Configuring MFA for non-SSO users | SecurityHub

Product: SecurityHub
Applies to: Customer SecurityHub administrators
 

Multi-factor authentication (MFA) can be configured for domains that are not using SSO.

Note: This option is only available if you have a valid domain associated with your organization. If you do not have a valid domain associated with your organization, you can request a domain be added. For more information, see Managing domains.

When you add an MFA rule, you can specify test users as part of the configuration. The rule is initially created in testing mode, meaning that only the test users are subject to the rule. This allows you to ensure that the rule is working properly before making it available to all users in the configured domains.

MFA rules can have one of the following statuses.

  • Setup - The connector has one or more domains associated with it that can be tested using the test users. The connector is not live.
  • Active - The connector is live and in use.
  • Inactive - The connector does not have any domains associated with it.

Your contract determines which features are available and which roles can access them. Note that compliance admins only have view rights to the available features.

How to configure MFA

  1. From within SecurityHub, click Login Security.
  2. Click MFA.
  3. In the Rule Name field, enter a name for the rule.
  4. In the Select Verification field, select one of the following options:
    • To require that all users verify their identity when logging in, select Always Require Verification. If users are required to verify their identities based on other risks, they will not be asked to verify again.
    • To require users to enter a code every time they log in, select Send Verification Codes by Email. The code will be sent to the user's email every time they log in.
  5. In the Contact Email Address field, provide an email address for the person or group that can assist users with issues that prevent them from logging in. 
  6. Click Next.
  7. In the Domains field, enter the domains to which this rule will apply. Click Select all domains to display all domains. Note that domains that are associated with an SSO connector are not shown.
  8. In the Test Users field, enter the email addresses of the users that will test the rule. The users must be part of the domain. A maximum of 15 test users can be added.
  9. Click Next.
  10. Review the rule details and click Add.

How to edit a rule

  1. From within SecurityHub, click Login Security.
  2. Click MFA.
  3. In the Actions column of the rule you want to edit, click the edit icon.
  4. Click Domain Associations to update the rule status and associated domains.
  5. In the Status field, select the status. 
    • Setup - The rule has domains associated with it and can be tested. It is not active.
    • Inactive - No domains are associated with the rule.
    • Active - The rule is in use.
  6. Update domains and test users as necessary.
  7. Click Rule Details to change the rule action and countries affected by this rule.
  8. Make changes and click Save.

How to delete a rule

Only inactive rules, that is, rules that do not have domains associated with them, can be deleted.

  1. From within SecurityHub, click Login Security.
  2. Click MFA.
  3. Ensure that the rule that you want to delete is in the inactive state. If it is not in the inactive state, in the Actions column, click the edit icon, change the status to inactive and click Save.
  4. In the Actions column of the rule you want to delete, click the trashcan icon.
  5. Click Delete to confirm.

How to view rule details

  1. From within SecurityHub, click Login Security.
  2. Click Access Control.
  3. Click the name of the rule.
  4. Click Back to return to the list of rules.

 
