Overview

Multi-Factor Authentication (MFA) is a security process that verifies a user's identity by requiring the user to provide multiple credentials. Typically, those factors are something that the user knows, like a PIN or a passcode, and something the user has, like a mobile device or USB token. A third factor can be a biometric factor like a fingerprint or facial or voice recognition.

For the purposes of this guide, we will consider Two-factor Authentication to be equivalent to Multi-Factor Authentication.

How Does it Work?

The second factor of authentication is delivered to a smartphone using a multi-factor authentication application like Google Authenticator, Microsoft Authenticator, VMware Verify or Authy.

Other authentication options include the use of a hardware-based authentication tool like an RSA token, a USB dongle or a YubiKey device that provides the authentication factor to the environment.

Our DaaS product can set up Multi-Factor Authentication by leveraging the VMware IT Admin portal, also known as the Enterprise Center.

It is important to note that currently only the RADIUS and RSA protocols are supported by VMware.

3rd Party MFA Applications

Setting up MFA

The following information will be needed in order to set up MFA in the DaaS IT Admin portal. 

Where applicable, the value to add in the portal is provided:

  1. 2 Factor Authentication Method: This is the protocol that you are using. It will be either Radius or RSA.
  2. Maintain Username: Yes.
  3. External Connections Only: If Yes, DaaS will not prompt for a token when logging in from specified subnets.
  4. Provider Name.
  5. Hostname / IP Address.
  6. Shared Secret: Secret word or phrase used to verify the IT Admin's identity.
  7. Authentication Port.
  8. Accounting Port.
  9. Mechanism.
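
A review of the values above before they are typed into the portal, as an added example that is not part of the product or of this manual. The field names, the 16-character secret minimum, the sample worksheet and the rule that exempt subnets should sit inside private (RFC 1918) ranges are assumptions; the subnet check matters because, with External Connections Only set to Yes, logins from a listed subnet are never asked for a token.

```python
import ipaddress

SUPPORTED_METHODS = {"Radius", "RSA"}  # the two protocols the guide lists
MIN_SECRET_LEN = 16                    # assumed local policy, not a product limit
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def token_required(client_ip, external_only, exempt_subnets):
    """'External Connections Only' rule as the guide words it: when Yes,
    logins from the specified subnets are not prompted for a token."""
    if not external_only:
        return True
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in ipaddress.ip_network(s) for s in exempt_subnets)

def review_settings(cfg):
    """Return findings for a worksheet of the nine portal values."""
    findings = []
    if cfg["method"] not in SUPPORTED_METHODS:
        findings.append("method: must be Radius or RSA")
    if cfg["maintain_username"] != "Yes":
        findings.append("maintain_username: the guide sets this to Yes")
    for key in ("provider_name", "host", "mechanism"):
        if not cfg[key].strip():
            findings.append(f"{key}: empty")
    if len(cfg["shared_secret"]) < MIN_SECRET_LEN:
        findings.append("shared_secret: shorter than the local minimum")
    for key in ("auth_port", "acct_port"):
        if not 1 <= cfg[key] <= 65535:
            findings.append(f"{key}: not a valid port number")
    if cfg["auth_port"] == cfg["acct_port"]:
        findings.append("ports: authentication and accounting ports are the same")
    if cfg["external_only"]:
        for s in cfg["exempt_subnets"]:
            net = ipaddress.ip_network(s)
            if not any(net.version == 4 and net.subnet_of(r) for r in RFC1918):
                findings.append(f"exempt_subnets: {s} is not inside a private range")
    return findings

# Constructed sample worksheet; every value is a placeholder.
SAMPLE = {
    "method": "Radius", "maintain_username": "Yes", "external_only": True,
    "exempt_subnets": ["10.20.0.0/16", "0.0.0.0/0"],
    "provider_name": "example-mfa", "host": "radius.example.internal",
    "shared_secret": "short", "auth_port": 1812, "acct_port": 1813,
    "mechanism": "PAP",
}
```

Calling `review_settings(SAMPLE)` reports the short secret and the `0.0.0.0/0` exemption, which would let every login skip the token prompt.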

This is what the page will look like:

Once MFA is set up, users will be prompted to enter the MFA code from their authentication app into their login screen before they can access their DaaS environment:

The screen changes to a new prompt where the second factor is added using Active Directory credentials:

When the authentication process is complete, the user will be able to launch their DaaS seat: