Multi-factor authentication

There are 3 kinds of authentication factors:

  • Something you know –> password, PIN…

  • Something you possess –> smartphone, security key, certificate…

  • Something you are –> fingerprint, face, iris, voice…

Strong authentication is the combination of 2 factors of different kinds.
So in order to protect an application, it is important to require multi-factor authentication (MFA).

Create an access rule with MFA

If you already have users and applications, you can create access rules to define how users authenticate to each application.
The details are documented at:

https://doc-trustelem.wallix.com/administration/accessrules/

Set up the allowed factors

Trustelem factors, used in addition to the password, are:

  • SMS: users receive an SMS containing a code on their mobile phone.

  • Google Authenticator: users can use any Time-based One-Time Password (TOTP) application, which generates the code.

  • Trustelem Authenticator: the mobile application made by Trustelem; if the network is up, the user receives a push notification, otherwise they can use a TOTP.

    Note: the application is available on Google Play and the Apple App Store.


  • Security key: users plug in a FIDO security key. Compatible keys are listed, for example, at:

https://www.yubico.com/fr/works-with-yubikey/catalog/trustelem/

A multi-factor authentication flow usually asks for the password first and then for the second factor.
The LDAP protocol does not support this two-step flow, so:

  • if you want to use push notifications with LDAP, make sure the timeout configured on your application is long enough for the user to approve the notification.

  • if you want to use a code with LDAP, enter your password and your code concatenated in the same field.
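The TOTP codes mentioned under "Google Authenticator" and the concatenated password+code that an LDAP client sends are easier to reason about with a worked example. The following is an added illustration, not Trustelem's own code: it generates RFC 6238 TOTP codes (HMAC-SHA1, 30-second step, 6 digits, as Google Authenticator uses by default), and shows how a verifier on the LDAP side could split the combined field and check both parts. The field layout (password followed by a 6-digit code), the `hunter2` password and the shared secret are constructed assumptions for the demonstration; the secret is the RFC 6238 test-vector secret so the values can be checked against the RFC.

```python
import hashlib
import hmac
import struct

# Constructed sample data: the RFC 6238 Appendix B test secret (ASCII "12345678901234567890")
# and a placeholder password. A real verifier compares against a password hash, not plaintext.
SHARED_SECRET = b"12345678901234567890"
STORED_PASSWORD = "hunter2"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    dbc = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(dbc % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring steps (clock drift).
    Constant-time comparison avoids leaking how many leading digits matched."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def split_password_and_code(field: str, digits: int = 6):
    """Split 'password<code>' (assumed layout: code is the trailing `digits` characters).
    Returns (password, code) or None when the field is too short or the suffix is not numeric."""
    if len(field) <= digits or not field[-digits:].isdigit():
        return None
    return field[:-digits], field[-digits:]


def check_ldap_bind(field: str, stored_password: str, secret: bytes,
                    unix_time: int, digits: int = 6) -> bool:
    """Verify a combined LDAP password field: both the password and the TOTP must be valid.
    Both checks are evaluated before returning so a wrong password does not short-circuit."""
    parts = split_password_and_code(field, digits)
    if parts is None:
        return False
    password, code = parts
    password_ok = hmac.compare_digest(password.encode(), stored_password.encode())
    code_ok = verify_totp(secret, code, unix_time, digits=digits)
    return password_ok and code_ok


if __name__ == "__main__":
    # At t=59 the RFC 6238 SHA-1 vector is 94287082; the 6-digit code is its last six digits.
    print(totp(SHARED_SECRET, 59))                                    # 287082
    print(check_ldap_bind("hunter2287082", STORED_PASSWORD, SHARED_SECRET, 59))
```

The drift window is the reason the page asks for a long enough timeout on LDAP applications: a code is only valid for its 30-second step plus the tolerance the verifier allows, so a slow bind can turn a correct code into a rejected one.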

To set up the allowed factors, use the URL:

https://admin-mydomain.trustelem.com/app#/security/auth

On this page, there are 3 parameters: Login, Auto-enroll and User can reset token.

Login parameter

For a chosen factor, you can activate the Login option for all users or for specific users.
When it is done:

  • the allowed users can use this factor for multi-factor authentication.

  • an administrator can enroll this factor for a user.

Auto-enroll parameter

For a chosen factor, you can activate the Auto-enroll option for all users or for specific users.
When it is done, the defined users are shown an enrollment page for this factor after each authentication.
The enrollment can be skipped, but it will be shown again at the next login.


User can reset token parameter

For a chosen factor, you can activate the User can reset token option for all users or for specific users.
When it is done, the defined users can reset this factor from their dashboard:

https://mydomain.trustelem.com/#security
