How an administrator configures two-factor authentication

Supported MFA Methods

1. TOTP (Time-based One-Time Password)

  • Description:
    A 6-digit one-time password generated by an authenticator app on the user’s mobile device.
  • Examples of apps: Google Authenticator, Microsoft Authenticator
  • Setup:
    Users scan a QR code during setup and use the app to generate codes for sign in.
  • Security Level: High (recommended)
  • Requirements:
    • User must have access to a smartphone

2. Email Verification Code

  • Description:
    A one-time code is sent to the user’s registered email address.
  • Usage:
    User receives a code by email and enters it to complete the sign in.
  • Security Level: Low (less secure)
  • Pros:
    • No app installation required
    • Easy for less tech-savvy users
  • Cons:
    • Email delivery delays may occur
    • Less secure than app-based methods

3. Both TOTP & Email (Combined Mode)

  • If both methods are enabled for the tenant:
    • Users can choose their preferred MFA method
    • A selection page is shown at login to pick TOTP or Email
  • Security Level: Low (less secure)

Security Level Mapping

Enabled Methods Security Level
Only TOTP High
Only Email Low
TOTP + Email Low

In STP Cloud, TOTP is used as the default standard for two-factor authentication.
TOTP (Time-based One-Time Password) requires users to retrieve a time-based code from an authenticator app and enter it as the second factor during login.
Commonly used apps include Microsoft Authenticator and Google Authenticator.

Administrators can configure two-factor authentication for their tenants using the Identity Administrator in STP Cloud.

Enabling TOTP as Two-Factor Authentication

  • TOTP is enabled by assigning the STP.MFA.Policy license.
  • The corresponding authorizations are granted via the STP.MFA.Policy.Role role.
  • Both the license and the role are assigned by default.

How an Administrator Configures Email as Two-Factor Authentication

In STP Cloud, you can also use Email as a two-factor authentication method.
With this option, the user will receive a one-time code via email that can only be used once during login.

Note:
We do not recommend using Email as Two-Factor Authentication as it offers a lower level of security compared to TOTP.

Enabling Email as Two-Factor Authentication

  • Email Two-Factor Authentication is enabled by assigning the STP.MFA.EMAIL.Policy license.
  • The corresponding authorizations are granted via the STP.MFA.EMAIL.Policy.Role role.
  • By default, this license and role are not assigned to tenants.
    You must explicitly assign both to the target tenant to enable Email Two-Factor Authentication.

The configuration on the Identity Providers page in the Identity Administrator

Identity Administrator

If ‘Two-factor authentication (TOTP)’ has been activated by license, the area of the same name is available here. The administrator can use the drop-down list shown to set how the second factor is to be used.

Possible options

No second factor activated

A second factor is not available to any user. This setting is not recommended as it does not offer any additional security.

Second factor for all optional

This is set so that each user can decide for themselves whether they want to use two-factor authentication. This variant provides little additional protection and is not recommended.

Second factor mandatory for administrators

This enforces the second factor for administrators. It is still optional for all other users. This is the recommended minimum requirement, as it ensures that at least the particularly security-relevant administrator accounts are additionally secured.

Second factor mandatory for all

This ensures that the second factor is used for all user accounts. This is the recommended variant as it offers the highest level of security.

Security Level

Identity Administrator

You can view and select the appropriate security level based on your preferred MFA method.

If your tenant has been assigned the license for Email-based MFA, the Email option will be visible and selectable.

Identity Administrator

Related to