Adding another 2FA (user perspective)
IMPORTANT! Secfense Broker only supports combining strong (FIDO2/WebAuthn compliant) second factors. This means a user can add multiple U2F keys or combine a U2F key with Secfense Authenticator. However, users cannot mix strong authentication with weaker 2FA methods, such as TOTP codes or SMS.
Users of protected applications can add as many strong 2FAs as needed. However, only the first 2FA added is considered trusted until the user performs a specific action to trust the additional 2FAs. By default, this option to trust additional 2FAs is not enabled and must be activated by the Administrators of Secfense Broker. The feature to enable is called User Dashboard.
The User Dashboard can also be used to view your current, approved methods of authentication.
Enabling User Dashboard
To enable the User Dashboard, the operator needs to know the path within the protected application to which the user will be redirected after logging in.
To obtain the path:
Log in to the protected application and note the URL in the address bar. It might look something like https://example.com/start/app/index.html?ref=1234. Some knowledge of the HTTP protocol is needed to identify the path part of the URL (everything from the first slash after the host name up to, but not including, the first question mark); this is the part usable for this purpose. For the given example, it is advised to use "/start/app" as the User Dashboard URL.
Avoid any locations that look like random or context-dependent strings (for example session identifiers, numeric record IDs or hashes embedded in the path), since they differ between users and sessions and the icon would not appear reliably.
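The following Python helper shows how the path described above can be derived mechanically from a post-login URL. It is an added example for this page, not part of Secfense Broker, and the rules it applies (dropping a trailing file name such as index.html, rejecting segments that look like UUIDs, long hex strings or purely numeric IDs) are this example's own assumptions about what counts as a "random or context-dependent" location.

```python
import re
from urllib.parse import urlsplit

# Heuristics for segments that look random or context-dependent.
# These patterns are assumptions of this example, not Secfense rules.
_UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
_HEX_RE = re.compile(r"^[0-9a-f]{16,}$", re.I)   # long hex token / hash
_NUMERIC_RE = re.compile(r"^\d+$")               # numeric record or user id
_FILE_RE = re.compile(r"^[^/]+\.[a-z0-9]{1,5}$", re.I)  # index.html, app.js


def looks_random(segment: str) -> bool:
    """True if a path segment looks like an id, token or hash rather than a stable location."""
    return bool(
        _UUID_RE.match(segment) or _HEX_RE.match(segment) or _NUMERIC_RE.match(segment)
    )


def dashboard_path(url: str) -> str:
    """Derive a User Dashboard URL candidate from the URL seen after login.

    Keeps only the path (scheme, host, query string and fragment are dropped),
    removes a trailing file name such as index.html, and raises ValueError if
    any remaining segment looks random or context-dependent.
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    # A trailing file name is part of the page, not of the location.
    if segments and _FILE_RE.match(segments[-1]):
        segments = segments[:-1]
    bad = [s for s in segments if looks_random(s)]
    if bad:
        raise ValueError(f"path contains context-dependent segment(s): {bad}")
    return "/" + "/".join(segments) if segments else "/"


if __name__ == "__main__":
    # Constructed sample URLs for demonstration.
    print(dashboard_path("https://example.com/start/app/index.html?ref=1234"))  # /start/app
    try:
        dashboard_path("https://example.com/session/3fa85f64-5717-4562-b3fc-2c963f66afa6/home")
    except ValueError as exc:
        print("rejected:", exc)
```

For the URL given in the text the helper returns "/start/app", matching the recommended value; a path that carries a session or user identifier is rejected so that it is not entered into the "User Dashboard URL" field by mistake.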
To enable the User Dashboard:
- Go to Application Representation.
- Click Advanced Settings and scroll down to the "Other" section.
- In the "User Dashboard URL" field, input the previously identified location and click Save.
- Choose the position of the widget from the dropdown list (the widget can be moved by the user).
Once configured, users will see the Secfense icon in the designated part of the screen:
If the location is set correctly, the icon will appear only after the user logs in.
Approving additional MFA
When a user who is already enrolled in MFA tries to register another method and succeeds, they will be prompted with the following window:
They will need to authenticate with their existing method and use the User Dashboard to approve the new MFA method.
To approve the new method:
- Click the Secfense icon, which will open the User Dashboard.
- The newly added method will be listed under "Pending Security Objects" and can be:
- Approved
- Rejected
- Rejected and reported (a log will be generated for SIEM systems)
Once approved, all MFA methods can be used interchangeably.