Supported MFA Methods
1. TOTP (Time-based One-Time Password)
-
Description:
A 6-digit one-time code generated by an authenticator app on the smartphone. - Examples of apps: Google Authenticator, Microsoft Authenticator
-
Setup:
The user scans a QR code and uses the app to generate codes. -
Security level:
High(recommended) -
Requirements:
- Smartphone access required
2. Email Verification Code
-
Description:
A one-time code is sent to the user's registered email address. -
Usage:
User enters the code received via email during login. -
Security level:
Low(less secure) -
Advantages:
- No app installation needed
- Simple for less tech-savvy users
-
Disadvantages:
- Possible delays in email delivery
- Less secure than app-based methods
3. Both Methods (TOTP & Email)
- If both methods are enabled:
- Users can choose their preferred MFA method
- A selection page for TOTP or Email appears during login
-
Security level:
Low(less secure)
Security Levels
| Enabled Methods | Security Level |
|---|---|
| TOTP Only | High |
| Email Only | Low |
| TOTP + Email | Low |
In the STP Cloud, TOTP is used by default for two-factor authentication.
TOTP is an authentication standard where the user reads a time-based code from a suitable app and provides it as a second factor during login. Possible apps for this include Microsoft Authenticator or Google Authenticator. The administrative configuration of two-factor authentication is done in the STP Cloud in the Identity Administrator.
Enabling Two-Factor Authentication
Two-factor authentication is activated by the license STP.MFA.Policy. The role STP.MFA.Policy.Role grants the corresponding permissions. Both are assigned by default.
How an Administrator Configures Email as Two-Factor Authentication
In the STP Cloud, Email can also be used as a method for two-factor authentication.
In this case, the user receives a one-time code via email, which they can use only once during login.
Note:
The use of the email method is not recommended as it offers a lower level of security than TOTP.
Enabling Email as Two-Factor Authentication
- Email authentication is activated via the license
STP.MFA.EMAIL.Policy. - The necessary permissions are granted via the role
STP.MFA.EMAIL.Policy.Role. -
By default, this license and role are not automatically assigned.
You must manually assign both components to the desired tenant to activate Email 2FA.
Configuration on the Identity Providers Page in the Identity Administrator
If 'Two-Factor Authentication' is activated via license, there is a section of the same name here. With the shown dropdown list, the administrator can set how the second factor should be used.
Possible Options
No Second Factor Enabled
No second factor is available. This setting is not recommended as it provides no additional security.
Second Factor Optional for All
This setting allows each user to decide whether they want to use two-factor authentication. This option provides only minimal additional protection and is not recommended.
Second Factor Mandatory for Administrators
This enforces the second factor for administrators. For all other users, it remains optional. This is the recommended minimum requirement as it ensures that at least the particularly security-relevant administrator accounts are additionally secured.
Second Factor Mandatory for All
This ensures that the second factor is used for all user accounts. This is the recommended option as it offers the highest security.
Security Level
You can view and select the appropriate security level based on your preferred MFA method.
If your tenant has been assigned the license for Email-based MFA, the email option is visible and selectable.
Related to