Two-Factor authentication for critical administrative actions
Configure two-factor authentication (2FA) to require additional verification before administrators perform critical actions in IBM® MaaS360®.
Two-factor authentication adds an extra security layer to protect critical administrative actions in IBM MaaS360. When you perform a configured critical action, IBM MaaS360 prompts you to verify your identity by entering a one-time passcode instead of your password. This additional verification helps protect sensitive administrative actions if administrator credentials are compromised.
- Critical actions
- Critical actions are administrative operations that your organization identifies as requiring
additional authentication before they can be completed. Once you perform these actions, you cannot
undo them. By default, the following actions are configured as critical:
- Wipe
- Profile Update
- Settings Change
- Authentication Methods
- When you perform a critical action, IBM
MaaS360 uses one of two
authentication methods:
- One-time passcode (OTP) through SMS and email
- IBM MaaS360 sends a passcode to your registered email address and phone number through email and SMS.
- Time-based one-time password (TOTP)
- Administrators use a mobile authenticator app to generate a time-based passcode.
Configuring the authentication method
Configure whether administrators use TOTP or OTP for critical action verification.
- From the IBM MaaS360 Portal home page, go to , and click Administrator Settings.
- Go to the Advanced tab and select Configure Strong Authentication.
- Select 2-Factor Authentication to use a passcode to authenticate administrators in addition to other credentials.
- Select one of the following authentication methods.
- Use Time-based Passcode
- Requires administrators to use a mobile app.
- Send OTP via Email and SMS
- Sends passcodes through email and SMS to the administrator's registered contact information
- Click Save.
IBM MaaS360 applies the selected authentication method to all critical actions.
Configuring critical actions
Note: Only administrators with the Global Administrator role or Service Administrator role with
global privileges can configure critical action settings.
- From the IBM MaaS360 Portal home page, go to , and click Administrator Settings.
- Select Basic and go to Critical Actions Authentication.
- Review the default critical actions.
- To add more actions, select them from the available list on the left and move them to the right.
- To remove actions, select them from the list on the right and move them to the left.
- Click Save.
IBM
MaaS360 enforces
additional authentication whenever an administrator performs a protected action:
- If TOTP is configured, the administrator enters a code from the authenticator application.
- If TOTP is not configured, IBM MaaS360 sends an OTP to the administrator's registered email address and phone number.
- If no actions are configured as critical actions, IBM MaaS360 uses the existing password confirmation process instead of passcode verification.