
Multi-factor authentication

There are 3 kinds of authentication factors:

  • Something you know --> password, PIN...

  • Something you possess --> smartphone, security key, certificate...

  • Something you are --> fingerprint, face, iris, voice...

Strong authentication is the combination of 2 factors of different kinds.
So in order to protect an application, it is important to use multi-factor authentication (MFA).

Create access rules with MFA

If you already have users and applications, you can create access rules to define how users will authenticate to an application.
You can find the details on the access rules page.

Set up the allowed factors

Trustelem factors, used in addition to the password, are:

  • SMS: users receive an SMS with a code on their mobile phone (additional cost, not available by default)

  • TOTP Authenticator: users can use any Time-based One-Time Password (TOTP) application, which provides a code (Google Authenticator, Microsoft Authenticator...)

  • Trustelem Authenticator: the mobile application made by Trustelem; if the network is up, the user receives a push notification, otherwise they can fall back to a TOTP code

    Note: the application is available on Google Play and the Apple App Store.


Usually multi-factor authentication asks for the password first, then for the second factor.
But the LDAP protocol does not support this flow: a bind carries only one password value, so there is no second prompt.

  • if you want to use push notifications with LDAP, make sure the response timeout configured on your application is long enough for the user to approve the push.

  • if you want to use a code with LDAP, submit your password and your code concatenated together in the same form field.
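As an added illustration (not Trustelem's code) of the "password + code in one field" flow described above, the following shows how a service in front of LDAP could split the single submitted value into the password and a fixed-length TOTP code and verify both; the function names, the 6-digit suffix and the demo secret are assumptions.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

CODE_DIGITS = 6   # length of the TOTP code appended to the password (assumed)
TIME_STEP = 30    # RFC 6238 default time step in seconds
DRIFT_STEPS = 1   # accept one step of clock drift either way


def totp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_credential(submitted: str, digits: int = CODE_DIGITS):
    """Split 'password + code' into (password, code); the code is the fixed-length suffix.
    A fixed code length keeps the split unambiguous even if the password ends in digits."""
    if len(submitted) <= digits:
        return None
    code = submitted[-digits:]
    if not (code.isascii() and code.isdigit()):
        return None
    return submitted[:-digits], code


def verify_bind(submitted: str, expected_password: str, secret: bytes,
                now: Optional[int] = None) -> bool:
    """Verify a concatenated LDAP bind password: both parts must be valid."""
    parts = split_credential(submitted)
    if parts is None:
        return False
    password, code = parts
    password_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    counter = int((time.time() if now is None else now) // TIME_STEP)
    # accept the code for the current step and one step either side (clock drift)
    code_ok = any(hmac.compare_digest(code, totp(secret, counter + d))
                  for d in range(-DRIFT_STEPS, DRIFT_STEPS + 1))
    # both checks are evaluated before returning, so a failure does not reveal which part was wrong
    return password_ok and code_ok
```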

To set up the allowed factors, use the URL:

https://admin-mydomain.trustelem.com/app#/security/auth

On this page, there are 3 parameters: Login, Auto-enroll and User can reset token.

Login parameter

For a chosen factor, you can activate the option Login for all users or for specific users.
When it's done:

  • the allowed users can use this factor for multi-factor authentication.
  • an administrator can enroll this factor for a user.

Auto-enroll parameter

For a chosen factor, you can activate the option Auto-enroll for all users or for specific users.
When it's done, the defined users will see an enrollment page for this factor after each authentication.
The enrollment can be skipped, but it will be shown again at the next login.


User can reset token parameter

For a chosen factor, you can activate the option User can reset token for all users or for specific users.
When it's done, the defined users can use their dashboard to reset this factor:

https://mydomain.trustelem.com/#security


Enrollment

Individual enrollment using dashboard

This has to be done by a Trustelem administrator.

Individual enrollment using email

This has to be done by a Trustelem administrator.

Auto-enrollment

  • Activate Auto-enroll for the wanted factors and users.
  • Every time users authenticate on Trustelem, a window will ask them to enroll the new factor.
  • They can skip the enrollment, but the window will keep appearing at the next authentications until they complete it.
  • All factors are independent, which means that users must enroll each factor for which "auto-enroll" is enabled.
Email campaign enrollment

  • The enrollment can be done by email campaign.
  • Every user in the selected groups will receive an activation link by email, but only if they don't already have the factor enrolled.
  • If you select multiple factors, users will have a selector in the link and will only have to enroll one of them.