Configure MFA Methods for Users

Why you need Two-Factor Authentication?

Passwords are everywhere, users use them to access their money, do communication etc. At first, we used one password for everything but that wasn’t good enough so we started making our passwords more complicated with a combination of numbers, uppercase/lowercase letters & even special characters. But no matter how complex your password or the password management system is, it is never enough to prevent account takeover because all it takes is one simple phishing email or database breach and your password is out in the world. So, if passwords are impossible to protect, how do you protect your account ?

That’s where two-factor authentication comes in. 2FA adds another method of identity verification in order to secure your accounts. First thing you know – Your username and password. Something unique that you have – Your phone or fingerprint. By combining your username and password with the second method your access becomes more secure and impossible for an attacker to pass it even if they have your password.

Configure 2FA for users

To Configure two-factor authentication (2FA) for users you need to select one of the method from "default Authentication methods" section. Authentication methods include OTP over SMS, OTP over email & OTP over both SMS and email. You can choose Authentication methods for your end-users in the following way:

Log in to the miniOrange Admin Console.
Select Configure 2FA Options For EndUsers from 2-Factor Authentication Tab.

Here you can see five main functionalities to configure 2-Factor Authentication for Users:

1. Select Default 2FA Authentication Method for your end-users:

In this method, you can select default method for end users.
Let's say you want to set OTP over SMS as default method for your end-users.
First, you have to click on the checkbox of OTP over SMS.
Then click on Save.

select sms over email 2fa method for user

To verify, the admin has to select the Users tab from the left navigation bar.
And click on the User List.

In this list, you can check for the end-user and the corresponding second factor type.
If the default 2FA method set by you is the same as the second factor type over here, then you have configured successfully.

2. Select the 2FA methods allowed to be shown to end-users

The admin has a choice to show the end-users all or any combination of 2FA methods.
The below screenshot depict that all 2FA methods which are shown to the end-users.

Suppose admin choices some other combination then, he/she has to enable and disable the checkbox accordingly.
Then click on save.
So in the end-user dashboard, he would be just able to see the above enabled methods to set 2FA for himself.

3. Advanced Options

Select the 2FA method at the time of login:
Enable this option to allow users to choose their preferred 2FA method at login.
Send Authentication QR code via Email:

Turn on this setting to email users the Authenticator QR code during onboarding, allowing them to activate their chosen Authenticator as their MFA method easily.

Select Authenticator: In the 2FA Options for End-Users section, you can select a preferred authenticator for two-factor authentication. Use the 2FA Options for End-Users dropdown to choose from the available options, and then click on Save.

miniOrange Authenticator Biometric Setting:
Activate this option to mandate biometric authentication for users in Push Notifications using the miniOrange Authenticator app.
Grid Pattern Size:
This setting defines the size of the grid used in the Grid Pattern MFA method. The grid is square, and you can choose from the following sizes: 4x4, 5x5, 6x6, 7x7, 8x8.
Grid Pattern OTP Length:
This defines how many tiles the user must select inside the grid to generate the OTP. You can configure a length between 4 to 8.

[Note: For users who have already configured Grid Pattern Size & Grid Pattern OTP Length, the configurations will not get updated.]

miniOrange Authenticator Number Matching Settings:

Number Matching MFA displays a random number on the login screen and sends a push notification to the miniOrange Authenticator app. The user must confirm the same number to approve the login; incorrect or timed-out responses are rejected. This prevents accidental approvals and protects against MFA fatigue attacks.

Configuration:

A new Number Matching toggle is introduced on the 2FA Options for End Users page. When enabled, this flow replaces the existing Accept/Deny push authentication.

Authentication:

When an end user initiates login and selects miniOrange Push, the browser displays a random number.

At the same time, a push notification is sent to the miniOrange Authenticator mobile app containing four different numbers.

The user must select the same number shown on the browser in the miniOrange Authenticator app to approve authentication.
Authentication is successful only if the selected number matches; otherwise, the request is rejected.

4. Verify 2FA for end-users

Click on Customization at the left side panel and select Branding Customization.

Here you will see Login Page URL for Organization's users.

Copy this Login Page URL in browser and enter miniorange credentials. Now you will be redirected towards end-user dashboard.
Now from the left panel click on configure 2FA in end-user dashboard.
Here you will see the methods you selected for the particular end-user.

Now you can configure default method for end users accordingly.

Contents