MFA Rules Management

This page lists the MFA rules and lets you create new rules or delete existing ones.

An MFA rule defines how the software assigns a specific MFA provider to a user (or group of users) during the login process. The software permits different users and groups to have different MFA providers assigned to them.

Note

To define the configuration of MFA providers, please use the appropriate page for the available providers located in the Configuration section of the main navigation menu. Only MFA providers that have been successfully integrated with 12Port will be available for assignment.

MFA Rule Types

The software supports the following rules:

  • User based - this rule assigns an MFA provider to an individual user. This is the strongest assignment and overrides all other rules.
  • Group based - this rule assigns an MFA provider to a group of users from the integrated user directories. The software uses this rule when no rule assigns MFA to the individual user. If a user is a member of several groups with different MFA assignments, the software chooses the last updated (or created) rule.
  • Default - the software uses the MFA provider assigned to the default rule when no user or group based assignment exists for the logged in user. When the Default assignment is not defined, no MFA is required for the user.
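The precedence above can be modelled offline to audit which accounts would log in without an MFA challenge. The following is an added example, not 12Port code: the Rule class, the function names and the sample users, groups and dates are constructed for illustration, and the provider labels are the ones quoted on this page.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

DISABLED = "MFA Disabled (Disabled)"   # exception provider named on this page

@dataclass(frozen=True)
class Rule:
    kind: str                 # "user", "group" or "default"
    principal: Optional[str]  # user or group name; None for the default rule
    provider: str
    updated: datetime

def effective_rule(user, groups, rules):
    """Documented order: user rule, then newest matching group rule, then default."""
    for match in (lambda r: r.kind == "user" and r.principal == user,
                  lambda r: r.kind == "group" and r.principal in groups,
                  lambda r: r.kind == "default"):
        hits = [r for r in rules if match(r)]
        if hits:
            return max(hits, key=lambda r: r.updated)  # last updated wins
    return None  # no rule at all: the user logs in without MFA

def users_without_mfa(directory, rules):
    """Map each user who would not be challenged to the reason why."""
    gaps = {}
    for user, groups in directory.items():
        rule = effective_rule(user, groups, rules)
        if rule is None:
            gaps[user] = "no matching rule and no default"
        elif rule.provider == DISABLED:
            gaps[user] = f"{rule.kind} rule for {rule.principal} disables MFA"
    return gaps

def sample_rules(with_default=False):
    """Constructed rule set; dates stand in for each rule's last update."""
    duo = "Production (Duo Security)"
    rules = [Rule("group", "ops", duo, datetime(2024, 1, 10)),
             Rule("group", "contractors", DISABLED, datetime(2024, 2, 1)),
             Rule("user", "alice", duo, datetime(2024, 1, 5))]
    if with_default:
        rules.append(Rule("default", None, duo, datetime(2024, 2, 2)))
    return rules

SAMPLE_DIRECTORY = {"alice": {"contractors"}, "bob": {"ops", "contractors"},
                    "carol": set(), "dave": {"ops"}}

if __name__ == "__main__":
    for user, why in users_without_mfa(SAMPLE_DIRECTORY, sample_rules()).items():
        print(f"{user}: {why}")
```

In the sample, bob belongs to both groups and ends up with MFA disabled because the contractors rule was updated last, while carol is unprotected only until a default rule exists.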

Creating User or Group Assigned MFA Rules

To create an MFA Rule for a User or Group:

  1. Log in with an Administrator or MFA Manager account.
  2. Navigate to Management > MFA Rules and click the Add button.
  3. In the User or Group parameter, select the User or Group that will have this MFA Rule applied to their account.
  4. For the MFA Configuration parameter, select the configured MFA Provider that will be used to enforce MFA on the assigned account. The MFA Provider is labeled in the form "Name (MFA Type)", for example "Production (Duo Security)".
  5. Intelligent MFA is optional. To enable it, toggle the switch to the "on" position and configure the settings as required by your security policies.
  6. Click the Save button to complete the operation.

Tip

MFA rules can be used to assign an MFA provider as well as to make an exception for a certain user or group. Create a rule with the MFA Disabled (Disabled) provider to exclude a user or a group from the more broadly defined MFA rule category.

Creating a Default MFA Rule

To create a Default MFA Rule:

  1. Log in with an Administrator or MFA Manager account.
  2. Navigate to Management > MFA Rules and click the Manage Default button.
  3. For the MFA Configuration parameter, select the configured MFA Provider that will be used to enforce MFA on the assigned account. The MFA Provider is labeled in the form "Name (MFA Type)", for example "Production (Duo Security)".
  4. Intelligent MFA is optional. To enable it, toggle the switch to the "on" position and configure the settings as required by your security policies.
  5. Click the Save button to complete the operation.

Managing MFA Rules

To edit an existing MFA Rule:

  1. Log in with an Administrator or MFA Manager account.
  2. Locate the MFA Rule to be edited and use the Actions > Edit option to modify the rule.
  3. Make any necessary changes and click the Save button to complete the edit operation.

To delete an existing MFA Rule:

  1. Log in with an Administrator or MFA Manager account.
  2. Locate the MFA Rule to be deleted and use the Actions > Delete option to remove the rule.

Tip

You can also bulk delete MFA Rules by selecting each rule to be deleted and using the Mass Actions > Delete option.

Intelligent MFA

The Intelligent MFA feature enables adaptive multi-factor authentication (MFA) enforcement. It dynamically determines whether MFA is required based on a defined Grace Period or Frequency of logins. When a login occurs within the established norms (such as trusted locations, time periods, or frequency), the system will bypass MFA prompts during login, streamlining the user authentication process.

Intelligent MFA Options

To enable the Intelligent MFA feature:

  1. Assign a User or Group to the Principal.
  2. Select an MFA Provider for MFA Configuration. The MFA Disabled option will hide the Intelligent MFA configuration.
  3. Toggle the Parameter: Switch the Intelligent MFA setting to "on" to activate the feature.
  4. Define the Grace Period: Use the slider to configure a Grace Period, which can be set between 10 minutes and 24 hours (default is 1 hour). The Grace Period determines the amount of time, following a successful MFA login, during which the user will not be prompted for MFA again from the IP address, as long as the login Time context (Work Hours, After Hours, Holiday, or Weekend) remains unchanged.
  5. Set the Login Frequency: Adjust the slider to define the Login Frequency, with a range from 2 to 100 (default is 10). The Login Frequency specifies the maximum number of logins permitted within the Grace Period before triggering an MFA prompt. If this threshold is exceeded, MFA will be required again, until the Grace Period from the first MFA login expires.
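To see how the Grace Period and Login Frequency interact before choosing values, the documented behaviour can be replayed against a login timeline. This is an added model, not 12Port's implementation: it assumes one window per IP address and Time context pair, counts the MFA-verified login as the first login in the window, and uses constructed sample events with documentation-range IP addresses.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class IntelligentMfa:
    grace: timedelta = timedelta(hours=1)   # page default: 1 hour
    frequency: int = 10                     # page default: 10 logins
    # (ip, time_context) -> [window start, logins counted]  (assumed keying)
    windows: dict = field(default_factory=dict)

    def login(self, when, ip, context):
        """Return True when this login must pass an MFA prompt."""
        key = (ip, context)
        win = self.windows.get(key)
        if win is None or when - win[0] >= self.grace:
            # No earlier MFA login for this IP and context, or grace expired:
            # prompt, and start a new window at this MFA-verified login.
            self.windows[key] = [when, 1]
            return True
        win[1] += 1
        # Over the threshold: prompt on every login until the window that
        # began at the first MFA login expires.
        return win[1] > self.frequency

def run_sample(frequency=3):
    """Replay a constructed timeline; returns one prompt flag per login."""
    t0 = datetime(2024, 3, 4, 9, 0)
    office, other = "203.0.113.10", "198.51.100.7"
    events = [(0, office, "Work Hours"), (10, office, "Work Hours"),
              (20, office, "Work Hours"), (30, office, "Work Hours"),
              (40, office, "Work Hours"), (61, office, "Work Hours"),
              (65, other, "Work Hours"), (70, office, "After Hours"),
              (75, office, "Work Hours")]
    policy = IntelligentMfa(timedelta(hours=1), frequency)
    return [policy.login(t0 + timedelta(minutes=m), ip, ctx)
            for m, ip, ctx in events]

if __name__ == "__main__":
    flags = run_sample()
    print(flags, f"{flags.count(False)} of {len(flags)} logins skipped MFA")
```

Every False in the result is a login accepted on the first factor alone, which is the exposure the warning below describes; rerunning with larger values shows how quickly that share grows.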

Warning

While enabling Intelligent MFA can enhance the user experience by reducing the frequency of MFA prompts during login, it may reduce overall application security. This is because it introduces a grace period between MFA challenges, potentially allowing unauthorized access during this window. Ensure you carefully evaluate the security trade-offs before enabling this feature.