Multi-Factor Authentication Enforcement Points
Organizations may require Multi-Factor Authentication:
Restricting Access to Client Applications by Using MFA
After the user enters the username and password, they are prompted to select an additional verification method: e-mail or SMS. The methods are available depending on what data the user has added and enabled for MFA on the identity provider (IDP) side. After selecting the email verification, for example, a one-time-password (OTP) code is sent to the user via mail. After providing the code, it’s verified and, either allows the access or denies it, depending on the outcome of the verification. If the whole process succeeds, the client app can proceed to getting consent and requesting an access token. This process is outlined in the diagram below:
Restricting Consent Grant for Access Scopes
After the user enters their username and password (and possibly completes the authentication MFA), the consent screen gets displayed with the scopes requested by the client application. When MFA protection is enabled for the selected scopes, additional actions are required. The user needs to select the MFA method and enter OTP provided by them via mail or SMS. As soon as the verification code is provided and its verification is successful, the scope becomes available for granting.
Enforcing MFA for Cloudentity Platform
Organizations may require multi-factor authentication from the administrator user while logging into the Cloudentity platform.
One Time Passwords (OTPs)/Verification Codes for MFA
MFA supported in Cloudentity uses the combination of the knowledge factor (username and password), or passkey, and the possession factor (One Time Password (OTP) also called verification code).
OTPs used for an additional verification of the user’s identity can be handled in Cloudentity in two ways:
- OTP sent via SMS (supported by Twilio)
- OTP sent via email (supported by any SMTP gateway)
The verification codes' length and lifetime is configurable.