Managing user multi-factor authentication (MFA) enrollments

You can enable, disable, and delete a user's MFA enrollments.

About this task

Multi-factor authentication involves the use of a second factor, typically a system-generated code that the user must provide to prove their identity. Second-factor authentication gives you more security control over users when they sign on to any application that is developed and integrated with Verify. You can disable or delete an authentication factor when a compromise or device loss occurs.

Table 1. Multi-factor authentication details
Details Descriptions
Factor The multi-factor authentication enrollment, such as:
  • Email one-time password (OTP)
  • IBM Verify (confirmation of user’s fingerprint or physical presence on the device)
  • SMS OTP (text message)
  • Time-based one-time password (TOTP).
Device The method of access that was used for the MFA enrollment, such as:
  • An email address for OTP
  • The name of the device for IBM Verify
  • A phone number for SMS OTP.
Device type The type of hardware that the MFA enrollment is installed on. Supported for the IBM Verify factor only.
  Global management settings is available for Microsoft Intune and Jamf.
Authentication method The type of authentication method available on the device, either fingerprint or user presence. Supported for the IBM Verify factor only.
Device status Indicates whether the device is enabled or disabled.
OS The operating system of the device. Supported for the IBM Verify factor only.
App version The version of the application that is being used for authentication. Supported for the IBM Verify factor only.
Date added The timestamp when the enrollment was added.
Last used The timestamp when the authentication factor was last used.

Procedure

  1. Select Directory > User & groups.
    Ensure that the Users tab is the active tab.
  2. If the user is not displayed on the page, use the search function to find the user.
  3. Hover over the user and select the User details icon when it appears.
  4. On the user's page, select the MFA settings tab.
    The MFA settings information is displayed. You can sort the details by any of the headings. See Table 1.
  5. To manage an MFA setting, select a factor row and select the menu icon when it appears.
    You can enable, disable, test, or delete an MFA enrollment factor. Typically, testing is performed for troubleshooting. If you choose to test an MFA enrollment factor, an authentication code is sent, and a message is displayed that indicates whether the test was successful.
    Note: You can test email OTP, IBM Verify, and SMS OTP authentication factors only. You can't test a TOTP authentication factor.
    If you decide to delete a factor, you must confirm the operation by selecting Delete in the confirmation prompt.