Two-Factor authentication for critical administrative actions

Configure two-factor authentication (2FA) to require additional verification before administrators perform critical actions in IBM® MaaS360®.

Two-factor authentication adds an extra security layer to protect critical administrative actions in IBM MaaS360. When you perform a configured critical action, IBM MaaS360 prompts you to verify your identity by entering a one-time passcode instead of your password. This additional verification helps protect sensitive administrative actions if administrator credentials are compromised.

Critical actions
Critical actions are administrative operations that your organization identifies as requiring additional authentication before they can be completed. Once you perform these actions, you cannot undo them. By default, the following actions are configured as critical:
  • Wipe
  • Profile Update
  • Settings Change
Authentication Methods
When you perform a critical action, IBM MaaS360 uses one of two authentication methods:
One-time passcode (OTP) through SMS and email
IBM MaaS360 sends a passcode to your registered email address and phone number through email and SMS.
Time-based one-time password (TOTP)
Administrators use a mobile authenticator app to generate a time-based passcode.

Configuring the authentication method

Configure whether administrators use TOTP or OTP for critical action verification.
  1. From the IBM MaaS360 Portal home page, go to Setup > Settings, and click Administrator Settings.
  2. Go to the Advanced tab and select Configure Strong Authentication.
  3. Select 2-Factor Authentication to use a passcode to authenticate administrators in addition to other credentials.
  4. Select one of the following authentication methods.
    Use Time-based Passcode
    Requires administrators to use a mobile app.
    Send OTP via Email and SMS
    Sends passcodes through email and SMS to the administrator's registered contact information
  5. Click Save.

IBM MaaS360 applies the selected authentication method to all critical actions.

Configuring critical actions

Note: Only administrators with the Global Administrator role or Service Administrator role with global privileges can configure critical action settings.
  1. From the IBM MaaS360 Portal home page, go to Setup > Settings, and click Administrator Settings.
  2. Select Basic and go to Critical Actions Authentication.
  3. Review the default critical actions.
    1. To add more actions, select them from the available list on the left and move them to the right.
    2. To remove actions, select them from the list on the right and move them to the left.
  4. Click Save.
IBM MaaS360 enforces additional authentication whenever an administrator performs a protected action:
  • If TOTP is configured, the administrator enters a code from the authenticator application.
  • If TOTP is not configured, IBM MaaS360 sends an OTP to the administrator's registered email address and phone number.
  • If no actions are configured as critical actions, IBM MaaS360 uses the existing password confirmation process instead of passcode verification.