using Multifactor Authentication
You can require users to use an external mobile authenticator to sign in to IdentityNow. This will provide an additional layer of security for your organization and users.
Note
This is separate from the strong authentication methods used for password updates and other protected actions. To use MFA as the sign-in method, IdentityNow must be your service provider and Multifactor Authentication must be selected as the sign-in method for the identity profile.
To configure multifactor authentication for identities:
- Go to Admin > Identities > Identity Profiles.
- Select the identity profile you want to configure to use MFA.
- Under Sign-in Method, select Multifactor Authentication.
The next time users associated with that identity profile try to sign in to IdentityNow, they are prompted to set up their mobile device with an external authenticator. On subsequent sign-ins they are prompted for a verification code from the authenticator. Note that administrators are not prompted for additional authentication when they access the Admin interface.
Resetting Multifactor Authentication
Users can reset their own MFA in IdentityNow, or an admin can reset it from the identity's Actions menu.
- Go to Admin > Identities > Identity List.
- Select the name of the identity whose MFA you want to reset.
- Select the Actions icon.
- Select Reset MFA and confirm.
The user must set up their mobile authenticator again on their next sign-in.
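The following is an added illustration of what the external-authenticator flow described in the two sections above involves on the verifying side: enrollment hands a shared secret to the authenticator app, each sign-in checks a time-based code against that secret, and Reset MFA discards the secret so the next sign-in must enroll again. It is example code written for this page, not IdentityNow's implementation, and it assumes the common authenticator defaults (RFC 6238 TOTP, HMAC-SHA1, 30-second step, 6 digits, one step of clock-skew tolerance); the page does not state which parameters IdentityNow or a given third-party authenticator actually uses.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Assumed authenticator defaults (not stated on the page): RFC 6238 with a
# 30-second step, HMAC-SHA1 and 6-digit codes, as most mobile authenticators use.
STEP_SECONDS = 30
DIGITS = 6
WINDOW = 1  # also accept the previous and next step to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // STEP_SECONDS, digits)


class MfaEnrollment:
    """Hypothetical server-side record of one identity's external authenticator."""

    def __init__(self) -> None:
        self.secret: Optional[bytes] = None
        self.last_step = -1  # highest time step already accepted (replay protection)

    def enrolled(self) -> bool:
        return self.secret is not None

    def enroll(self) -> str:
        """First sign-in after MFA is enabled: generate a fresh random secret.
        The base32 form is what the user's authenticator app is given."""
        self.secret = secrets.token_bytes(20)
        self.last_step = -1
        return base64.b32encode(self.secret).decode()

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        """Subsequent sign-ins: accept a code for the current step or one step
        either side, but never a step at or below one already consumed."""
        if self.secret is None:
            return False
        now = int(time.time()) if now is None else now
        step = now // STEP_SECONDS
        for candidate in range(step - WINDOW, step + WINDOW + 1):
            if candidate <= self.last_step:
                continue  # code for this step was already used, or is older than one we accepted
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False

    def reset(self) -> None:
        """Equivalent of the admin's Reset MFA action: the secret is discarded,
        so the next sign-in has to go through enrollment again."""
        self.secret = None
        self.last_step = -1


if __name__ == "__main__":
    record = MfaEnrollment()
    print("enroll with:", record.enroll())
    current = totp(record.secret, int(time.time()))
    print("code accepted:", record.verify(current))   # True
    print("replayed code accepted:", record.verify(current))  # False
    record.reset()
    print("enrolled after reset:", record.enrolled())  # False
```

The replay check matters because the skew window would otherwise let a captured code be reused for up to 90 seconds; tracking the last accepted step closes that gap without rejecting a user whose phone clock is slightly off.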