title: Multi-Factor Authentication
category: Security
tags: mfa, two-factor, totp, security, authentication
priority: Normal
Multi-Factor Authentication
Multi-Factor Authentication (MFA) adds a critical layer of security to IdentityCenter by requiring users to verify their identity with something they have (a device or code) in addition to something they know (a password). This article covers how to configure, enforce, and manage MFA across your IdentityCenter environment.
Why MFA Matters
Passwords alone are not sufficient protection for an identity governance platform. IdentityCenter has access to your entire directory, privileged group memberships, and sensitive identity data. A compromised admin account without MFA could lead to:
- Unauthorized access to all identity data
- Modification of group memberships and permissions
- Policy changes that weaken your security posture
- Exfiltration of directory information
MFA dramatically reduces the risk of account compromise, even if a password is stolen through phishing, credential stuffing, or a data breach.
Supported MFA Methods
IdentityCenter supports the following second-factor methods:
| Method | Security Level | User Experience | Requirements |
|---|---|---|---|
| TOTP (Authenticator App) | High | User opens authenticator app and enters 6-digit code | Microsoft Authenticator, Google Authenticator, Authy, or any TOTP-compatible app |
| SMS Verification | Medium | User receives a text message with a one-time code | Valid mobile phone number |
| Email Code | Medium | User receives an email with a one-time code | Valid email address; email delivery configured |
Recommendation: TOTP is the preferred method. Unlike SMS, it is not vulnerable to SIM-swapping attacks and does not depend on cellular network availability. Always prefer TOTP over SMS for administrator accounts.
Enabling MFA
Global MFA Configuration
MFA is configured globally through the Security Settings page:
- Navigate to Administration > Settings > Security
- Locate the Multi-Factor Authentication section
- Configure the following options:
| Setting | Description | Recommended Value |
|---|---|---|
| MFA Enabled | Master toggle to enable MFA across the system | Enabled |
| Enforcement Policy | Who is required to use MFA | "All Administrators" at minimum |
| Allowed Methods | Which MFA methods are available | TOTP (always), SMS and Email (optional) |
| Grace Period | Days before MFA becomes mandatory after enablement | 7 days |
| Remember Device | Allow users to skip MFA on trusted devices | Enable with 30-day expiry |
Enforcement Policies
Choose the enforcement level that matches your security requirements:
| Policy | Who Must Use MFA | Best For |
|---|---|---|
| Disabled | No one | Development and testing only |
| Optional | Users can enable it themselves | Low-security environments |
| Admins Only | Users with Administrator or higher roles | Balanced approach |
| All Users | Everyone who logs in to IdentityCenter | High-security and regulated environments |
Best Practice: At minimum, require MFA for all administrator accounts. For environments subject to compliance frameworks (SOX, HIPAA, PCI-DSS), require MFA for all users.
Per-User MFA Enforcement
Beyond the global policy, you can enforce MFA for specific users:
- Navigate to Administration > Users
- Select the user
- In the Security section, toggle Require MFA to enabled
- The user will be prompted to enroll at their next login
This is useful for:
- Requiring MFA for specific high-privilege users before rolling out globally
- Enforcing MFA on accounts that have access to sensitive data
- Temporarily requiring MFA for users under investigation
MFA Enrollment Flow
When a user is required to set up MFA, they go through the following enrollment process:
TOTP Enrollment
- User logs in with their username and password
- IdentityCenter presents a QR code and a manual setup key
- User scans the QR code with their authenticator app (Microsoft Authenticator, Google Authenticator, etc.)
- The app generates a 6-digit code that refreshes every 30 seconds
- User enters the current code to confirm enrollment
- IdentityCenter generates a set of recovery codes
- User is instructed to save recovery codes in a secure location
SMS Enrollment
- User logs in with their username and password
- User enters or confirms their mobile phone number
- IdentityCenter sends a verification SMS with a 6-digit code
- User enters the code to confirm enrollment
Email Code Enrollment
- User logs in with their username and password
- User confirms their email address
- IdentityCenter sends a verification email with a 6-digit code
- User enters the code to confirm enrollment
Recovery Codes
Recovery codes are a critical safety net for users who lose access to their MFA device:
- 8 single-use recovery codes are generated during enrollment
- Each code can be used exactly once in place of a TOTP/SMS/Email code
- Users should store these codes in a secure location (password manager, printed and locked away)
- Once all recovery codes are used, the user must contact an administrator
Administrator Recovery
If a user loses both their MFA device and their recovery codes:
- Navigate to Administration > Users
- Select the locked-out user
- Click Reset MFA
- The user's MFA enrollment is cleared
- They will be prompted to re-enroll at their next login
Important: Verify the user's identity through an out-of-band method (phone call, in-person) before resetting MFA. An attacker who has compromised the user's password may also request an MFA reset.
Session Timeout and Re-Authentication
MFA integrates with IdentityCenter's session management:
| Setting | Description | Recommended Value |
|---|---|---|
| Session Timeout | How long an idle session remains valid | 30 minutes for admins, 60 minutes for users |
| Absolute Timeout | Maximum session duration regardless of activity | 8 hours |
| Re-Authentication for Sensitive Actions | Require MFA again for critical operations | Enabled |
Sensitive actions that can trigger re-authentication:
- Changing security settings
- Modifying identity provider configurations
- Resetting another user's MFA
- Exporting audit logs
- Modifying administrator role assignments
Monitoring MFA Status
Track MFA enrollment and usage across your organization:
- Navigate to Administration > Users
- The user list shows an MFA status indicator for each account
- Filter by MFA status to find users who have not enrolled
MFA-related events are recorded in the audit log:
- MFA enrollment completed
- MFA verification succeeded / failed
- Recovery code used
- MFA reset by administrator
- MFA method changed
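An added example of reviewing these audit events for the pattern the best practices call out, repeated MFA resets against one account, plus a per-administrator tally. This is not IdentityCenter's own tooling: the tab-separated log format and the sample lines are constructed here, with only the event names taken from the list above.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real IdentityCenter output), one event per line:
# timestamp<TAB>event<TAB>actor<TAB>target account
SAMPLE_AUDIT_LOG = """\
2024-03-01T09:12:00Z\tMFA verification failed\t-\talice
2024-03-01T09:15:00Z\tMFA reset by administrator\thelpdesk1\talice
2024-03-01T09:20:00Z\tMFA enrollment completed\t-\talice
2024-03-04T14:02:00Z\tMFA reset by administrator\thelpdesk2\talice
2024-03-05T08:45:00Z\tRecovery code used\t-\tbob
2024-03-09T11:30:00Z\tMFA reset by administrator\thelpdesk1\talice
2024-03-10T16:00:00Z\tMFA reset by administrator\thelpdesk1\tcarol
2024-05-20T10:00:00Z\tMFA reset by administrator\thelpdesk2\tcarol
"""
RESET_EVENT = "MFA reset by administrator"

def parse_audit_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse tab-separated lines into (timestamp, event, actor, target) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, actor, target = line.split("\t")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, actor, target))
    return events

def frequent_mfa_resets(events, window_days: int = 30, threshold: int = 2) -> dict[str, int]:
    """Accounts reset `threshold` or more times inside any `window_days` span."""
    resets = defaultdict(list)
    for ts, event, _actor, target in events:
        if event == RESET_EVENT:
            resets[target].append(ts)
    window = timedelta(days=window_days)
    flagged = {}
    for target, times in resets.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[target] = peak
    return flagged

def resets_by_actor(events) -> dict[str, int]:
    """How many resets each administrator performed; spot one help-desk login doing them all."""
    return dict(Counter(actor for _ts, event, actor, _t in events if event == RESET_EVENT))
```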
Best Practices
- Require MFA for all administrator accounts — This is the single most impactful security measure you can take
- Prefer TOTP over SMS — TOTP is not vulnerable to SIM-swapping and works offline
- Provide recovery code guidance — Include instructions in your onboarding documentation for saving recovery codes securely
- Set a reasonable grace period — Give users 7 days to enroll after MFA is enabled to avoid lockouts
- Monitor enrollment rates — Follow up with users who have not enrolled within the grace period
- Audit MFA resets — Every MFA reset should be logged and reviewed; frequent resets for one account may indicate compromise
- Test MFA before global rollout — Enable MFA for administrators first, then extend to all users after confirming everything works
- Keep a local break-glass account — Maintain one local admin account without SSO (but with a very strong password) in case MFA or SSO becomes unavailable
Next Steps
- Identity Providers & SSO — Configure external authentication
- API Key Management — Secure programmatic access
- Audit Logging & Change Tracking — Monitor security events
- Security Hardening Guide — Full hardening checklist