How to use MFA redirection

Multi-Factor Authentication (MFA) redirection enables users to perform MFA on behalf of any chosen user. This means the user that is logging in can be configured to perform MFA as the redirect user, and receive an identity token for the original login user after they successfully login.

Once configured, the MFA redirection is handled automatically.

How MFA redirection works

To explain how redirection works, we've defined the following two users:

  • Original login user: The user who is actively trying to log in.
  • Redirect user: The user who has MFA setup. MFA will redirect to this user to answer any MFA challenges.

The general MFA redirection flow is:

  1. The original user attempts to login.
  2. The MFA challenges required are based on policy for the original user.
  3. The MFA redirects to the redirect user, so they can respond to all the challenges.
  4. Once the login succeeds, an identity token/cookie is provided for the original user.

In a typical use case, the redirect user will have all their account challenge attributes set:

  • Phone number
  • Configured security questions
  • Yubikey
  • Mobile Authenticator
  • etc.

This enables the redirect user to satisfy any MFA requirement.

The original login user has no attributes configured, and therefore they cannot satisfy any MFA. When the original login user is challenged for additional authentication, the MFA redirection feature can be configured so the MFA challenges are sent to the redirect user, who has the required mechanisms configured.

MFA Examples

Phone MFA example:

  • The MFA redirect user configures the original login user to have MFA redirected through them.
  • The MFA is set up to use a phone number for authentication.

Since the original login user is configured for MFA redirection, the original login user can send the MFA challenge to a redirect user that does have a phone number, and therefore can satisfy the phone MFA mechanism required to login.

The policy and authentication rules for the original login user still apply whether redirection is used or not. The specified MFA redirect user will be used to determine which MFA mechanisms are able to be satisfied, as well as perform MFA.

Note:   MFA will act as if the redirect user was directly logging in. This means password reset, forgot password, account unlock, etc. still apply exactly as it would to the redirect user, even though the original login user is the one using the login. However, once the login is complete, the identity will be granted to the original login user. The redirected user just facilitates the act of MFA.

 

Real-world example:

A real-world use case is when an admin (the original login user) uses their dash-A account to perform a privileged task rather than their normal enterprise account (the redirect user). The admin does not have a phone enrolled with their dash-A account but they do with their normal enterprise account. They do have the Mobile Authenticator associated with their enterprise account. MFA redirection enables the admin to carry one phone rather than two and use the Mobile Authenticator to satisfy the MFA.

How to set up MFA Redirection

To configure a user for MFA redirection:

  1. From the Admin Portal, navigate to Access > Users.
  2. Click on the user account you want to configure for MFA redirection.
  3. Ensure you're on the Account page and scroll down to MFA Redirection.
  4. Check the Redirect Multi-factor Authentication to a different user account box.
  5. On the user selector, click Select.
  6. Search for the user you want to use for the MFA redirection. Select the user you want to use and click OK.

    Note:   If you select a user that is the same as the user you're currently editing, you will generate an error.

  7. Click Save.