User Security Authentication Settings
You can enable users to perform certain tasks related to their accounts.
To access and enable the User Security Authentication Settings options:
- Log in to the Admin Portal, click Access > Policies, and select the policy set that you want to edit.
- Click User Security > Authentication Settings where you see the following options:
Authentication Settings
Available Settings | Description |
---|---|
Enable users to change their passwords | This policy determines whether users can change their passwords from the Account page, and is independent of the policies available under Password Reset. The default value "--" is equivalent to Yes. |
Authentication Profile required to change password | The profile needed to change password. |
Enable users to enroll FIDO2 Authenticators | This policy determines whether users can enroll FIDO2 authenticators to authenticate to Cloud Suite. Select Yes to display the Security Key and On-device Authenticator options to users. Select No to hide the Security Key and On-device Authenticator options from users. The default value "--" is equivalent to No. |
Require users to configure FIDO2 Security Key at sign in | If set to Yes, users must configure a FIDO2 security key after they log in and before they can access other areas of the Admin Portal. |
FIDO2 Security Key Display Name | Enter a name that will be familiar to your users (such as the name of the FIDO2 Security Keys used by your organization). |
Authentication Profile required to configure FIDO2 Authenticators | The profile needed to configure FIDO2 Authenticators. |
Enable users to configure an OATH OTP client (requires enabling OATH OTP policy) | This policy is typically used when you bulk upload OATH tokens (for example, those generated by a YubiKey). Select Yes to display the QR code to users. Select No to hide the QR code from users. The default value "--" is equivalent to Yes. Important: If you choose to not display the QR code, users without an enrolled device will not be able to scan the QR code and get a passcode pushed to their devices. In order for this policy to take effect, you also have to set the Security > OATH OTP > Allow OATH OTP policy to Yes. |
Require users to configure at sign in | If set to Yes, users must configure an OATH OTP client after they log in and before they can access other areas of the Admin Portal. |
OATH OTP Display Name | Enter a name that will be familiar to your users (such as the name of the OTP Client used by your organization). This value will be used throughout the UI wherever users configure or use an OTP Client. Note: This is only a label and does not prevent users from using other OATH Clients. |
Authentication Profile required to configure OATH OTP client | The profile needed to configure OATH OTP client. |
Enable users to configure Security Questions | This policy determines whether configuring security questions is required for users to authenticate using a security question. The default value is enabled and requires that users configure one security question. |
Require users to configure at sign in | If set to Yes, users must configure their security questions before they can access any areas of the Admin Portal after they log in. |
Allow duplicate security question answers | When this policy is disabled, existing questions remain, and duplicate answers that were provided before it was disabled are still allowed. |
Required number of user-defined questions | Specifies the number of questions from the user-generated security questions list that must be configured by users. |
Required number of admin-defined questions | Specifies the number of questions from the admin-generated security questions list that must be configured by users. |
Minimum number of characters required in answers | The minimum number of characters required in answers. |
Authentication Profile required to set security questions | The authentication profile required to set security questions. |
Require users to register device at sign in to use Mobile Authenticator (requires Permit Device Registration policy in Devices) | If set to Yes, users must register their mobile device when they log in so that they can use the Mobile Authenticator app. In order for this policy to take effect, you also have to set the Devices > Permit Device Registration policy to Yes. |