# Configuring MFA rules

Multi-factor authentication (MFA) can be enabled or disabled for all user connections, but you can also configure more complex rules for specific connections. This functionality allows you to enable or disable MFA for the same user or computer depending on where the user is connecting from and from which device. Each MFA provider has one rule that consists of one or several criteria for matching against user connections. In turn, each criterion consists of one or several specific objects that can be matched.

You can match the following objects:

* User, a group the user belongs to, or the computer the user connects from.
* Secure Gateway the user connects to.
* Client device name.
* Client device operating system.
* IP address.
* Hardware ID. The format of a hardware ID depends on the operating system of the client.

Notice the following about the rules:

* Criteria are connected by the AND operator. For example, if a rule has a criterion that matches certain IP addresses and a criterion that matches client device operating systems, the rule will be applied when a user connection matches one of the IP addresses AND one of the client operating systems.
* Objects are connected by the OR operator. For example, if you only create a criterion for matching client device operating systems, the rule will be applied if one of the operating systems matches the client connection.

To configure a rule:

1. Navigate to **Site Settings** > **Connection** > **Multi-factor authentication**.
2. Double-click the name of the Google Authenticator provider that you want to configure.
3. Click the **Restrictions** link.
4. Click the **Edit** button.
5. Clear the **Inherit Defaults** option.
6. Specify criteria for the rule. You will find the following controls:

   * **Allow**: specifies that the MFA provider must be enabled when a user connection matches the criteria. Click **Allow** to change it to **Deny**.
   * **Deny**: specifies that the MFA provider must not be enabled when a user connection matches the criteria. Click **Deny** to change it to **Allow**.
   * **(+):** adds a new criterion. If you want to match a Secure Gateway, a client device name, a client device operating system, an IP address, or a hardware ID, click **(+)**.
   * **is:** specifies that the MFA provider must be enabled (or not enabled, per **Allow** and **Deny**) when a user connection matches the criterion. Click **is** to change it to **is not**. This control appears when at least one object is added.
   * **is not:** specifies that the MFA provider must be enabled (or not enabled, per **Allow** and **Deny**) when a user connection does not match the criterion. Click **is not** to change it to **is**. This control appears when at least one object is added.

   You can also disable and enable a criterion by clicking the switch to the left of it.
7. Click **Save** when done.
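
Before saving a rule, it helps to check which connections it would exempt from MFA. The following added example (not product code) models the semantics described above: objects joined by OR, criteria joined by AND, **is**/**is not**, and **Allow**/**Deny**. The attribute names, CIDR notation for IP objects, skipping of disabled criteria, and the outcome for non-matching connections are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Criterion:
    attribute: str         # hypothetical keys: "ip", "os", "gateway", "device", "hwid"
    objects: list          # objects inside one criterion are joined by OR
    negate: bool = False   # False models "is", True models "is not"
    enabled: bool = True   # the switch to the left of the criterion

    def matches(self, conn: dict) -> bool:
        value = conn.get(self.attribute)
        if value is None:
            hit = False
        elif self.attribute == "ip":
            # Assumption: IP objects are single addresses or CIDR ranges.
            addr = ipaddress.ip_address(value)
            hit = any(addr in ipaddress.ip_network(o, strict=False)
                      for o in self.objects)
        else:
            hit = any(str(value).lower() == o.lower() for o in self.objects)
        return hit != self.negate

@dataclass
class Rule:
    allow: bool            # True models Allow, False models Deny
    criteria: list = field(default_factory=list)

    def matches(self, conn: dict) -> bool:
        # Criteria are joined by AND; disabled ones are skipped (assumption).
        return all(c.matches(conn) for c in self.criteria if c.enabled)

    def mfa_required(self, conn: dict) -> bool:
        # Assumption: a non-matching connection gets the opposite outcome.
        return self.matches(conn) == self.allow

def sample_rule() -> Rule:
    # Constructed rule: Deny MFA for office IPs AND Windows/macOS clients.
    return Rule(allow=False, criteria=[
        Criterion("ip", ["10.0.0.0/8", "192.168.1.10"]),
        Criterion("os", ["Windows", "macOS"]),
    ])

# Constructed sample connections.
OFFICE_WINDOWS = {"ip": "10.1.2.3", "os": "Windows"}
OFFICE_LINUX = {"ip": "10.1.2.3", "os": "Linux"}
REMOTE_WINDOWS = {"ip": "203.0.113.7", "os": "Windows"}

if __name__ == "__main__":
    rule = sample_rule()
    for conn in (OFFICE_WINDOWS, OFFICE_LINUX, REMOTE_WINDOWS):
        print(conn, "MFA required:", rule.mfa_required(conn))
```

In this model, switching off the operating system criterion leaves only the IP criterion, so every office connection skips MFA, including the Linux client that was previously challenged.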
