MFA Configuration Options


Access Manager supports RADIUS for authentication which most MFA providers utilize in their own solutions, therefore many MFA products can be successfully integrated with Access Manager.

If you have a specific MFA or 2FA provider that you would like to inquire about, please contact us for more information.

Access Manager integrates with your existing MFA provider, it does not provide its own service. Therefore, you will need to follow the configuration guides below before you can configure your MFA usage in Access Manager. This includes deploying the required Federated Sign-In Module as well as having an Administrative account with your MFA provider.

For specific MFA providers, please review the links below:

Duo Security MFA – How to Configure (Admin)

Duo Security MFA – How to Login (Users)

Google Authenticator (or other TOTP providers) – How to Configure (Admin)

Google Authenticator (or other TOTP providers) – How to Login (Users)

RADIUS – How to Configure (Admin)

Configuration Options

The MFA Configuration Options allows an Access Manager System Administrator to determine which users or groups will have to authenticate using their MFA provider in order to login.

The following options are available:


Please first read our enabling granular control over MFA configuration for different users or groups of users article to configure the System to support this feature.

Add: Select a user or group that will be added to the System MFA configuration.

Edit: Modify the System MFA configuration of the selected user or group.

Delete: Remove the selected user or group from the System MFA configuration.


Default: When selected, this specific configuration becomes the default MFA provider for all users or groups. In turn, the specific users or groups added then become exceptions to this default.

Principal: The user or group that will be bound to this configuration. Principal is removed when the Default option is enabled because default applies to all principals.

MFA Provider: The selected provider that will be bound to this principal. The list of providers is populated based on the MFA integration(s) that have been established with the System. Select the none option, if you want the principal to login without requiring MFA authentication.


The mfa-generic provider option enforces the requirement of a mfa token when a user establishes a desktop client SSH Proxysession only; it does not generate mfa tokens for any other login or connection purposes. These mfa generic tokens are generated in Management > My Profile > Preferences > MFA Code and have a 3 minute expiration time.


By default, all principals with the System Administrator role are added with no (none) MFA provider configured. This is done to prevent accidental lock out if the MFA integration or configuration is mis-configured. You may change this default behavior if needed.