Multi-Factor Authentication (MFA) Options

Multi-Factor Authentication is utilized when Applications require two forms of Authentication to verify the identity of a user at Sign in. The Username and Password is the most standard form of Authentication. A second factor can be chosen from the options below.

The Optimal Cloud provides the following Multi-Factor Authentication options:

Email One-Time Passcode (OTP) - An email containing an OTP is sent to the user at the email address provided during registration of the user's account. The OTP is then entered to verify the user's identity.
SMS One-Time Passcode (OTP) - An SMS message containing an OTP is sent to the phone number provided during registration of the user's account. The OTP is then entered to verify the user's identity.
Voice One-Time Passcode (OTP) - A voice message containing an OTP is sent to the phone number provided during registration. The OTP is then entered to verify the user's identity.
PUSH via Optimal Authenticator - The user must register a device with the OptimalCloud and install the Optimal Authenticator application. When the user attempts to Login the Optimal Authenticator application receives a message from the OptimalCloud and pops up a dialog box requesting approval for Login. The user may approve or deny the request.
Time Based One-Time Passcode (TOTP) - This option is an OTP that is valid for a specific amount of time. The user must register a device with the OptimalCloud and install a Mobile Authentication application. The Optimal TOTP service works with any TOTP compliant authentication application including those available from Google, Microsoft, and the Optimal Authenticator which is available to download for free in app stores. When the user attempts to Login the Mobile Authentication application receives a message from the OptimalCloud and pops up a box containing the TOTP and a timer. The user must enter the TOTP in the Login screen before the timer expires. If the timer expires the user will receive a new TOTP.
Behavioral Biometrics - Patterns of typing biometrics data, also known as keystroke dynamics are used to verify user identity. A new user types their username multiple times to enroll typing patterns that are stored as a baseline of their typing behavior. When the user attempts to Login, they will be prompted to type their username and it is matched against the baseline.
Password and Pin - This method is used for Service Accounts allowing multiple users to use the same account. This authentication method uses a username, password and a PIN that is configured by an Admin. The account must be a member of the OFIS-ServiceAccounts group. For more information on setting up this method please enter a ticket with Optimal IdM Support.
Device Authentication - Authentication methods that use hardware-based authentication. The hardware authenticator can be one of the following options.
- FIDO2 Security Key - is an Authentication method using a Fast Identity Online (FIDO2) Security Key. To use this method you must first obtain a FIDO2 Security Key such as a YubiKey. To use a FIDO2 Security Key you must first install it on your Device following the vendor's instructions. This also includes support for U2F Security Keys.
- Windows Hello - is an Authentication method on a Windows Device using a PIN, facial recognition, or a fingerprint. To use this method you will need to configure the Windows Hello application on your device. For information on how to configure Windows Hello see the Learn about Windows Hello and set it up documentation.
- Touch ID - is an Authentication method on a Mac, iPhone or iPad that utilizes fingerprint recognition. To use this method you must first set up Touch ID on your Device. For information on how to configure Touch ID for the iPhone or iPad see the Use Touch ID on iPhone and iPad documentation. For information on how to configure Touch ID for the Mac see the Use Touch ID on Mac documentation.
- Face ID - is an Authentication method on an iPhone or iPad that utilizes facial recognition. To use this method you must first set up Face ID on your iPhone or iPad. For information on how to configure Touch ID for the iPhone or iPad see the Use Face ID on iPhone and iPad documentation.
- Android Phone - An Android mobile device (version 7.0 or later) and can also be used as an Authentication Device. This is restricted to Chrome browsers. See the Use your phone's built-in security key documentation for more details.

The SMS One-Time Passcode, the Voice One-Time Passcode, the Email Link, the SMS/Text Link and the Behavioral Biometrics form of Multi-Factor Authentication are only available if they have been enabled by your organization.

See the My Company Account/Tenant section for instructions on how to enable these options.

Enroll in Multi-Factor Authentication

The following Multi-Factor Options do not require enrollment if the information required has been entered during your OptimalCloud account registration:

Email One-Time Passcode (OTP) - If you have entered an email address during account registration no enrollment is needed for this option.
SMS One-Time Passcode (OTP) - If you have entered a mobile phone number during account registration no enrollment is needed for this option. This option is only available if it has been enabled by your organization.
Voice One-Time Passcode (OTP) - If you have entered a mobile phone number during account registration no enrollment is needed for this option. This option is only available if it has been enabled by your organization.

If you have not entered any of the required pieces of information, please go to the My Profile tab under Account Settings to enter this information.

Enroll a Device/Token for MFA Options

This section provides users with instructions on how to add a device and select the MFA options to be associated with that device. Users may enroll a device to use for the Time Based One Time Passcode (TOTP), PUSH, or Device Authentication MFA Options.

Navigate to the Account Settings Tab.

Account Setting Tab

Click on the Multi-Factor Token/Device Options application and the Multi-Factor Login Page will be presented.

MFA Page - Email

Choose any MFA method and authenticate as described for that method in the Authenticate with MFA Options section. Once you have authenticated with an MFA option, you will be presented with the Multi-Factor Authentication Device/Token Management page.

Manage TokenDevice Page

Click on the Add Token Device Button button and the Multi-Factor Authentication Add Device page will be presented.

The following MFA options are available to be selected for your device:

Push Notification & Time-based onetime passcode (TOTP) - This option allows the user to use either Push Notification or Time-based onetime passcode authentication on the specified device.

This option requires the installation of the Optimal Authenticator Application which is available to download for free in app stores. The Optimal Authenticator works for all Android, Windows and IOS operating systems.

Time-based onetime passcode - This option allows the user to use only Time-based onetime passcode authentication on the specified device. This option requires the installation of a TOTP agent which are implemented by Optimal, Google, Microsoft or any TOTP Authentication software that follows the TOTP Standard.
Device Authentication - This option allows the user to authenticate using Authentication methods that use hardware-based authentication. This method supports using a Hardware Device (U2F/FIDO2), Windows Hello, TouchID or FaceID. Prior to enrolling your device you will need to have and install a Hardware Device (U2F/FIDO2) or set up Windows Hello, TouchID, or FaceID on your device.

PUSH and Time-Based Onetime Passcode

View one of the videos below or follow the instructions to set up MFA via PUSH.

How to add and use PUSH Notifications.

How to setup a Third Party TOTP

Select the Push notification & Time-based onetime passcode Option below and click the MFA Next button.

MFA Add Device Page

You will now be requested to enter the type of your device and a name for the device.

MFA Add Device Page 2

Select the type of device you wish to register.

Enter the name for the device in the Device Name field. This field is required.

Click the MFA Next button to proceed.

You will be presented with a QR Code to scan from your device.

MFA Add Device Page 3

Open the Optimal Authenticator Application on your device. Hit the "+" button and then "Scan QR code" button. Place your device camera over the QR code.

If the scan does not work, hit the "Input manually" button and enter the text from the Secret field on the Multi-Factor Authentication Add Device page as shown above.

Once the QR code is scanned or the Secret is manually entered you will receive a message on your device that the device has been successfully registered.

Hit the Return to Device Mangement button button to return to the Multi-Factor Device/Token Management page.

Manage Token Device Page 2

The device that was registered will now be shown in the list of managed devices on the Multi-factor Authentication Device/Token Management page. The name of the device, which MFA options were selected, and the date the device was registered are displayed.

Click the Test MFA button button to verify that the device has been set up correctly. To perform the test please see the Authenticate with MFA Options section for the type of MFA Authentication selected.

Device Authentication

Select the Device Authentication method below and click the MFA Next button.

MFA Add Device Page 4

Continue with the instructions for the type of MFA Device you are enrolling.

FIDO2 Security Key for Windows System

To enroll an MFA Device in the OptimalCloud that uses this method you must have first obtained a FIDO2 Security Key such as a YubiKey and install it on your Device.

View the video below or continue with the following instructions.

The Device Type has been preselected. Insert your Security Key.

Add MFA Device Page 5

Enter the Device Name and Click the MFA Next button. The Security Key setup popup will be presented.

If you have Windows Hello installed on your Windows System you will see a popup to set up the Device using Windows Hello.

Use Windows Hello 2

Click the Cancel Button button and the Security Key setup popup will be presented.

If you do not have Windows Hello configured you will see the Security Key setup Popup.

Security Key Setup Msg

To set up your security key to sign in to OptimalCloud, click the OK Button button.

The following popup will be presented.

Security Key Touch Msg

Press your finger on your Security Key.

If your Security Key uses another activation method, follow those instructions.

The MFA Device/Token Management page will now be shown with the Security Key entry added.

Manage Token Device Page 3

FIDO2 Security Key for MacBook

To enroll an MFA Device in the OptimalCloud that uses this method you must have first obtained a FIDO2 Security Key such as a YubiKey and install it on your Device.

The Device Type has been preselected. Insert your Security Key.

Enable Security Key Apple laptop 1

Enter the Device Name and Click the MFA Next button.

If your Mac is configured with Touch ID the following popup will appear.

Enable Security Key Apple laptop 2

Click on the Other Options Link link and the following popup will appear.

Enable Security Key Apple laptop 3

Select the Security Key option and click the Continue Button button.

The following popup will appear.

Enable Security Key Apple laptop 4

You will be asked if you want to allow the OptimalCloud to start using a Security Key to sign in.

Press your finger on the Security Key.

If your Security Key uses another activation method, follow those instructions.

You will be redirected back to the MFA Device/Token Management page. The Security Key will now appear as a Device in the table.

Enable Security Key Apple laptop 6

FIDO2 Security Key for iPhone and iPad

To enroll an MFA Device in the OptimalCloud that uses this method you must have first obtained a FIDO2 Security Key such as a YubiKey and install it on your Device.

The Device Type has been preselected.

Enable Security Key iphone 1

Enter the Device Name and click the MFA Next button.

If your iPad or iPhone has Face ID or Touch ID installed you will see the following popup appear.

You will be asked to use Touch ID or Face ID depending on which is installed on your Device.

Enable Security Key iphone 2

Click the Use Security Key link and the following popup will appear.

Enable Security Key iphone 3

You will be asked if you want to allow the OptimalCloud to start using a Security Key to sign in.

For an iPad Insert and activate your Security Key or bring your Security Key near the top of your iPhone.

You will be redirected back to the MFA Device/Token Management page. The Security Key will now appear as a Device in the table.

Enable Security Key Apple laptop 6

Windows Hello

To use this method you will need to configure the Windows Hello application on your device. For information on how to configure Windows Hello see the Learn about Windows Hello and set it up documentation. You may use any Windows Hello option that is configured to enroll the Device.

View the video or follow the instructions below.

The Device Type has been preselected.

Enable Windows Hello 1

Enter the Device Name and click the MFA Next button.

The popup shown below will appear. If the fingerprint option has been enabled during the Windows Hello configuration, you will be asked to scan your finger. This is the Windows Hello preferred option and will always be presented first if configured.

Enable Window Hello 2

To set up Windows Hello to signin to the OptimalCloud, scan your finger on the fingerprint reader and the new device will be added to the Device/Token Management table as shown below.

Enable Window Hello 3

If you do not want to enroll your device using the fingerprint option, click the Windows Hello More Choices link and the other options that were configured will be presented as shown below.

Enable Window Hello 4

In this case the PIN was the only other option configured. Selecting that option will present a data entry field to enter the PIN as shown below.

Enable Windows Hello 5

Entering the PIN would also result in the Device being added to the Device/Token Management Table.

If you have forgotten your PIN, click the Windows Hello Forgot PIN link and follow the presented instructions.

Touch ID MacBook

To use this method you must first set up Touch ID on your Device.

For information on how to configure Touch ID for the Mac see the Use Touch ID on Mac documentation.

The Device Type has been preselected.

Enable TouchID laptop 1

Enter the Device Name and click the MFA Next button. The following popup will be presented.

Enable TouchID laptop 2

You will be asked if you want to allow the OptimalCloud to use Touch ID.

To set up a Device using another MFA option click the Other Options Link link and other previously installed choices will be presented.

To continue setting up a Device using Touch ID place your finger on the Touch ID button on your keyboard.

The following popup will appear. The system is setting up your Device.

Enable TouchID laptop 3

When the Device set up is completed, you will be redirected to the MFA Device/Token Management page and the laptop Device will be shown in the MFA Device/Token Management table.

Enable TouchID laptop 4

Touch ID iPad and iPhone

To use this method you must first set up Touch ID on your Device.

For information on how to configure Touch ID for the iPhone or iPad see the Use Touch ID on iPhone and iPad documentation.

The Device Type has been preselected.

Enable TouchID iPad 1

Enter the Device Name and click the MFA Next button. The following popup will be presented.

Enable TouchID iPad 2

You will be asked if you want to allow the OptimalCloud to use Touch ID.

To continue setting up a Device using Touch ID place your finger on the Touch ID button on your keyboard. This will be the Home button or the Power button depending on your Device.

The following popup will appear when the system has finished enrolling your Device.

Enable TouchID iPad 3

You will be redirected to the MFA Device/Token Management page and the iPad or iPhone Device will be shown in the MFA Device/Token Management table.

Enable TouchID iPad 4

Face ID iPhone and iPad

To enroll in this method you must first set up Face ID on your iPhone or iPad. For information on how to configure Touch ID for the iPhone or iPad see the Use Face ID on iPhone and iPad documentation.

The Device Type has been preselected.

Enable FaceID Phone 1

Enter the Device Name and click the MFA Next button. The iPhone has been used for this example.

The following popup will be presented.

Enable FaceID Phone 2

If you would like to enroll this Device using the Security Key option, click the Use Security Key link.

To continue to enroll this Device using Face ID click on the Continue Button button and the following popup will appear.

Enable FaceID Phone 3

You will be asked if you want to allow the OptimalCloud to use Face ID.

To continue setting up a Device using Face ID, scan your face with your iPhone or iPad. For instructions on how to do this please see the see the Use Face ID on iPhone and iPad documentation.

The following popup will appear showing that the system is setting up your Device.

Enable FaceID Phone 4

When the system is finished setting up your Device the following popup will appear.

Enable FaceID Phone 5

You will be redirected to the MFA Device/Token Management page and the iPad or iPhone Device will be shown in the MFA Device/Token Management table.

Enable FaceID Phone 6

Delete a Device/Token

Clicking on the MFA Delete Device Action button will present the Delete Device message. The name of the Device to be deleted will be shown in the Device Name field.

Device Delete page

Type "YES" in the box and click on the Device Delete yes button button.

Device Delete YES box

The following message will appear when the device has been successfully deleted.

Delete Device Success Msg

The deleted device will no longer appear on the Multi-Factor Authentication Device/Token Management page.

Enroll in Behavioral Biometrics MFA Options

This section provides users with instructions on how to enroll in the Behavioral Biometrics MFA Option.

To enroll in this option it must be enabled for your Tenant.

Follow the instructions below or view the video for an example of this process.

Navigate to the Account Settings Tab.

Account Setting Tab

Click on the Behavioral Biometrics Options application and the Multi-Factor Login Page will be presented.

MFA Page - Email

Choose any MFA method and authenticate as described for that method in the Authenticate with MFA Options section. Once you have authenticated with an MFA option, the Behavioral Biometrics Management page will be presented.

Behavioral Biometrics page

The Behavioral Biometrics MFA option uses behavioral biometrics data, also known as keystroke data to verify user identity. To enroll in this option, type your username in the fields provided exactly as you do when you Login. The Behavioral Biometrics uses these entries to establish a baseline.

When the page is presented the #Patterns Registered field shows zero. You must have a least 5 sample patterns registered in order to use this MFA option.

Behavioral Biometrics No Enrollments msg

Type your username in the Pattern Entry fields provided. Your username is shown in the Username field.

The username that you type must match the username shown on the page.

If the pattern you type does not match, the following message will be displayed Username does not Match msg

Clear the unmatched character and continue to type your username in that field until the pattern is accepted. You do not have to clear and retype the Pattern Entry fields that have already been accepted.

Continue until the typed patterns in all of the Pattern Entry fields have been accepted as shown below.

The # Patterns Registered field will show the number of your saved typing patterns.

Behavioral Biometrics Patterns Saved

When all of the patterns have been saved and the # Patterns Registered field shows 5, you will see this message.

Enough Enrollments msg

The Pattern Entry Fields are for entering the typing patterns only. The typing patterns will not continue to be displayed once you have left this page. The # Patterns Registered field will continue to show the number of your saved typing patterns.

Delete Behavioral Biometrics Enrollments

To delete your Behavioral Biometrics Enrollments navigate to the Behavioral Biometrics Management page.

Your typing patterns are no longer displayed. The # Patterns Registered field contains the number of your typing patterns that have been saved.

Behavioral Biometrics Return page

Click the Behavioral Biometrics Delete Enrollments button button and the yellow message below will be presented.

Behavioral Biometrics Delete Patterns msg

You must type "YES" in the box and click the Yes Delete Patterns Button button as shown below.

Behavioral Biometrics Delete Patterns Yes msg

The number of enrollment patterns in the # Patterns Registered field will now show zero and you will be returned to the Behavioral Biometrics Management page to enter more enrollment patterns.

Authenticate with MFA Options

To Login to the OptimalCloud you will be prompted to enter your username.

Enter your username and click the MFA Next button.

For Service Accounts enter the username provided to you.

Depending on how your Tenant is configured you may be prompted in one of the following ways:

1) Enter your password to Login. 2) Enter your password and then one of the following authentication methods as a second factor to Login. 3) Enter one of the following authentication methods to Login. 4) Enter one of the following methods and then another one as a second factor to Login.

After Login you may be prompted to use one of these authentication methods to access a specific application.

SMS/Text OTP

To use this option it must be enabled for your Tenant.

When Multi-Factor Login is required, the Multi-Factor Login Page is presented.

MFA Page - SMS

Select the "SMS/Text" option. The mobile phone number that was entered during account registration will be partially shown.

Click the Send Passcode button button and an SMS/Text message containing the One-Time Passcode (OTP) will be sent to the mobile phone number specified. A "passcode sent" message will appear on the page.

If you do not receive an email with the OTP, click the Didn't receive OPT button to send another SMS/Text message.

When you do receive the SMS/Text message, enter the OTP in the One-Time Passcode box.

Click the Verify button button to verify the OTP.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

Voice OTP

To use this option it must be enabled for your Tenant.

When Multi-Factor Login is required, the Multi-Factor Login Page is presented.

MFA Page - Voice

Select the "Voice Call" option. The mobile phone number that was entered during account registration will be partially shown.

If you entered both a mobile phone number and a land line phone number during account registration, the drop down box will allow you to select which phone number to use as shown in the diagram below. Select the phone number.

Mulit Phone

Click the Send Passcode button button and an Voice Call containing the One-Time Passcode (OTP) will be sent to the phone number specified. A "passcode sent" message will appear on the page.

If you do not receive an Voice Call with the OTP, click the Didn't receive OPT button to send another Voice Call.

When you do receive the Voice Call, enter the OTP in the One-Time Passcode box.

Click the Verify button button to verify the OTP.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

Email OTP

When Multi-Factor Login is required, the Multi-Factor Login Page is presented.

MFA Page - Email

Select the "Email" option. The email that was entered during account registration will be partially shown.

Click the Send Passcode button button and an email containing the One-Time Passcode (OTP) will be sent to the email address specified. A "passcode sent" message will appear on the page.

If you do not receive an email with the OTP, click the Didn't receive OPT button to send another email.

When you do receive the email, enter the OTP in the One-Time Passcode box.

(note this one-time pass-code is only valid for one (1) use and only for the next 60 minutes)

Click the Verify button button to verify the OTP.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

PUSH

When Multi-Factor Login is required, the Multi-Factor Login Page is presented.

If you have registered a device to use the PUSH MFA option the Multi-Factor Login page containing the Push option will be presented.

PUSH and TOTP page

The name of the device that has been registered will appear next to the "Push to Mobile Device" option. If more than one device has been registered the dropdown box will present the possible selections for the device to be used in the authentication.

Open the Optimal Authenticator application on your registered device.

Select the "Push to Mobile Device" option and Click the Verify button button.

The following message will be displayed. PUSH message sent

The Optimal Authenticator application will present the following image on the registered device:

PUSH approve deny

If you do not press the PUSH Approve button button within the time limit the PUSH authentication will expire and an error message will be presented on the Multi-Factor Login page.

Click the Verify button button to perform the PUSH authentication again.

Press the PUSH Approve button button to complete the authentication.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

Time-Based Onetime Passcode

When Multi-Factor Login is required, the Multi-Factor Login Page is presented.

If you have registered a device to use the TOTP MFA option the Multi-Factor Login page containing the TOTP option will be presented. These instructions use the Optimal Authenticator application.

TOTP MFA Page

The name of the device that has been registered will appear next to the "TOTP Mobile/Windows App" option. If more than one device has been registered the dropdown box will present the possible selections for the device to be used in the authentication.

Select the "Push to Mobile Device" option.

Open the Optimal Authenticator application on the selected device. The Optimal Authenticator will present a Time-based Onetime passcode and a clock showing the amount of time that the passcode is valid.

TOTP on device

Enter the Onetime Passcode in the the box on the Multi-Factor Login page and click the Verify button button.

If the time for the Onetime Passcode has expires before it has been entered an error message will be presented.

Return to the Optimal Authenticator on the device to obtain a new Onetime Passcode.

Enter the Onetime passcode and click the Verify button button before the time expires.

TOTP passcode page

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

Password and PIN

This method is used for Service Accounts allowing multiple users to use the same account. To use this authentication method a username, password and a PIN must be configured by an Admin. The account must be a member of the OFIS-ServiceAccounts group.

The Multi-Factor Login page with the Password + PIN option will be presented. Select that option and the PIN entry box will be presented.

Password and Pin Authn

Enter the password and the PIN that has been provided to you.

Click the Verify button button.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

Device Authentication

When Multi-Factor Login is required, the Multi-Factor Login Page is presented.

If you have enrolled a Device for Device Authentication, the Multi-Factor Authentication page containing the Device Authentication options will be presented.

Click on the Device Authentication option. If you have multiple Devices enrolled, the dropdown will allow you to choose which device to use.

FIDO2 Security Key for Windows System

To use this method of authentication you must have installed a FIDO2 Security Key on your Device and enrolled a Security Key Device in the OptimalCloud MFA Device/Token Management.

Device Auth MFA Page

Click on the Device Authentication option as shown above. Verify that the correct Device is shown in the dropdown and click the Verif button button. The following message will be presented.

Security Key Make Sure It's you

Press your finger on the Security key and you will be signed in to the selected application.

If your Security Key uses another method of activation, follow those instructions.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

FIDO2 Security Key for MacBook

To use this method of authentication you must have installed a FIDO2 Security Key on your Device and enrolled a Security Key Device in the OptimalCloud MFA Device/Token Management.

Use Security Key Apple laptop 1

Click on the Device Authentication option as shown above. Verify that the correct Device is shown in the dropdown and click the Verify button button. The following message will be presented.

Use Security Key Apple laptop 2

Select the Security Key option and click the Continue Button button.

The following popup will appear.

Use Security Key Apple laptop 3

Insert and activate your security key by pressing your finger on the key.

If your Security Key uses another method of activation, follow those instructions.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

FIDO2 Security Key for iPhone and iPad

To use this method of authentication you must have installed a FIDO2 Security Key on your Device and enrolled a Security Key Device in the OptimalCloud MFA Device/Token Management.

Use Security Key iphone 1

Click on the Device Authentication option as shown above. Verify that the correct Device is shown in the dropdown and click the Verify button button. The following popup will be presented.

Use Security Key iphone 2

For an iPad Insert and activate your Security Key or bring your Security Key near the top of your iPhone.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application..

Windows Hello

To use this option you must first have installed Windows Hello on your system and enrolled a Windows Hello Device in the OptimalCloud MFA Device/Token Management..

Use Windows Hello 1

Click on the Device Authentication option as shown above. Verify that the correct Device is shown in the dropdown and click the Verify button button. The following popup will be presented.

Use Windows Hello 2

When using Windows Hello you may authenticate with any of the Windows Hello options that have been previously configured.

If you would like to continue with the fingerprint option, scan your finger on the fingerprint reader and you will be signed in to the selected application.

If you would like to use an alternate Windows Hello option for authentication, click on the Windows Hello More Choices link and a popup showing more options will be presented.

Use Windows Hello 3

In this example the PIN is the only other option that has been configured. Clicking on the PIN option will present the data entry field as shown below. Enter your PIN and you will now be directed to the OptimalCloud Portal page or signed in to the selected application.

Use Windows Hello 4

If you have forgotten your PIN, click on the Windows Hello Forgot PIN link and follow the presented instructions.

Touch ID MacBook

To use this method you must first set up Touch ID on your Device and enrolled a Touch ID Device in the OptimalCloud MFA Device/Token Management. .

For information on how to configure Touch ID for the Mac see the Use Touch ID on Mac documentation.

Use TouchID laptop 1

Click on the Device Authentication option as shown above. Verify that the correct Device is shown in the dropdown and click the Verify button button. The following popup will be presented.

Use TouchID laptop 2

To use another MFA option click the Other Sign In Options link and other previously installed options will be presented.

To continue using Touch ID press your finger on the Touch ID button on your Keyboard.

The following message will appear in the popup.

Use TouchID laptop 3

When the process in completed you will now be directed to the OptimalCloud Portal page or signed in to the selected application..

Touch ID iPad and iPhone

To use this method you must first set up Touch ID on your Device and enrolled a Touch ID Device in the OptimalCloud MFA Device/Token Management. .

For information on how to configure Touch ID for the iPhone or iPad see the Use Touch ID on iPhone and iPad documentation.

Use TouchID ipad 1

Click on the Device Authentication option as shown above. Verify that the correct Device is shown in the dropdown and click the Verify button button. The following popup will be presented.

Use TouchID iPad 2

To Sign in with another method click on the "Other account".

To continue with Touch ID, press your finger on the Touch ID button for your Device.

The following message will appear on the popup.

Use TouchID iPad 3

When the Sign in process has completed the following message will appear.

Use TouchID iPad 4

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

Face ID iPhone and iPad

To use this method you must first set up Face ID on your iPhone or iPad and enroll a Device in the OptimalCloud. For information on how to configure Touch ID for the iPhone or iPad see the Use Face ID on iPhone and iPad documentation.

The iPhone has been used for this example.

Use FaceID Phone 1

Click on the Device Authentication option as shown above. Verify that the correct Device is shown in the dropdown and click the Verify button button. The following popup will be presented.

Use FaceID Phone 2

You will be asked if you want to sign in.

If you have a Security Key set up you may use that method by clicking on the Use Security Key link.

To continue signing in with Face ID click the Continue Button button.

The following popup will appear.

Use FaceID Phone 3

You will be asked if you want to sign in using Face ID.

To sign in using Face ID, scan your face with your iPhone or iPad. For instructions on how to do this please see the see the Use Face ID on iPhone and iPad documentation.

The following popup will appear showing that the system is processing your Facial recognition.

Use FaceID Phone 4

When your sign in process is complete the following popup will appear.

Use FaceID Phone 5

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

Behavioral Biometrics

To use this option it must be enabled for your Tenant.

If you have enrolled in the Behavioral Biometrics MFA option and attempt one of the below actions

1) Login to the OptimalCloud and a Multi-Factor option is required for your Tenant 2) Click on an application that requires MFA

the Multi-Factor Authentication page containing the Behavioral Biometrics option will be presented.

Select the Behavioral Biometrics option and the entry field for your username will be presented.

Behavioral Biometrics username Login

Type your username in the entry field provided and click the Verify button button.

Behavioral Biometrics username filled in

If the authentication fails because the typing patterns do not match, the following messages will appear on the page.

Behavioral Biometrics Login Fail

Please clear the username field and type your username again.

Click the Verify button button.

Upon successful match of the typing patterns, you will now be directed to the OptimalCloud Portal page or signed in to the selected application.

You can Login without typing in your password

If you have registered Behavioral Biometric patterns, and DO NOT set the remember me toggle when entering your username on the Login page, the typing pattern from typing in your username will be compared to the typing patterns you have registered.

If the typing patterns match you will be presented with the Portal page or an MFA options list depending on whether your Tenant is configured for MFA on Login. If the typing patterns do not match, you will be presented with the password entry field or an MFA options list depending on whether your Tenant is configured for Adaptive Authentication.