Supported MFA Methods
1. TOTP (Time-based One-Time Password)
- Description:
A 6-digit one-time password generated by an authenticator app on the user’s mobile device. - Examples of apps: Google Authenticator, Microsoft Authenticator
- Setup:
Users scan a QR code during setup and use the app to generate codes for sign in. - Security Level:
High(recommended) - Requirements:
- User must have access to a smartphone
2. Email Verification Code
- Description:
A one-time code is sent to the user’s registered email address. - Usage:
User receives a code by email and enters it to complete the sign in. - Security Level:
Low(less secure) - Pros:
- No app installation required
- Easy for less tech-savvy users
- Cons:
- Email delivery delays may occur
- Less secure than app-based methods
3. Both TOTP & Email (Combined Mode)
- If both methods are enabled for the tenant:
- Users can choose their preferred MFA method
- A selection page is shown at login to pick TOTP or Email
- Security Level:
Low(less secure)
Security Level Mapping
| Enabled Methods | Security Level |
|---|---|
| Only TOTP | High |
| Only Email | Low |
| TOTP + Email | Low |
In STP Cloud, TOTP is used as the default standard
for two-factor authentication.
TOTP (Time-based One-Time Password) requires users to retrieve a
time-based code from an authenticator app and enter it as the second
factor during login.
Commonly used apps include Microsoft Authenticator and
Google Authenticator.
Administrators can configure two-factor authentication for their tenants using the Identity Administrator in STP Cloud.
Enabling TOTP as Two-Factor Authentication
- TOTP is enabled by assigning the
STP.MFA.Policylicense. - The corresponding authorizations are granted via the
STP.MFA.Policy.Rolerole. - Both the license and the role are assigned by default.
How an Administrator Configures Email as Two-Factor Authentication
In STP Cloud, you can also use
Email as a two-factor authentication method.
With this option, the user will receive a one-time code via email that
can only be used once during login.
Note:
We do not recommend using Email as Two-Factor
Authentication as it offers a lower level of security compared
to TOTP.
Enabling Email as Two-Factor Authentication
- Email Two-Factor Authentication is enabled by assigning the
STP.MFA.EMAIL.Policylicense. - The corresponding authorizations are granted via the
STP.MFA.EMAIL.Policy.Rolerole. - By default, this license and role are not assigned
to tenants.
You must explicitly assign both to the target tenant to enable Email Two-Factor Authentication.
The configuration on the Identity Providers page in the Identity Administrator
If ‘Two-factor authentication (TOTP)’ has been activated by license, the area of the same name is available here. The administrator can use the drop-down list shown to set how the second factor is to be used.
Possible options
No second factor activated
A second factor is not available to any user. This setting is not recommended as it does not offer any additional security.
Second factor for all optional
This is set so that each user can decide for themselves whether they want to use two-factor authentication. This variant provides little additional protection and is not recommended.
Second factor mandatory for administrators
This enforces the second factor for administrators. It is still optional for all other users. This is the recommended minimum requirement, as it ensures that at least the particularly security-relevant administrator accounts are additionally secured.
Second factor mandatory for all
This ensures that the second factor is used for all user accounts. This is the recommended variant as it offers the highest level of security.
Security Level
You can view and select the appropriate security level based on your preferred MFA method.
If your tenant has been assigned the license for Email-based MFA, the Email option will be visible and selectable.
Related to