Configuring MFA rules
Multi-factor authentication (MFA) can be enabled or disabled for all user connections, but you can configure more complex rules for specific connections. This functionality allows you to create enable or disable MFA for the same user or computer, which will be applied depending on where the user is connecting from and from which device. Each MFA provider has one rule that consists of one or several criteria for matching against user connections. In turn, each criteria consists of one or several specific objects that can be matched.
You can match the following objects:
User, a group the user belongs to, or the computer the user connects from.
Secure Gateway the user connects to.
Client device name.
Client device operating system.
IP address.
Hardware ID. The format of a hardware ID depends on the operating system of the client.
Notice the following about the rules:
Criteria are connected by the AND operator. For example, if a rule has a criteria that matches certain IP addresses and a criteria that matches client device operating systems, the rule will be applied when a user connection matches one of the IP addresses AND one of the client operating systems.
Objects are connected by the OR operator. For example, if you only create a criteria for matching client device operating systems, the rule will be applied if one of the operating systems matches the client connection.
To configure a rule:
Navigate to Site Settings > Connection > Multi-factor authentication.
Double-click the name of the Google Authenticator provider that you want to configure.
Click the Restrictions link.
Click the Edit button.
Clear the Inherit Defaults option.
Specify criteria for the rule. You will find the following controls:
Allow: specifies that the MFA provider must be enabled when a user connection matches the criteria. Click Allow to change it to Deny.
Deny: specifies that the policy the MFA provider must not be enabled when a user connection matches the criteria. Click Deny to change it to Allow.
(+): adds a new criteria. If you want to match a Secure Gateway, a client device name, a client device operating system, an IP address, or a hardware ID, click (+).
is: specifies that the MFA provider must be enabled (or not not enabled, per Allow and Deny) when a user connection matches the criteria. Click is to change it to is not. This control appears when at least one object is added.
is not: specifies that the MFA provider must be enabled (or not not enabled, per Allow and Deny) when a user connection does not match the criteria. Click is not to change it to is. This control appears when at least one object is added.
You can also disable and enable criteria by clicking on the switch to the left of it.
Click Save when done.