Multi-Factor Authentication (MFA) redirection enables users to perform MFA on behalf of any chosen user. This means the user that is logging in can be configured to perform MFA as the redirect user, and receive an identity token for the original login user after they successfully login.
Once configured, the MFA redirection is handled automatically.
How MFA redirection works
To explain how redirection works, we've defined the following two users:
- Original login user: The user who is actively trying to log in.
- Redirect user: The user who has MFA setup. MFA will redirect to this user to answer any MFA challenges.
MFA is performed as the redirect user, on behalf of the original login user. This means any MFA mechanism that is used (i.e. email, text, Mobile Authenticator, etc.) all are completed by the redirect user.
The general MFA redirection flow is:
- The original user attempts to login.
- The MFA challenges required are based on policy for the original user.
- The MFA redirects to the redirect user, so they can respond to all the challenges.
- Once the login succeeds, an identity token/cookie is provided for the original user.
In a typical use case:
- The original login user has no attributes configured, and therefore they cannot satisfy any MFA.
When the original login user is challenged for additional authentication, the MFA redirection feature can be configured so the MFA challenges are sent to the redirect user, who has the required mechanisms configured.
- The redirect user will have all their account challenge attributes set:
- Phone number
- Configured security questions
- Mobile Authenticator
This enables the redirect user to satisfy any MFA requirement.
The MFA redirect process acts as if the redirect user was directly logging in. The redirect user just facilitates the act of MFA, which causes any actions available during the login process (password reset, forgot password, account unlock, etc.) to apply to the redirect user's account, even though the original login user is the one using the login.
However, once the login is complete, the login identity will be granted to the original login user, and any actions (password reset, forgot password, account unlock, etc.) will apply back to the original login user's account.
Phone MFA example:
- The original login user configures their account to have MFA redirected through the redirect user.
- The MFA is set up to use a phone number for authentication.
Since the original login user is configured for MFA redirection, the original login user can send the MFA challenge to a redirect user that does have a phone number, and therefore can satisfy the phone MFA mechanism required to login.
The policy and authentication rules for the original login user still apply whether redirection is used or not. The specified MFA redirect user will be used to determine which MFA mechanisms are able to be satisfied, as well as perform MFA.
A real-world use case is when an admin (the original login user) uses their dash-A account to perform a privileged task rather than their normal enterprise account (the redirect user). The admin does not have a phone enrolled with their dash-A account but they do with their normal enterprise account. They do have the Mobile Authenticator associated with their enterprise account. MFA redirection enables the admin to carry one phone rather than two and use the Mobile Authenticator to satisfy the MFA.
How to set up MFA redirection
Note: You must have the MFA Redirect Management permission in order to set redirect for a user. All system admins already have this right applied to their account.
To configure a user for MFA redirection:
- From the Admin Portal, navigate to Access > Users.
- Click on the user account you want to configure for MFA redirection.
- Ensure you're on the MFA Redirection tab and check the Redirect Multi-factor Authentication to a different user account box.
- On the user selector, click Select.
- Search for the user you want to use for the MFA redirection. Select the user you want to use and click OK.
Note: If you select a user that is the same as the user you're currently editing, you will generate an error.
- Click Save.