Multi-Factor Authentication in Tenant Management

Multi-factor authentication (MFA) can be used to provide an additional layer of authentication and security for users. When MFA is required, users are required to enter both a password and an MFA Token. An MFA Token is a one-time password (OTP) generated by a hardware token or virtual MFA device (for example, an app like Google Authenticator) that you provide. The device must comply with TOPT standard RFC 6238.

MFA requirements are set up in login authenticators and applied through roles. If your account manager has enabled MFA for your Tenant Management users, who all have the Partner TM Admin role, then all of these users will have the login experience described previously. If you want to configure MFA for users in your tenants, you would do so in the CXone Admin application.

MFA Secrets

An MFA secret pairs an employee's user account in Tenant Management with the hardware or virtual MFA device that employee uses to generate the OTP. Tenant Management allows you to either generate an MFA secret in either of the following ways:

• Manually — You can type an alphanumeric value into the MFA Secret field. For example, some MFA devices provide a value (often called a "key") for this purpose. If you type your own MFA Secret, the value must be either 16, 26, or 32 characters and encoded in Base32, Base32 allows you to use a 32-character set comprised of the uppercase letters A-Z and the numerals 2-7. The MFA Secret must be RFC 6238-compliant.
• Automatically — You can automatically generate a value in the MFA Secret field when you enable MFA authentication for a user. You would then pass this value to the user, who would use it to set up a virtual MFA device. For example, the user can install Google Authenticator on a mobile device and turn on two-step verification (search Google's support site for keyword authenticator).

  As of now, scanning the QR code or barcode is not supported and the employee can use only manual setup for turning on the two-step authentication using a virtual MFA device.

Enable MFA Authentication for a User

1. Navigate to and open the selected user.
2. Enter the MFA Token Period and MFA Secret.
   Learn more about the fields in this step

   Field	Details
   MFA Token Period	Enter a duration after which the MFA token in refreshed. The value must be between 15 and 300 seconds, and compatible with the virtual or hardware MFA device your organization uses. For example, Google Authenticator only allows a value of 30 seconds.
   MFA Secret	Click the Edit icon (indicated by the pencil) next to the MFA Secret field and then either manually type a value or click Generate (indicated by the circular arrows icon) to automatically generate a value. For more information, see MFA Secrets.

3. Enable Require Multi Factor Authentication for a login authenticator applied to the user's role. For more information, see Manage Login Authenticators.

4. If you are not using hardware MFA devices, make sure affected users set up their virtual MFA device using their MFA Secret and Tenant Management username.