Advanced Settings

The Advanced tab at the far right of the Multi-Factor Authentication (MFA) page contains important settings that you can configure to further control the MFA processes for password resets, ADSelfService Plus logins, and endpoint logins.

Reset/Unlock MFA

• Password Reset/Unlock Account MFA idle time limit: Enabling this setting will establish a time limit for how long a user can take to finish identity verification. For instance, if you set this to five minutes, users have to enter their SMS verification code or approve the push notification within five minutes.
• Deny users from performing password reset/account unlock when partially enrolled: When this option is selected, end users who have partially completed the enrollment process (e.g., enrolled in two out of four authentication methods) will not be allowed to reset passwords and unlock accounts.
• Force enrollment post successful MFA for authenticators selected for other endpoints: Enabling this setting ensures users enroll with all the authenticators required not only for reset password and account unlock, but also other endpoints like machines, VPN, OWA and applications login. Enrollment is also enforced for authenticators set as mandatory in the MFA Enrollment tab.

ADSelfService Plus Login MFA

• Enable Passwordless Login: This setting allows users to access applications and the self-service portal without a password. Please refer to this page for more information.
Note: Passwordless logins to the ADSelfService portal require the Professional Edition of ADSelfService Plus with Endpoint.
Note: To avoid security loopholes, the Trust this browser setting will be disabled when Passwordless Login is enabled. When Passwordless Login is enforced, the users have to authenticate each time they attempt to access the application.
• ADSelfService Plus login MFA process idle time is __ mins: Enabling this setting will establish a time limit for users to complete the MFA process.
• Keep the Trust this browser option selected by default: When this option is enabled, the Trust this browser checkbox will be selected by default in the MFA verification screen.
• Expire trust for a browser after ___: When this option is enabled, users will not be asked to go through MFA for the specified length of time when they log into ADSelfService Plus using trusted browsers. The duration of the trust period can be specified in days, hours, or minutes.
• Force enrollment for not enrolled users after successful password verification: When this setting is enabled, users will not be forced to go through MFA when they log in for the first time. Instead, they will be asked to go through enrollment after successful password verification.
• Force enrollment post successful MFA for authenticators selected for other endpoints: Enabling this setting ensures users enroll with all the authenticators required not only for ADSelfService Plus logins, but also for MFA during reset password and account unlock, as well as machines, VPN, OWA, and cloud application logins. Enrollment is also enforced for authenticators set as mandatory in the MFA Enrollment tab.

Cloud Application Login MFA

• Enable Passwordless Login: This setting allows users to access applications and the self-service portal without a password. Please refer to this page for more information.
Note: Passwordless logins for cloud applications require the Professional Edition of ADSelfService Plus with Endpoint MFA.
Note: To avoid security loopholes, the Trust this browser setting will be disabled when Passwordless Login is enabled. When Passwordless Login is enforced, the user has to authenticate each time they attempt to access the application.
• SSO-enabled applications login MFA process idle time limit is __ mins: Enabling this setting will set a time limit (in minutes) for users to finish the MFA process.
• Force enrollment for not enrolled users after successful password verification: When this setting is enabled, users will not be forced to go through MFA when they log in for the first time. Instead, they will be asked to go through enrollment after successful password verification.
• Keep a browser trusted for ___: When this option is enabled, users will not be asked to go through MFA for the specified length of time when they log in to ADSelfService Plus using trusted browsers. The duration of the trust period can be specified in days, hours or minutes.
• Keep the Trust this browser option selected by default: When this option is enabled, the Trust this browser checkbox will be selected by default in the MFA verification screen.
• Force enrollment post successful MFA for authenticators selected for other endpoints: Enabling this setting ensures users enroll with all the authenticators required not only for cloud application logins, but also for MFA during reset password and account unlock, as well as machines, VPN, OWA and ADSelfService Plus login. Enrollment is also enforced for authenticators set as mandatory in the MFA Enrollment tab.

Endpoint Settings

Machine Login MFA

• Machine Login MFA process idle time limit is __ mins: Enabling this setting will set a time limit for the authentication during Windows, macOS, or Linux login. For example, if you set the time limit to three minutes, users have three minutes to complete authentication using the methods enabled.
• Skip MFA when the ADSelfService Plus server is down or unreachable: This option ensures users aren't left stranded on their machine login screens during the MFA process when the ADSelfService Plus server is down or unreachable. However, this also means renouncing the advanced security layer of MFA, which is not recommended. To avoid such circumstances, deploy offline MFA. This setting is not applicable when:
  • Offline MFA is configured, and the user is enrolled with offline MFA on their device.
  • Machine-based MFA is enforced in the device.
• Keep a machine trusted for ___: When this setting is enabled, users who have logged in once using the machine login MFA can skip going through MFA authentication during subsequent logins. Enabling this setting helps users avoid going through the MFA process every time they lock and unlock their machines. The trusted machine's status will be revoked after the specified length of time lapses. The duration of the trust period can be specified in days, hours, or minutes.
• Keep the Trust this machine option selected by default: By enabling this setting, you can keep the box next to Trust this machine checked on the MFA authentication screen by default.
• __ if the user is not enrolled in MFA: This setting determines the authentication flow for the user when they have not enrolled for any of the authenticators for Machine login MFA. The admin can configure one of the following actions to occur:
  • Allow logins: The user will be permitted to bypass MFA and gain access.
  • Deny logins: The user will be restricted from access.
  • Force enrollment:
    • The user will be forced to enroll with the authenticators for online MFA and offline MFA only after successful primary authentication.
    • This option can be applied for only Windows and macOS machines. If a user is not enrolled and this option is selected, they're denied access into their Linux machine.
Important:
• Authenticators required for both MFA types will be considered collectively, so if the user isn't enrolled for any of the authenticators required for both online and offline MFA, they will be considered not enrolled. Alternatively, if they are enrolled for at least one authenticator required for either of these methods, they're considered as partially enrolled.
• This setting applies only for not enrolled users. Partially enrolled users will not be considered as not enrolled, and instead will be forced to enroll for the remaining authenticators after completing MFA using the enrolled authenticators.
• If authenticators that users cannot enroll themselves for such as custom hardware TOTP tokens and AD security questions are selected, they will be denied access even if Force enrollment is selected as only the admin can enroll them.
• When Machine-based MFA is enforced, this setting is overridden and users who haven't enrolled for any of the authenticators will be denied access to the machine, and partially enrolled users will be forced to enroll for the remaining authenticators required.
Note: Offline MFA support requires the Professional Edition ADSelfService Plus of the Endpoint MFA add-on.
• Restrict users from performing offline MFA after _ days/attempts: When this setting is enabled, offline MFA is restricted to a certain number of days or attempts and users are mandated to connect back to ADSelfService Plus once this limit is exhausted.
Note: Offline MFA requires the Professional Edition of ADSelfService Plus with Endpoint MFA.
• It is recommended that a value appropriate to your organizational requirements is entered. Setting lower values than required could leave users stranded without access to the machine.
• It is recommended that you enable this setting as any change made to the self-service policy, MFA configuration, advanced settings, and modifications related to Offline MFA enrollment will reflect in the machines for the enrolled users only after they complete MFA when online.
• This limit will be reset when the particular user performs online authentication on the specific machine.
• Force user to enroll their device for offline MFA after successful online authentication: When this setting is enabled, once a user completes online MFA in a machine, It is automatically enrolled for offline MFA without notifying the user. If not enabled, the user can choose to enroll their machine for offline MFA or skip it.

MFA for OWA Login

• OWA login MFA process can be idle for __ mins: When this setting is enabled, the user session will expire if the user is idle for more than the specified time interval.
• Skip MFA when the ADSelfService Plus server is down or unreachable: Enable this option if you want to avoid situations where the users can't access Outlook Web Access (OWA) or Exchange admin center if the ADSelfService Plus server is down or unreachable. However, be aware that enabling this option means renouncing the advanced security layer of MFA when the ADSelfService Plus server is down or unreachable, which is not recommended. To avoid these situations, deploy ADSelfService Plus with High Availability or Load Balancing.
• Keep the Trust this browser option selected by default: By enabling this setting, you can keep the box next to Trust this browser checked on the MFA authentication screen by default.
• Expire trust for a browser after __: When this setting is enabled, users who have logged in once using MFA for OWA or the Exchange admin center can skip the MFA authentication process during subsequent logins from the same browser. The trusted browser's status will be revoked after the specified length of time. The duration of the trust period can be specified in days, hours, or minutes.

VPN Login MFA

• Keep the VPN MFA session valid for __ mins: Enabling this setting will set a time limit for the second-factor authentication during VPN login. Say, if you set this to 2 minutes, users have to enter the code or approve the notification, as per the authentication method enabled, within 2 minutes.
Note: If your VPN server allows you to configure the RADIUS timeout limit, set it to a value that is greater than the session time limit you configure in this setting.
• Skip MFA when the ADSelfService Plus server is down or unreachable: Enable this option if you do not want users to be left stranded at the login screen during VPN login if the ADSelfService Plus server is down or unreachable.
• Skip MFA when the user is not enrolled for the required authenticators: Enable this option to allow users to skip MFA when they have not enrolled for the authentication methods enabled for VPN login.
• Send additional attributes as a response to the VPN server after successful MFA: Enable this option if you wish to send additional attributes to the VPN server or other RADIUS endpoints. These attributes will only be sent to the VPN provider after successful MFA and will be utilized by the VPN server to determine the level of access each user should have or other purposes. You will be able to find the full list of supported attributes with the documentation recieved from your VPN vendor.
Note: Please update the NPS extension to version 2.3 or higher to use this feature.

Configuring additional attributes:

1. If you try to enable this feature before configuring the attributes, you will be shown a pop-up to configure them. Click OK. You can also click on the Configure Attributes link.
2. You can configure RADIUS' Standard or Vendor-specific attributes and corresponding values to be sent to the VPN providers (other RADIUS endpoints).

3. Enter the Vendor ID by clicking on the Edit [] button. The Vendor ID is the unique number that denotes your VPN provider. For example, if using Fortigate, the Vendor ID is 12356.
4. Choose the Type of attribute and enter the Attribute Number, Format and Value in the fields displayed.
• For attributes of format string, the values should be in characters and for the attributes of format int, the values should be in integers.
• For enum attributes which contain multiple predefined values, provide the desired value in terms of their associated integers. For example, if you wish to use Login as the service-type attribute, enter 1 in the Value field.
• In case attributes are in the IPv4 or IPv6 address formats, please provide a valid IP address in the Value field.
• For example, your IPv4 address can look like "10.1.1.1", and your IPv6 address can look like "2001:0db8:85a3::8a2e:0370:7334".
5. Click OK after configuring all the attributes you require.
6. Once successfully configured, the Send additional attributes as a response to the VPN server after successful completion of MFA setting will be enabled.

Q&A Settings

• Display __ Questions Out Of (Available list of Security Questions) at random. With this option, you can define the number of questions to be displayed to the end user. The questions will be randomly selected by ADSelfService Plus from the available list of security questions configured under Security Question and Answer Settings.
• Display __ AD Security Questions Out Of (Available list of AD Security Questions) at random. Select this option to specify the number of AD Security Questions to be asked during the identity verification process. The questions will be randomly selected by ADSelfService Plus from the available list of security questions configured under AD Security Questions Settings.
• Display Security Questions one by one. Checking this option will display the security questions one by one (i.e., one question per page).
• Display all Security Questions. Selecting this option will display all the security questions on a single page.
• Verify security question(s) answer as case sensitive. Selecting this option will require answers to be case-sensitive.
• Hide security answers during authentication. Selecting this option will hide security answers by default.
• Prevent a user from providing their username as answer. Selecting this option will prevent users from using their usernames as an answer.
• Prevent a user from providing the same answer to multiple questions. Selecting this option will prevent users from providing the same answer to multiple questions.
• Prevent a user from using any word in the question in their answers. Selecting this option will prevent users from copying words in the questions as answers.
• Force users to use only English characters (a-z), numbers (0-9), and symbols. Selecting this option will make sure that users use only alphanumeric characters and symbols in their answers.
• Store security answers using reversible encryption. Selecting this option will store the security answers as plain text in the ADSelfService Plus database. The answers can be viewed using the Security Questions and Answers report.
• Store security answers using ___ algorithm. Selecting this option will ensures that the answers to security questions are encrypted and stored MD5 or SHA-512 algorithm.

Verification Code Settings

Mail/Mobile Attributes

• Select the attribute you want to view from the Select Type dropdown.
• Click Add Attribute to add a new attribute that contains the users' email address or mobile number.

Secondary Email/Mobile Number

• Prevent enrolling already enrolled <drop-down>: Use this option to prevent multiple users from enrolling with the same Secondary Email address and/or Mobile Number across the product.
Note:
• The duplicate verification check is performed at the product level if the flag is enabled for the policy, and the user falls under that policy. We do not validate the enrollment value with primary AD email/mobile data. We exclusively handle the duplicate check within the secondary enrollment data.
• The same mobile number can be used for enrollment by two users as long as the mobile number formats are different. They will not be considered duplicate entries. For instance, if a user has already enrolled with the number 000-111-222, another user can enroll with 0001-11-222 as long as that format is allowed. It will not be considered a duplicate entry.



• Allow or Block email addresses from the following domains ___: Use this option to block or allow emails from specified domains. If you choose Block, users will be able to add email addresses from any domain apart from the listed domain(s). Choosing Allow will ensure that only trusted email service providers are utilized by the users to receive verification codes. You can leave this field empty to allow any domain after choosing Allow.
• Allow or Block the following mobile number formats ___: Use this option to block or allow particular mobile number formats. If you choose Block, users will be able to add mobile numbers in any format apart from the listed format(s). Choosing Allow will ensure that users enter mobile numbers only in the particular format(s) configured.You can leave this field empty to allow any format after choosing Allow.
Note: If you do not want users to register secondary email address and mobile number, disable these settings:
• Allow or Block email addresses from the following domains ___
• Allow or Block the following mobile number formats ___
• Choose enforcement: Use this setting to configure whether adding secondary email addresses and mobile numbers is mandatory or optional for the users. The available options are:
• Make this registration optional
• Force users to register email address
• Force users to register mobile number
• Force users to register both email address and mobile number

Others

• Set verification code length to ___ digits: Use this setting to set the number of digits in the verification code.
• Show 'Select Email ID/Mobile No.' in the mail/mobile dropdown list as default value: Enabling this option will show Select Email ID/Mobile No. as the default value in the email and mobile drop-down during identity verification.
• Partially hide Email ID/Mobile No. on MFA pages: This option will partially hide the email address and mobile number of the user during the identity verification process.



Skip the "Choose Email Address/Mobile Number" step and auto-trigger the verification code: In some cases, the user might have enrolled in ADSelfService Plus with multiple email addresses or mobile numbers. By default, the product shows the user a drop-down to select the email address or mobile number to send the verification code to. However, when the "Choose Email Address/Mobile Number step and auto-trigger the verification code" option is checked, this drop-down is not displayed and the code is sent directly to the user's primary email address, which is determined based on:

• Email address or mobile number specified by the end user during self-enrollment, or by the admin during auto-enrollment via CSV or external databases (whichever is the latest).
• Email addresses or mobile numbers linked to the Active Directory user object. Admins can configure the mail or mobile attributes to be used for the policy, using the Advanced section of the MFA settings as shown in the screenshot below. To find it in the product GUI, log in to the product admin portal and go to Configuration → Self-Service → Multi-Factor Authentication (MFA) → Advanced tab → Verification Code → Mail/Mobile Attributes".

  

• Include admin/manager in CC of the identity verification email sent to users: Use this setting to include the user's manager or admin's email address in the CC line of the verification code email sent to the user. To achieve this:
• Check the box next to this setting.
• Enter the admin's email address in the Email ID field.
• Click Add Manager to include the email address of the user's manager.

General

• Hide CAPTCHA: Enable this setting to hide CAPTCHA in MFA pages.
• Enable MFA Backup Verification Codes: Select this setting to enable the generation of MFA backup codes that let end-users prove their identity when their MFA device or authenticator is unavailable.

About backup codes

These one-time use backup codes allow users to prove their identities in case their MFA device is not reachable or they are unable to use their enrolled MFA methods of authentication. Once the Enable one-time backup codes setting is enabled, the backup codes can be generated. End-users can save them beforehand and use them to authenticate themselves during machine or VPN logon, ADSelfService Plus portal login, or self-service actions. Backup codes can be generated in two ways:

• By the user: Users can generate backup codes in the ADSelfService Plus end-user portal. A total of five codes are generated every time the Generate Backup Codes option is used. Each code can be used only once.
• By the admin: Admins can also generate backup codes for users who have enrolled in MFA using the Enrolled Users Report. This comes in handy when users have not generated their own backup codes and cannot use the enrolled MFA methods.