1. Home
  2. Security
  3. Multi Factor Authentication – MFA

Multi Factor Authentication – MFA

In today’s world, Multi Factor Authentication (MFA) needs no introduction. Applications that focus on security provide MFA as an additional layer of security on top of its regular login-in/ authentication mechanism. Falcon Deploy comes with MFA enabled as its default configuration. It is based on TOTP algorithm.

Authentication Setup

When a user account is created in Falcon Deploy, the following steps are done by the authentication framework.

  • The user’s temporary password is encrypted and stored in the database.
  • Enables the user account for MFA. A security key is setup and attached to the user’s profile.
  • A welcome email is sent to the user with a link to the password page where users can set their password. The email also has the MFA security key.
Sample welcome email with MFA secret key
Note

For security purposes, please do not share your MFA key with anyone.

2 Factor

Users are responsible for setting up the 2 Factors used for authentication.

First Factor

User is presented with a login screen. The username and password will be the 1st factor. After successful authentication, the user is presented with another screen for the 2nd Factor, the MFA.

Second Factor

User will use the dynamic code, usually a six digit number from their MFA client. The MFA code is time based and changes continuously. After entering the correct code, user is logged in to the application.

User action

As a user, when you receive the welcome email, we encourage you to reset your account password and configure a MFA client as soon as possible with the provided key.

Once the password and MFA is setup, you can login using 2 Factor authentication.

MFA client

There are few options available for setting up MFA.

  • Hardware MFA device
  • Virtual MFA device
  • SMS based MFA
Note

If you have a hardware MFA device, we recommend you use the hardware MFA device as it is more secure than a virtual MFA client. You can work with your internal security team in understanding which MFA client is preferred within the organization.

Virtual MFA devices

Virtual MFA client is a less expensive, sometimes free alternative to Hardware MFA device. You can use a smartphone or tablet as a MFA device. The software on it is responsible for generating a time based, six digit numeric code. Users will enter the code generated by the software in Falcon Deploy MFA screen.

A popular software based mobile device app is Google Authenticator. It is available on Android, iOS and BlackBerry OS. You can download the app from your app/play store and use the Falcon Deploy security key to set it up. Once setup, it will be rotating the security code at regular intervals. Every time you login, for the 2nd factor, use the code generated in the app.

Failed Login

During login, each time you fail to authenticate using MFA, you are using up login attempts. If you fail to authenticate within permitted retries, your user account will be locked.

If your account is locked, you will have to wait for a specific duration before trying again. This duration is set by your Falcon Deploy administrator. An administrator can unlock your account anytime during the wait period.

Retry count and Lock hours are configured by your Falcon Deploy administrator.

MFA screen shows remaining attempts before disabling a user account.
Note

Only administrators can reset a users MFA key. The event will be logged in audit trail. The user is notified via email about the new secret key. Administrators do not have access to a users MFA secret key. It is encrypted in the database. It is hidden in their web page view.

Updated on March 13, 2019

Related Articles