This article outlines the steps a domain administrator can take to set up and manage multifactor authentication in a Kahua domain. For the steps a user takes to set up their own multifactor authentication, refer to Multifactor Authentication.
Establish a default authentication group
Authentication Groups allow you to manage authentication settings at a group level, rather than applying changes to each user individually. Additionally, you can create a default group with settings that are applied to all users by default. You can still create additional authentication groups to manage named users with different authentication needs.
To create a default authentication group that uses TOTP (Time-based One-Time Password) for authentication, complete the following steps:
- Navigate to Apps > Domain Settings > Authentication.
- Scroll down to External User Authentication.
- Select Manage Authentication Groups.
- Click Add to open the new group page.
- Enter a Name. You can use "Default TOTP" to indicate this is the default authentication group, or another name of your choosing.
- In the Provider Type field, select Kahua.
- Select Mfa Enabled.
- In the Mfa Type field, select TOTP.
- Click Save. The new authentication group is saved and appears in the list of authentication groups.
- IMPORTANT: If you want this to be the default authentication method for your users, you must assign the new group as the default in your domain. To do this, in the Domain User Authentication field at the bottom of this page, select the newly created group.
- Click Update. The settings in the newly created group are now the default that will be applied to any user signing into your domain who is not a member of another authentication group.
What to do when a user needs MFA reset
If a user loses access to the authenticator app (lost phone, deleted app, etc.), you can go to their user profile and un-enroll them from multifactor authentication. This removes their current multifactor authentication configuration. They will be required to re-enroll the next time they attempt to log in to Kahua.
To un-enroll a user from MFA, complete the following steps:
- Navigate to Apps > Users.
- Select the user.
- In the Enable Multifactor Authentication section, click Un-Enroll.
- The user is now un-enrolled from MFA and will be required to re-enroll the next time they attempt to log in to Kahua.