Use this guide to configure the Registration Methods / Multi-Factor Methods tab in the Web Admin for each SecureAuth IdP realm.
This includes enabling and configuring the Multi-Factor Authentication mechanisms, and ID provisioning.
This tab is named Registration Methods in SecureAuth IdP Version 9.0.0 and has since been renamed Multi-Factor Methods as of Version 9.0.1
1. Create a New Realm for the target resource for which the configuration settings will apply, or open an existing realm for which configurations have already been started
2. Configure the Overview, Data, and Workflow tabs in the Web Admin before configuring the Registration Methods / Multi-Factor Methods tab
If the Authentication Mode selected in the Workflow tab requires Multi-Factor Authentication, at least one registration method must be enabled on this page
The procedure is given first for Version 9.0.0 to 9.0.1 and then for Version 9.0.2+; follow the set of steps that matches the installed version
Version 9.0.0 to 9.0.1
1. In the Registration Configuration section, under Phone Settings, enable Phone Field 1 by selecting the method by which the registration code is delivered to Phone 1 (refer to the Data tab for Profile Property / data store mapping)
Select Disabled from the dropdown if no registration code will be sent to Phone 1
2. Enable Phone Field 2 - Phone Field 4 in the same manner
Select Disabled from the corresponding dropdown if no registration code will be sent to Phone 2, Phone 3, or Phone 4
3. Select Voice from the Phone / SMS Selected dropdown to default the end-user's selection to Voice on the login page
4. Select True from the Phone / SMS Visible dropdown to show both the Voice and SMS / Text options on the login page, even when only one of them is available for use
5. Set the Default Phone Country Code that will be appended to any user phone numbers in the directory that do not have a country code provided
Leave field empty if there is no default
6. Set how end-users' phone numbers are displayed by defining a Phone Mask (Regex), e.g. xxx-xx1-2345
SecureAuth IdP automatically displays phone numbers as xxx-xxx-1234
Leave field empty if the out-of-the-box display is acceptable
7. Under Email Settings, enable Email Field 1 by selecting the method by which the registration code is delivered to Email 1 (refer to the Data tab for Profile Property / data store mapping)
Select Disabled from the dropdown if no registration code will be sent to Email 1
8. Enable Email Field 2 - Email Field 4 in the same manner
Select Disabled from the corresponding dropdown if no registration code will be sent to Email 2, Email 3, or Email 4
9. Under Knowledge Based Settings, select Enabled from the KB Questions dropdown to enable the use of knowledge-based questions for Multi-Factor Authentication
10. Select the method in which the knowledge-based questions will be formatted from the KB Format dropdown
11. Select the Number of Questions that will be displayed on the login page from the dropdown
12. Select True from the KB Conversion dropdown to convert the stored knowledge-based questions from Base64 encoding to certificate-based encryption
13. Under Help Desk Settings, select Enabled from the Help Desk 1 dropdown to enable the use of Help Desk 1 for Multi-Factor Authentication
14. Provide the Phone number of the Help Desk that end-users can call for a registration code
15. Provide the Email address of the Help Desk that end-users can message for assistance
16. Select Enabled from the Help Desk 2 dropdown to enable the use of Help Desk 2 for Multi-Factor Authentication
17. Provide the Phone number of the second Help Desk that end-users can call for a registration code
18. Provide the Email address of the second Help Desk that end-users can message for assistance
Refer to Second Help Desk Registration Method Configuration Guide for more information
19. Under PIN Settings, select Enabled from the PIN Field dropdown to enable the use of static PINs for Multi-Factor Authentication
The end-user's Personal Identification Number (PIN) must be contained in the data store and mapped to the SecureAuth IdP PIN Property
20. Select True from the Open PIN dropdown to store the PIN in plain text rather than encrypted
21. Select True from the One Time Use dropdown to enable a one-time-use PIN that is immediately cleared from the directory after use
This is typically utilized for first-time users in self-service enrollment processes
22. Select True from the Show When Empty dropdown to display the One Time Use PIN as an option on the login page even when it is inactive for use
23. Under Time-based Passcodes (OATH), select Enabled from the Time-based Passcodes dropdown to enable the use of mobile, browser, desktop, or third-party OATH OTP soft tokens for Multi-Factor Authentication
24. Select the number of digits of which a Passcode is comprised from the Passcode Length dropdown
25. Set the number of seconds during which a Passcode is displayed in the Passcode Change Interval field
26. Set the number of minutes during which a Passcode is valid to make up for time differences between devices in the Passcode Offset field
The Passcode Length and Passcode Change Interval fields must match the values configured in the Post Authentication tab of the SecureAuth App Enrollment Realm
27. Set the number of minutes during which the account is locked from utilizing Passcodes after too many failed OTP attempts in the Cache Lockout Duration field
28. Under Mobile Login Requests (Push Notifications), select the type of Push Notification(s) to be used in this realm for Multi-Factor Authentication from the Push Notification Field dropdown
- Passcode (OTP): Enable the use of Push Notifications, which are one-time passcodes sent (pushed) directly to an end-user's enrolled mobile device
- Accept / Deny: Enable the use of Push-to-Accept requests, which are login requests sent to the SecureAuth Authenticate App for iOS and Android that require an end-user to Accept or Deny the login request
- Passcode (OTP) + Accept / Deny: Enable the use of Push Notifications and Push-to-Accept requests
29. Select the number of minutes a Push-to-Accept request is valid for response from the Login Request Timeout dropdown (if an Accept / Deny option is selected in step 28)
30. Set the Company Name, which displays on the Push-to-Accept request (optional, and if an Accept / Deny option is selected in step 28)
31. Set the Application Name to the post-authentication target (e.g. Salesforce, Password Reset, etc.), which displays on the Push-to-Accept request (optional, and if an Accept / Deny option is selected in step 28)
32. Limit the number of devices enrolled for Push Notifications / Push-to-Accept requests in the Max Device Count field
Set this to -1 if there is no limit
33. Select Allow to replace from the When exceeding max count dropdown to enable device replacement once the limit has been reached
34. Select Created Time from the Replace in order by dropdown to replace the oldest enrolled device with the new one
Select Last Access Time to replace the least recently used enrolled device with the new one
35. Under Symantec VIP Settings, select Enabled from the Symantec VIP Integration dropdown to initiate the integration of Symantec VIP with SecureAuth IdP
36. Provide the certificate serial number (provided by Symantec) in the Issued Cert SN field
37. Select Enabled from the Symantec VIP Field dropdown to enable the use of Symantec VIP tokens for Multi-Factor Authentication
38. Under Advanced Settings, check Missing Phone, Missing Email, Missing KB Answers, and/or Missing PIN from the Inline Initialization menu to enable end-users to update or provide missing information and then be redirected back to the login pages
39. Select Enabled from the Auto-Submit When One Avail dropdown to automatically select the registration method on the login page when only one is available for the user's account
40. Select the number of digits of which the One-time Passwords (OTPs) will be comprised from the OTP Length dropdown
41. Select True from the Lock User dropdown to lock an end-user's directory account after too many failed login attempts
42. Under Registration Method Order, drag and drop the enabled registration methods on the list to organize their display on the login page
43. Select True from the Validate Yubikey dropdown to enable the use of Yubikeys for Multi-Factor Authentication
44. Provide the Yubikey Provision Page URL at which end-users can provision their Yubikeys
This would be another SecureAuth IdP realm, configured in the Post Authentication tab
NOTE: In 9.0.1+, the Social Identity configuration section is moved to the Workflow tab
45. Under Facebook, select True from the Enable dropdown to enable the use of Facebook ID for Multi-Factor Authentication
46. Provide the Client ID, which is provided by Facebook
47. Provide the Client Secret, which is provided by Facebook
The Client ID and the Client Secret must match exactly here and on Facebook's side
48. From the Store Facebook ID at dropdown, select the field in which the Facebook ID is stored (e.g. Aux ID 1)
49. Under Google, select True from the Enable dropdown to enable the use of Google ID for Multi-Factor Authentication
50. Provide the Client ID, which is provided by Google
51. Provide the Client Secret, which is provided by Google
The Client ID and the Client Secret must match exactly here and on Google's side
52. From the Store Google ID at dropdown, select the field in which the Google ID is stored (e.g. Aux ID 2)
53. Under Windows Live, select True from the Enable dropdown to enable the use of Windows Live ID for Multi-Factor Authentication
54. Provide the Client ID, which is provided by Windows Live
55. Provide the Client Secret, which is provided by Windows Live
The Client ID and the Client Secret must match exactly here and on Windows Live's side
56. From the Store Windows Live ID at dropdown, select the field in which the Windows Live ID is stored (e.g. Aux ID 3)
57. Under LinkedIn, select True from the Enable dropdown to enable the use of LinkedIn ID for Multi-Factor Authentication
58. Provide the Client ID, which is provided by LinkedIn
59. Provide the Client Secret, which is provided by LinkedIn
The Client ID and the Client Secret must match exactly here and on LinkedIn's side
60. From the Store LinkedIn ID at dropdown, select the field in which the LinkedIn ID is stored (e.g. Aux ID 4)
Click Save once the configurations have been completed and before leaving the Registration Methods / Multi-Factor Methods page to avoid losing changes
Version 9.0.2+
In SecureAuth IdP 9.0.2+, when the end-user is presented with the page of Multi-Factor Authentication methods from which to choose, the method last selected and used in a successful login persists as the default method for the next login in each device / browser
1. In the Registration Configuration section, under Phone Settings, enable Phone Field 1 by selecting the method by which the registration code is delivered to Phone 1 (refer to the Data tab for Profile Property / data store mapping)
Select Disabled from the dropdown if no registration code will be sent to Phone 1
2. Enable Phone Field 2 - Phone Field 4 in the same manner
Select Disabled from the corresponding dropdown if no registration code will be sent to Phone 2, Phone 3, or Phone 4
3. Select Voice from the Phone / SMS Selected dropdown to default the end-user's selection to Voice on the login page
4. Select True from the Phone / SMS Visible dropdown to show both the Voice and SMS / Text options on the login page, even when only one of them is available for use
5. Set the Default Phone Country Code that will be appended to any user phone numbers in the directory that do not have a country code provided
Leave field empty if there is no default
6. Set how end-users' phone numbers are displayed by defining a Phone Mask (Regex), e.g. xxx-xx1-2345
SecureAuth IdP automatically displays phone numbers as xxx-xxx-1234
Leave field empty if the out-of-the-box display is acceptable
7. In the Phone Number Blocking frame, under Block phone numbers from the following sources, select the types of phone numbers to block
8. Check Enable to Block phone numbers that have recently changed carriers, then select a directory attribute to Store carrier information in
9. Check Enable block/allow list to Block or allow phone numbers by carrier or country, then click Define list of blocked/allowed numbers and carriers
Refer to Phone Number Profiling Service Configuration Guide for more information on configuring Phone Number Blocking settings
10. Under Email Settings, enable Email Field 1 by selecting the method by which the registration code is delivered to Email 1 (refer to the Data tab for Profile Property / data store mapping)
Select Disabled from the dropdown if no registration code will be sent to Email 1
11. Enable Email Field 2 - Email Field 4 in the same manner
Select Disabled from the corresponding dropdown if no registration code will be sent to Email 2, Email 3, or Email 4
12. Under Knowledge Based Settings, select Enabled from the KB Questions dropdown to enable the use of knowledge-based questions for Multi-Factor Authentication
13. Select the method in which the knowledge-based questions will be formatted from the KB Format dropdown
14. Select the Number of Questions that will be displayed on the login page from the dropdown
15. Select True from the KB Conversion dropdown to convert the stored knowledge-based questions from Base64 encoding to certificate-based encryption
16. Under Help Desk Settings, select Enabled from the Help Desk 1 dropdown to enable the use of Help Desk 1 for Multi-Factor Authentication
17. Provide the Phone number of the Help Desk that end-users can call for a registration code
18. Provide the Email address of the Help Desk that end-users can message for assistance
19. Select Enabled from the Help Desk 2 dropdown to enable the use of Help Desk 2 for Multi-Factor Authentication
20. Provide the Phone number of the second Help Desk that end-users can call for a registration code
21. Provide the Email address of the second Help Desk that end-users can message for assistance
Refer to Second Help Desk Registration Method Configuration Guide for more information
22. Under PIN Settings, select Enabled from the PIN Field dropdown to enable the use of static PINs for Multi-Factor Authentication
The end-user's Personal Identification Number (PIN) must be contained in the data store and mapped to the SecureAuth IdP PIN Property
23. Select True from the Open PIN dropdown to store the PIN in plain text rather than encrypted
24. Select True from the One Time Use dropdown to enable a one-time-use PIN that is immediately cleared from the directory after use
This is typically utilized for first-time users in self-service enrollment processes
25. Select True from the Show When Empty dropdown to display the One Time Use PIN as an option on the login page even when it is inactive for use
26. Under Time-based Passcodes (OATH), select Enabled from the Time-based Passcodes dropdown to enable the use of mobile, browser, desktop, or third-party OATH OTP soft tokens for Multi-Factor Authentication
27. Select the number of digits of which a Passcode is comprised from the Passcode Length dropdown
28. Set the number of seconds during which a Passcode is displayed in the Passcode Change Interval field
29. Set the number of minutes during which a Passcode is valid to make up for time differences between devices in the Passcode Offset field
The Passcode Length and Passcode Change Interval fields must match the values configured in the Post Authentication tab of the SecureAuth App Enrollment Realm
30. Set the number of minutes during which the account is locked from utilizing Passcodes after too many failed OTP attempts in the Cache Lockout Duration field
31. Under Mobile Login Requests (Push Notifications), select the type of Push Notification(s) to be used in this realm for Multi-Factor Authentication from the Push Notification Field dropdown
- Passcode (OTP): Enable the use of Push Notifications, which are one-time passcodes sent (pushed) directly to an end-user's enrolled mobile device
- Accept / Deny: Enable the use of Push-to-Accept requests, which are login requests sent to the SecureAuth Authenticate App for iOS and Android that require an end-user to Accept or Deny the login request
- Passcode (OTP) + Accept / Deny: Enable the use of Push Notifications and Push-to-Accept requests
32. Select the number of minutes a Push-to-Accept request is valid for response from the Login Request Timeout dropdown (if an Accept / Deny option is selected in step 31)
33. Set the Company Name, which displays on the Push-to-Accept request (optional, and if an Accept / Deny option is selected in step 31)
34. Set the Application Name to the post-authentication target (e.g. Salesforce, Password Reset, etc.), which displays on the Push-to-Accept request (optional, and if an Accept / Deny option is selected in step 31)
35. Limit the number of devices enrolled for Push Notifications / Push-to-Accept requests in the Max Device Count field
Set this to -1 if there is no limit
36. Select Allow to replace from the When exceeding max count dropdown to enable device replacement once the limit has been reached
37. Select Created Time from the Replace in order by dropdown to replace the oldest enrolled device with the new one
Select Last Access Time to replace the least recently used enrolled device with the new one
38. Under Symantec VIP Settings, select Enabled from the Symantec VIP Integration dropdown to initiate the integration of Symantec VIP with SecureAuth IdP
39. Provide the certificate serial number (provided by Symantec) in the Issued Cert SN field
40. Select Enabled from the Symantec VIP Field dropdown to enable the use of Symantec VIP tokens for Multi-Factor Authentication
41. Under Multi-Factor Settings, check Missing Phone, Missing Email, Missing KB Answers, and / or Missing PIN from the Inline Initialization menu to enable end-users to update or provide missing information and then be redirected back to the login pages
42. Select Enabled from the Auto-Submit When One Avail dropdown to automatically select the registration method on the login page when only one is available for the user's account
43. Select the number of digits of which the One-time Passwords (OTPs) will be comprised from the OTP Length dropdown
44. Check Enable multi-factor throttling to limit the number of multi-factor attempts that are allowed within a rolling time period (specified below)
Refer to Multi-Factor Throttling Configuration Guide for more information
45. Under Registration Method Order, drag and drop the enabled registration methods on the list to organize their display on the login page
46. Select True from the Validate Yubikey dropdown to enable the use of Yubikeys for Multi-Factor Authentication
47. Provide the Yubikey Provision Page URL at which end-users can provision their Yubikeys
This would be another SecureAuth IdP realm, configured in the Post Authentication tab
Click Save once the configurations have been completed and before leaving the Multi-Factor Methods page to avoid losing changes
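The Time-based Passcodes (OATH) settings in steps 23 to 27 of the Version 9.0.0 to 9.0.1 procedure and steps 26 to 30 of the Version 9.0.2+ procedure correspond to the parameters of a standard RFC 6238 check. The Python below is an added example, not SecureAuth IdP code: it shows how Passcode Length, Passcode Change Interval, Passcode Offset and Cache Lockout Duration shape what a server accepts, and adds a replay guard so a passcode is only accepted once. The secret, the max_failures count and the mapping of Web Admin fields to constructor parameters are assumptions of the example.

```python
import hashlib
import hmac
import struct

# Constructed for this example: the RFC 4226 / RFC 6238 reference secret, not a real seed.
EXAMPLE_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, digits: int = 6, interval: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, int(at) // interval, digits)

class OathVerifier:
    """Server-side passcode check whose parameters mirror the realm's OATH fields (assumed mapping)."""

    def __init__(self, secret, passcode_length=6, change_interval_secs=30,
                 offset_minutes=1, lockout_minutes=15, max_failures=5):
        self.secret = secret
        self.passcode_length = passcode_length              # Passcode Length
        self.change_interval_secs = change_interval_secs    # Passcode Change Interval
        self.offset_minutes = offset_minutes                # Passcode Offset
        self.lockout_minutes = lockout_minutes              # Cache Lockout Duration
        self.max_failures = max_failures                    # assumed; the page gives no count
        self.failures = 0
        self.locked_until = 0
        self.last_step = -1   # highest time step already consumed, to refuse replay

    def verify(self, code: str, now: int) -> str:
        if now < self.locked_until:
            return "locked"
        if len(code) != self.passcode_length or not (code.isascii() and code.isdigit()):
            return self._fail(now)
        # Passcode Offset (minutes) widens the accepted window by this many steps each way
        window = (self.offset_minutes * 60) // self.change_interval_secs
        current = now // self.change_interval_secs
        for step in range(max(0, current - window), current + window + 1):
            if hmac.compare_digest(hotp(self.secret, step, self.passcode_length), code):
                if step <= self.last_step:
                    return "replayed"   # right code, but already used once
                self.last_step = step
                self.failures = 0
                return "accepted"
        return self._fail(now)

    def _fail(self, now: int) -> str:
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_minutes * 60
            self.failures = 0
        return "rejected"
```

A Passcode Offset of 1 minute with a 30-second Passcode Change Interval accepts codes from two steps before to two steps after the server's current step, so a device whose clock is a minute off still logs in, while a code reused within that window is refused.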