UniFi Identity Enterprise - Configure MFA Methods
UniFi Identity Enterprise offers six multi-factor authentication (MFA) methods. You can require users to verify their identity with one or more of them when signing in to UniFi Identity Enterprise or accessing workspace resources.
Note: If an MFA method has been added to a policy rule in Security > Identity Firewall > Policy, you must remove it from the rule before you can disable it.
Verify
The Verify mobile app enables users to verify their accounts by entering a one-time password (OTP), tapping a verification prompt, or matching a number on their mobile devices. Its security measures make the app's enrollment data difficult to migrate or clone to another device. Verification prompts show detailed authentication context (where and when the sign-in attempt originated) and support number matching, so users can recognize prompts they did not initiate.
Notes
- For stronger protection, enable both Require PIN, Touch ID, or Face ID and Require number matching by tapping or entering a number whenever the verification prompt is enabled. Number matching prevents a user from approving a prompt they did not start (a push-fatigue attack) with a reflexive tap.
- To enable "Set as a passwordless sign-in method", you must first enable Passwordless Sign-In.
Configure User Enrollment
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > MFA > Verify and click Manage.
- Go to Authentication Method and enable the verification prompt if you want to add it to security policies. Verify OTP is enabled automatically as soon as Verify is enabled. When both Verify OTP and the verification prompt are added to a policy that applies to a user, that user can authenticate with either method. See this article for details about configuring security policies.
- Configure the verification prompt.
- Require PIN, Touch ID, or Face ID: After tapping the verification prompts, users need to verify their identity using PIN, Touch ID, or Face ID.
- Set as a passwordless sign-in method: When enabled, users can sign in using the verification prompts sent from their Verify mobile app, without having to enter passwords. Relevant sign-in policies need to be applied for this method to take effect.
- Require number matching by [tapping/entering] a number: Users must enter or tap in their Verify app the number shown on the sign-in screen.
- Remember users' devices and skip number matching for [1-90] days: When enabled, the system remembers a user's sign-in environment, including their PC, mobile device, web browser, IP address, and more. Once remembered, the user can sign in to UniFi Identity without completing number matching for the configured period. This trades some assurance for convenience: choose a short period, since a remembered browser or device that is later compromised can approve prompts without the number-matching step until the period expires.
- Go to User Enrollment to define whether users need to set up this MFA method.
- Required (Recommended): Users must set up this MFA method during their first sign-in to UniFi Identity Enterprise. They will be guided to download the Verify app and can choose to either scan the QR code or enter the security key to set up this method.
- Optional: Users can choose whether to set up this MFA method during their first sign-in to UniFi Identity Enterprise. If they choose to set it up, they will be guided to download the Verify app and can choose to either scan the QR code or enter a security key to set up this method.
- Show on the first-time sign-in page: This MFA method will show up on the UniFi Identity Enterprise first-time sign-in page. But users can still choose to set it up later in their Identity Enterprise Portal.
- Click Update.
Disable Verify
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > MFA > Verify and click Manage.
- Click Disable Verify.
- Click Disable to confirm the action.
Passkeys
Passkeys are a phishing-resistant alternative to passwords: a cryptographic credential that provides a faster, easier, and more secure sign-in. Each passkey is bound to the specific website or app it was created for, so it cannot be used on a look-alike site; this protects against phishing, man-in-the-middle attacks, brute-force attacks, credential stuffing, and similar attacks.
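The origin binding described above is enforced on the server side when an assertion comes back from the browser. The following is an added illustration of those checks, not UniFi's code: it assumes a relying party ID of login.example.com and an expected origin of https://login.example.com (both made up), builds constructed sample clientDataJSON and authenticatorData the way a browser and authenticator would, and shows that a response produced on a look-alike origin, a replayed challenge, or a non-increasing signature counter is rejected before any signature is even examined. Signature verification over authenticatorData || SHA-256(clientDataJSON) with the stored public key is assumed to follow these checks and is not shown.

```python
import base64
import hashlib
import hmac
import json

# Assumed relying party for this illustration (not from the page).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed sample of the clientDataJSON a browser produces for an assertion.
    A real browser fills in the origin of the page that called
    navigator.credentials.get(), which is what makes the origin check below work."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, counter: int, user_verified: bool = True) -> bytes:
    """Constructed 37-byte authenticatorData header: rpIdHash || flags || signCount."""
    flags = 0x01 | (0x04 if user_verified else 0)    # UP, optionally UV
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def check_assertion(client_data_json: bytes, auth_data: bytes,
                    expected_challenge: bytes, stored_counter: int) -> list:
    """Return the reasons the assertion must be rejected; an empty list means the
    binding checks passed and signature verification may proceed."""
    problems = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        problems.append("not an assertion ceremony")
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        problems.append("challenge mismatch (replayed or cross-session response)")
    if cd.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin %r is not %r" % (cd.get("origin"), EXPECTED_ORIGIN))
    if len(auth_data) < 37:
        problems.append("authenticatorData too short")
        return problems
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    counter = int.from_bytes(auth_data[33:37], "big")
    # The authenticator hashes the rpId it signed for; a credential scoped to a
    # look-alike domain produces a different hash and fails here.
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        problems.append("rpIdHash does not match %r" % RP_ID)
    if not flags & 0x01:
        problems.append("user presence flag not set")
    # A counter of 0 means the authenticator does not implement counters.
    if counter != 0 and counter <= stored_counter:
        problems.append("signature counter did not increase (possible cloned credential)")
    return problems
```

The challenge must be generated fresh per sign-in and stored server-side; the counter returned by a successful check should be persisted as the new stored counter for that credential.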
Configure User Enrollment
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > MFA > Passkeys and click Manage.
- Go to User Enrollment to define whether users need to set up this MFA method during their first sign-in to UniFi Identity Enterprise.
- Required (Recommended): Users must set up this MFA method during their first sign-in to UniFi Identity Enterprise.
- Optional: Users can choose whether to set up this MFA method during their first sign-in to UniFi Identity Enterprise.
- Show on the first-time sign-in page: This MFA method will show up on the UniFi Identity Enterprise first-time sign-in page. But users can still choose to set it up later in their Identity Enterprise Portal.
- Click Update.
Disable Passkeys
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > MFA > Passkeys and click Manage.
- Click Disable Passkeys.
- Click Disable to confirm the action.
Google Authenticator
Google Authenticator is an app that provides a time-based one-time password (TOTP). Users will be prompted to enter the time-based, six-digit code they see in the Google Authenticator app.
Note: The clock on a user's device may drift from the time used by the server that checks the code. To account for this, a time difference of plus or minus two minutes is tolerated when a Google Authenticator code is verified.
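The following is an added example (not UniFi's code) of how a TOTP verifier such as the one behind this method accepts a six-digit code within a plus or minus two-minute tolerance: it implements RFC 4226 HOTP and RFC 6238 TOTP over HMAC-SHA1 with 30-second steps, and checks every step in the tolerance window. It also refuses any step at or below the last step the user already consumed, so a code captured in transit cannot be replayed inside the window. The secret used is RFC 6238's published test key; the window and replay handling are the usual practice and are assumed, not taken from the page.

```python
import base64
import hashlib
import hmac

STEP_SECONDS = 30          # Google Authenticator's time step
DIGITS = 6
SKEW_SECONDS = 120         # the +/- two-minute tolerance mentioned above

# RFC 6238's test secret, base32-encoded the way authenticator apps expect it.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret as found in an otpauth:// URI (padding optional)."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(decode_secret(secret_b32), int(now) // step)


def verify_totp(secret_b32: str, code: str, now: float, last_counter: int = -1,
                skew_seconds: int = SKEW_SECONDS, step: int = STEP_SECONDS):
    """Return the time step that matched, or None if the code is rejected.

    Codes from any step within +/- skew_seconds of the server clock are accepted,
    which absorbs clock drift on the user's device. Any step at or below
    last_counter (the step of the last code this user successfully used) is refused,
    so a code captured in transit cannot be replayed inside the window.
    The caller must persist the returned value as the new last_counter."""
    key = decode_secret(secret_b32)
    current = int(now) // step
    window = skew_seconds // step
    matched = None
    for counter in range(current - window, current + window + 1):
        if counter < 0 or counter <= last_counter:
            continue
        # Compare every candidate instead of returning early so that response
        # timing does not reveal where in the window the real code sits.
        if hmac.compare_digest(hotp(key, counter), code) and matched is None:
            matched = counter
    return matched
```

With a 120-second tolerance and 30-second steps, nine candidate codes are valid at any moment, so the verifier should also rate-limit attempts per user; six digits give an attacker a 9 in 1,000,000 chance per guess otherwise.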
Configure User Enrollment
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > MFA > More Factors > Google Authenticator and click Manage.
- Go to User Enrollment to define whether users need to set up this MFA method during their first sign-in to UniFi Identity Enterprise.
- Required (Recommended): Users must set up this MFA method during their first sign-in to UniFi Identity Enterprise.
- Optional: Users can choose whether to set up this MFA method during their first sign-in to UniFi Identity Enterprise.
- Show on the first-time sign-in page: This MFA method will show up on the UniFi Identity Enterprise first-time sign-in page. But users can still choose to set it up later in their Identity Enterprise Portal.
- Click Update.
Disable Google Authenticator
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > MFA > More Factors > Google Authenticator and click Manage.
- Click Disable Google Authenticator.
- Click Disable to confirm the action.
Email Authentication
Email Authentication requires users to enter a six-digit OTP sent to their email address within a certain time frame.
Best Practices
- Assign a shorter challenge lifetime to your email magic links and OTPs: This narrows the window in which an unauthorized third party who intercepts an unencrypted email can use the code. Keep in mind that email is not always transmitted over secure protocols.
- Set the OTP lifetime to 10 minutes or less: The default OTP lifetime is 5 minutes. You can increase it in 5-minute intervals, up to a maximum of 30 minutes.
- Ask users to check their spam or junk folders if they did not receive an OTP.
- Ask users to request a new email authentication message if, because of network delays, the message arrives after the OTP's lifetime has expired.
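To make the lifetime guidance above concrete, here is an added example (not UniFi's code) of a server-side store for emailed six-digit OTPs. It only accepts the lifetimes the page allows (5 to 30 minutes in 5-minute steps), keeps a keyed hash rather than the code itself, rejects a code once its lifetime has passed, makes each code single-use so an intercepted code cannot be replayed after the user has used it, and locks the pending code after five failed guesses. The five-attempt limit and the in-memory dictionary are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

ALLOWED_LIFETIMES_MIN = range(5, 31, 5)   # page: 5 to 30 minutes in 5-minute steps
MAX_ATTEMPTS = 5                          # assumed lockout threshold, not from the page


def lifetime_is_valid(minutes: int) -> bool:
    return minutes in ALLOWED_LIFETIMES_MIN


def _digest(salt: bytes, code: str) -> bytes:
    # Store only a keyed hash of the code so a leaked pending-OTP table is useless.
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


class EmailOtpStore:
    """Issues single-use six-digit email OTPs and enforces their lifetime."""

    def __init__(self, lifetime_minutes: int = 5):
        if not lifetime_is_valid(lifetime_minutes):
            raise ValueError("lifetime must be 5-30 minutes in 5-minute steps")
        self.lifetime = lifetime_minutes * 60
        self._pending = {}   # email -> pending entry; one live code per address

    def issue(self, email: str, now: float) -> str:
        """Create a fresh code for `email`, replacing any earlier one. The return
        value is what would be put in the email; only its hash is kept."""
        code = "%06d" % secrets.randbelow(10 ** 6)
        salt = secrets.token_bytes(16)
        self._pending[email] = {"salt": salt, "digest": _digest(salt, code),
                                "expires": now + self.lifetime, "attempts": 0}
        return code

    def verify(self, email: str, code: str, now: float) -> str:
        """Return "ok", "expired", "locked", "wrong_code" or "no_pending_code"."""
        entry = self._pending.get(email)
        if entry is None:
            return "no_pending_code"
        if now > entry["expires"]:
            del self._pending[email]          # an expired code can never succeed
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[email]          # stop online guessing of a 6-digit code
            return "locked"
        if hmac.compare_digest(_digest(entry["salt"], code), entry["digest"]):
            del self._pending[email]          # single use: a replayed code fails
            return "ok"
        return "wrong_code"
```

A user whose message arrives late simply gets "expired" and requests a new code, which matches the last best practice above; the old code is discarded rather than extended.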
Configure User Enrollment
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > MFA > More Factors > Email Authentication and click Manage.
- Go to OTP Validity Period to determine how long an OTP is valid for (5 to 30 minutes) after it is sent to a user's email address.
- Go to User Enrollment to define whether users need to set up this MFA method during their first sign-in to UniFi Identity Enterprise.
- Required (Recommended): Users must set up this MFA method during their first sign-in to UniFi Identity Enterprise.
- Optional: Users can choose whether to set up this MFA method during their first sign-in to UniFi Identity Enterprise.
- Show on the first-time sign-in page: This MFA method will show up on the UniFi Identity Enterprise first-time sign-in page. But users can still choose to set it up later in their Identity Enterprise Portal.
- Click Update.
Disable Email Authentication
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > MFA > More Factors > Email Authentication and click Manage.
- Click Disable Email Authentication.
- Click Disable to confirm the action.
SMS Authentication
SMS Authentication requires users to enter the authentication code or security token received by SMS text message. SMS codes can be intercepted or redirected (for example, through SIM-swap attacks), so admins with concerns about the security of this method should enable other MFA methods as alternatives.
Configure User Enrollment
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > MFA > More Factors > SMS Authentication and click Manage.
- Go to User Enrollment to define whether users need to set up this MFA method during their first sign-in to UniFi Identity Enterprise.
- Required (Recommended): Users must set up this MFA method during their first sign-in to UniFi Identity Enterprise.
- Optional: Users can choose whether to set up this MFA method during their first sign-in to UniFi Identity Enterprise.
- Show on the first-time sign-in page: This MFA method will show up on the UniFi Identity Enterprise first-time sign-in page. But users can still choose to set it up later in their Identity Enterprise Portal.
- Click Update.
Disable SMS Authentication
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > MFA > More Factors > SMS Authentication and click Manage.
- Click Disable SMS Authentication.
- Click Disable to confirm the action.
Security Question
Security Question requires users to provide the correct answer to a question they've chosen from a list of options. Answers are often guessable or publicly discoverable, so this is the weakest of the six methods; treat it as a fallback alongside stronger methods rather than as a sole second factor.
Configure User Enrollment
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > MFA > More Factors > Security Question and click Manage.
- Tick the "Answer to the security question is case sensitive" checkbox if you want answers to match the exact capitalization the user set when enrolling.
- Go to User Enrollment to define whether users need to set up this MFA method during their first sign-in to UniFi Identity Enterprise.
- Required (Recommended): Users must set up this MFA method during their first sign-in to UniFi Identity Enterprise.
- Optional: Users can choose whether to set up this MFA method during their first sign-in to UniFi Identity Enterprise.
- Show on the first-time sign-in page: This MFA method will show up on the UniFi Identity Enterprise first-time sign-in page. But users can still choose to set it up later in their Identity Enterprise Portal.
- Click Update.
Disable Security Question
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > MFA > More Factors > Security Question and click Manage.
- Click Disable Security Question.
- Click Disable to confirm the action.