How an Administrator Configures Two-Factor Authentication

Supported MFA Methods

1. TOTP (Time-based One-Time Password)

  • Description:
    A 6-digit one-time code generated by an authenticator app on the smartphone.
  • Examples of apps: Google Authenticator, Microsoft Authenticator
  • Setup:
    The user scans a QR code and uses the app to generate codes.
  • Security level: High (recommended)
  • Requirements:
    • Smartphone access required

2. Email Verification Code

  • Description:
    A one-time code is sent to the user's registered email address.
  • Usage:
    User enters the code received via email during login.
  • Security level: Low (less secure)
  • Advantages:
    • No app installation needed
    • Simple for less tech-savvy users
  • Disadvantages:
    • Possible delays in email delivery
    • Less secure than app-based methods

3. Both Methods (TOTP & Email)

  • If both methods are enabled:
    • Users can choose their preferred MFA method
    • A selection page for TOTP or Email appears during login
  • Security level: Low (less secure)

Security Levels

Enabled Methods Security Level
TOTP Only High
Email Only Low
TOTP + Email Low

In the STP Cloud, TOTP is used by default for two-factor authentication.
TOTP is an authentication standard where the user reads a time-based code from a suitable app and provides it as a second factor during login. Possible apps for this include Microsoft Authenticator or Google Authenticator. The administrative configuration of two-factor authentication is done in the STP Cloud in the Identity Administrator.

Enabling Two-Factor Authentication

Two-factor authentication is activated by the license STP.MFA.Policy. The role STP.MFA.Policy.Role grants the corresponding permissions. Both are assigned by default.

How an Administrator Configures Email as Two-Factor Authentication

In the STP Cloud, Email can also be used as a method for two-factor authentication.
In this case, the user receives a one-time code via email, which they can use only once during login.

Note:
The use of the email method is not recommended as it offers a lower level of security than TOTP.

Enabling Email as Two-Factor Authentication

  • Email authentication is activated via the license STP.MFA.EMAIL.Policy.
  • The necessary permissions are granted via the role STP.MFA.EMAIL.Policy.Role.
  • By default, this license and role are not automatically assigned.
    You must manually assign both components to the desired tenant to activate Email 2FA.

Configuration on the Identity Providers Page in the Identity Administrator

Identity Administrator

If 'Two-Factor Authentication' is activated via license, there is a section of the same name here. With the shown dropdown list, the administrator can set how the second factor should be used.

Possible Options

No Second Factor Enabled

No second factor is available. This setting is not recommended as it provides no additional security.

Second Factor Optional for All

This setting allows each user to decide whether they want to use two-factor authentication. This option provides only minimal additional protection and is not recommended.

Second Factor Mandatory for Administrators

This enforces the second factor for administrators. For all other users, it remains optional. This is the recommended minimum requirement as it ensures that at least the particularly security-relevant administrator accounts are additionally secured.

Second Factor Mandatory for All

This ensures that the second factor is used for all user accounts. This is the recommended option as it offers the highest security.

Security Level

Identity Administrator

You can view and select the appropriate security level based on your preferred MFA method.

If your tenant has been assigned the license for Email-based MFA, the email option is visible and selectable.

Identity Administrator
This article has been automatically translated by an AI and may therefore contain errors.

Related to