Multi-Factor Authentication (MFA) Options

Multi-Factor Authentication is utilized when Applications require two forms of Authentication to verify the identity of a user at Sign in. The Username and Password is the most standard form of Authentication. A second factor can be chosen from the options below.

The Optimal Cloud provides the following Multi-Factor Authentication options:

• Email One-Time Passcode (OTP) - An email containing an OTP is sent to the user at the email address provided during registration of the user's account. The OTP is then entered to verify the user's identity.
• SMS One-Time Passcode (OTP) - An SMS message containing an OTP is sent to the phone number provided during registration of the user's account. The OTP is then entered to verify the user's identity.
• Voice One-Time Passcode (OTP) - A voice message containing an OTP is sent to the phone number provided during registration. The OTP is then entered to verify the user's identity.
• PUSH via Optimal Authenticator - The user must register a device with the OptimalCloud and install the Optimal Authenticator application. When the user attempts to Login the Optimal Authenticator application receives a message from the OptimalCloud and pops up a dialog box requesting approval for Login. The user may approve or deny the request.
• Time Based One-Time Passcode (TOTP) - This option is an OTP that is valid for a specific amount of time. The user must register a device with the OptimalCloud and install a Mobile Authentication application. The Optimal TOTP service works with any TOTP compliant authentication application including those available from Google, Microsoft, and the Optimal Authenticator which is available to download for free in app stores. When the user attempts to Login the Mobile Authentication application receives a message from the OptimalCloud and pops up a box containing the TOTP and a timer. The user must enter the TOTP in the Login screen before the timer expires. If the timer expires the user will receive a new TOTP.
• Behavioral Biometrics - Patterns of typing biometrics data, also known as keystroke dynamics are used to verify user identity. A new user types their username multiple times to enroll typing patterns that are stored as a baseline of their typing behavior. When the user attempts to Login, they will be prompted to type their username and it is matched against the baseline.
• Password and Pin - This method is used for Service Accounts allowing multiple users to use the same account. This authentication method uses a username, password and a PIN that is configured by an Admin. The account must be a member of the OFIS-ServiceAccounts group. For more information on setting up this method please contact support@optimalidm.com.

• Device Authentication - Authentication methods that use hardware-based authentication. The hardware authenticator can be one of the following options.

  • FIDO2 Security Key - is an Authentication method using a Fast Identity Online (FIDO2) Security Key. To use this method you must first obtain a FIDO2 Security Key such as a YubiKey. To use a FIDO2 Security Key you must first install it on your Device following the vendor's instructions. This also includes support for U2F Security Keys.
  • Windows Hello - is an Authentication method on a Windows Device using a PIN, facial recognition, or a fingerprint. To use this method you will need to configure the Windows Hello application on your device. For information on how to configure Windows Hello see the Learn about Windows Hello and set it up documentation.

  • Touch ID - is an Authentication method on a Mac, iPhone or iPad that utilizes fingerprint recognition. To use this method you must first set up Touch ID on your Device. For information on how to configure Touch ID for the iPhone or iPad see the Use Touch ID on iPhone and iPad documentation. For information on how to configure Touch ID for the Mac see the Use Touch ID on Mac documentation.

  • Face ID - is an Authentication method on an iPhone or iPad that utilizes facial recognition. To use this method you must first set up Face ID on your iPhone or iPad. For information on how to configure Touch ID for the iPhone or iPad see the Use Face ID on iPhone and iPad documentation.

  • Android Phone - An Android mobile device (version 7.0 or later) and can also be used as an Authentication Device. This is restricted to Chrome browsers. See the Use your phone's built-in security key documentation for more details.

See the My Company Account/Tenant section for instructions on how to enable these options.

Enroll in Multi-Factor Authentication

The following Multi-Factor Options do not require enrollment if the information required has been entered during your OptimalCloud account registration:

• Email One-Time Passcode (OTP) - If you have entered an email address during account registration no enrollment is needed for this option.
• SMS One-Time Passcode (OTP) - If you have entered a mobile phone number during account registration no enrollment is needed for this option. This option is only available if it has been enabled by your organization.
• Voice One-Time Passcode (OTP) - If you have entered a mobile phone number during account registration no enrollment is needed for this option. This option is only available if it has been enabled by your organization.

If you have not entered an any of the required pieces of information, please go to the My Profile tab under Account Settings to enter this information.

Enroll a Device/Token for MFA Options

This section provides instructions on how to add a device and select the MFA options to be associated with that device.

Navigate to the Account Settings Tab.

Click on the Multi-Factor Token/Device Options application and the Multi-Factor Login Page will be presented.

Choose any MFA method and authenticate as described for that method in the Authenticate with MFA Options section. Once you have authenticated with an MFA option, you will be presented with the Multi-Factor Authentication Device/Token Management page.

Click on the button and the Multi-Factor Authentication Add Device page will be presented.

The following MFA options are available to be selected for your device:

• Push Notification & Time-based onetime passcode (TOTP) - This option allows the user to use either Push Notification or Time-based onetime passcode authentication on the specified device.

• Time-based onetime passcode - This option allows the user to use only Time-based onetime passcode authentication on the specified device. This option requires the installation of a TOTP agent which are implemented by Optimal, Google, Microsoft or any TOTP Authentication software that follows the TOTP Standard.

• Device Authentication - This option allows the user to authenticate using Authentication methods that use hardware-based authentication. This method supports using a Hardware Device (U2F/FIDO2), Windows Hello, TouchID or FaceID. Prior to enrolling your device you will need to have and install a Hardware Device (U2F/FIDO2) or set up Windows Hello, TouchID, or FaceID on your device.

PUSH and Time-Based Onetime Passcode

View one of the videos below or follow the instructions to set up MFA via PUSH.

How to add and use PUSH Notifications.

How to setup a Third Party TOTP

Select the Push notification & Time-based onetime passcode Option below and click the button.

You will now be requested to enter the type of your device and a name for the device.

Select the type of device you wish to register.

Enter the name for the device in the Device Name field. This field is required.

Click the button to proceed.

You will be presented with a QR Code to scan from your device.

Open the Optimal Authenticator Application on your device. Hit the "+" button and then "Scan QR code" button. Place your device camera over the QR code.

If the scan does not work, hit the "Input manually" button and enter the text from the Secret field on the Multi-Factor Authentication Add Device page as shown above.

Once the QR code is scanned or the Secret is manually entered you will receive a message on your device that the device has been successfully registered.

Hit the button to return to the Multi-Factor Device/Token Management page.

The device that was registered will now be shown in the list of managed devices on the Multi-factor Authentication Device/Token Management page. The name of the device, which MFA options were selected, and the date the device was registered are displayed.

Click the button to verify that the device has been set up correctly. To perform the test please see the Authenticate with MFA Options section for the type of MFA Authentication selected.

Device Authentication

Select the Device Authentication method below and click the button.

Continue with the instructions for the type of MFA Device you are enrolling.

FIDO2 Security Key for Windows System

To enroll an MFA Device in the OptimalCloud that uses this method you must have first obtained a FIDO2 Security Key such as a YubiKey and install it on your Device.

View the video below or continue with the following instructions.

The Device Type has been preselected. Insert your Security Key.

Enter the Device Name and Click the button. The Security Key setup popup will be presented.

If you have Windows Hello installed on your Windows System you will see a popup to set up the Device using Windows Hello.

Click the button and the Security Key setup popup will be presented.

If you do not have Windows Hello configured you will see the Security Key setup Popup.

To set up your security key to sign in to OptimalCloud, click the button.

The following popup will be presented.

Press your finger on your Security Key.

If your Security Key uses another activation method, follow those instructions.

The MFA Device/Token Management page will now be shown with the Security Key entry added.

FIDO2 Security Key for MacBook

To enroll an MFA Device in the OptimalCloud that uses this method you must have first obtained a FIDO2 Security Key such as a YubiKey and install it on your Device.

The Device Type has been preselected. Insert your Security Key.

Enter the Device Name and Click the button.

If your Mac is configured with Touch ID the following popup will appear.

Click on the link and the following popup will appear.

Select the Security Key option and click the button.

The following popup will appear.

You will be asked if you want to allow the OptimalCloud to start using a Security Key to sign in.

Press your finger on the Security Key.

If your Security Key uses another activation method, follow those instructions.

You will be redirected back to the MFA Device/Token Management page. The Security Key will now appear as a Device in the table.

FIDO2 Security Key for iPhone and iPad

To enroll an MFA Device in the OptimalCloud that uses this method you must have first obtained a FIDO2 Security Key such as a YubiKey and install it on your Device.

The Device Type has been preselected.

Enter the Device Name and click the button.

If your iPad or iPhone has Face ID or Touch ID installed you will see the following popup appear.

You will be asked to use Touch ID or Face ID depending on which is installed on your Device.

Click the link and the following popup will appear.

You will be asked if you want to allow the OptimalCloud to start using a Security Key to sign in.

For an iPad Insert and activate your Security Key or bring your Security Key near the top of your iPhone.

You will be redirected back to the MFA Device/Token Management page. The Security Key will now appear as a Device in the table.

Windows Hello

To use this method you will need to configure the Windows Hello application on your device. For information on how to configure Windows Hello see the Learn about Windows Hello and set it up documentation. You may use any Windows Hello option that is configured to enroll the Device.

View the video or follow the instructions below.

The Device Type has been preselected.

Enter the Device Name and click the button.

The popup shown below will appear. If the fingerprint option has been enabled during the Windows Hello configuration, you will be asked to scan your finger. This is the Windows Hello preferred option and will always be presented first if configured.

To set up Windows Hello to signin to the OptimalCloud, scan your finger on the fingerprint reader and the new device will be added to the Device/Token Management table as shown below.

If you do not want to enroll your device using the fingerprint option, click the link and the other options that were configured will be presented as shown below.

In this case the PIN was the only other option configured. Selecting that option will present a data entry field to enter the PIN as shown below.

Entering the PIN would also result in the Device being added to the Device/Token Management Table.

If you have forgotten your PIN, click the link and follow the presented instructions.

Touch ID MacBook

To use this method you must first set up Touch ID on your Device.

For information on how to configure Touch ID for the Mac see the Use Touch ID on Mac documentation.

The Device Type has been preselected.

Enter the Device Name and click the button. The following popup will be presented.

You will be asked if you want to allow the OptimalCloud to use Touch ID.

To set up a Device using another MFA option click the link and other previously installed choices will be presented.

To continue setting up a Device using Touch ID place your finger on the Touch ID button on your keyboard.

The following popup will appear. The system is setting up your Device.

When the Device set up is completed, you will be redirected to the MFA Device/Token Management page and the laptop Device will be shown in the MFA Device/Token Management table.

Touch ID iPad and iPhone

To use this method you must first set up Touch ID on your Device.

For information on how to configure Touch ID for the iPhone or iPad see the Use Touch ID on iPhone and iPad documentation.

The Device Type has been preselected.

Enter the Device Name and click the button. The following popup will be presented.

You will be asked if you want to allow the OptimalCloud to use Touch ID.

To continue setting up a Device using Touch ID place your finger on the Touch ID button on your keyboard. This will be the Home button or the Power button depending on your Device.

The following popup will appear when the system has finished enrolling your Device.

You will be redirected to the MFA Device/Token Management page and the iPad or iPhone Device will be shown in the MFA Device/Token Management table.

Face ID iPhone and iPad

To enroll in this method you must first set up Face ID on your iPhone or iPad. For information on how to configure Touch ID for the iPhone or iPad see the Use Face ID on iPhone and iPad documentation.

The Device Type has been preselected.

Enter the Device Name and click the button. The iPhone has been used for this example.

The following popup will be presented.

If you would like to enroll this Device using the Security Key option, click the link.

To continue to enroll this Device using Face ID click on the button and the following popup will appear.

You will be asked if you want to allow the OptimalCloud to use Face ID.

To continue setting up a Device using Face ID, scan your face with your iPhone or iPad. For instructions on how to do this please see the see the Use Face ID on iPhone and iPad documentation.

The following popup will appear showing that the system is setting up your Device.

When the system is finished setting up your Device the following popup will appear.

You will be redirected to the MFA Device/Token Management page and the iPad or iPhone Device will be shown in the MFA Device/Token Management table.

Delete a Device/Token

Clicking on the Action button will present the Delete Device message. The name of the Device to be deleted will be shown in the Device Name field.

Type "YES" in the box and click on the button.

The following message will appear when the device has been successfully deleted.

The deleted device will no longer appear on the Multi-Factor Authentication Device/Token Management page.

Enroll in Behavioral Biometrics MFA Options

This section provides instructions on how to enroll in the Behavioral Biometrics MFA Option. To enroll in this option it must be enabled for your Tenant.

Follow the instructions below or view the video for an example of this process.

Navigate to the Account Settings Tab.

Click on the Behavioral Biometrics Options application and the Multi-Factor Login Page will be presented.

Choose any MFA method and authenticate as described for that method in the Authenticate with MFA Options section. Once you have authenticated with an MFA option, the Behavioral Biometrics Management page will be presented.

The Behavioral Biometrics MFA option uses behavioral biometrics data, also known as keystroke data to verify user identity. To enroll in this option, type your username in the fields provided exactly as you do when you Login. The Behavioral Biometrics uses these entries to establish a baseline.

When the page is presented the #Patterns Registered field shows zero. You must have a least 5 sample patterns registered in order to use this MFA option.

Type your username in the Pattern Entry fields provided. Your username is shown in the Username field.

If the pattern you type does not match, the following message will be displayed

Clear the unmatched character and continue to type your username in that field until the pattern is accepted. You do not have to clear and retype the Pattern Entry fields that have already been accepted.

Continue until the typed patterns in all of the Pattern Entry fields have been accepted as shown below.

The # Patterns Registered field will show the number of your saved typing patterns.

When all of the patterns have been saved and the # Patterns Registered field shows 5, you will see this message.

The Pattern Entry Fields are for entering the typing patterns only. The typing patterns will not continue to be displayed once you have left this page. The # Patterns Registered field will continue to show the number of your saved typing patterns.

Delete Behavioral Biometrics Enrollments

To delete your Behavioral Biometrics Enrollments navigate to the Behavioral Biometrics Management page.

Your typing patterns are no longer displayed. The # Patterns Registered field contains the number of your typing patterns that have been saved.

Click the button and the yellow message below will be presented.

You must type "YES" in the box and click the button as shown below.

The number of enrollment patterns in the # Patterns Registered field will now show zero and you will be returned to the Behavioral Biometrics Management page to enter more enrollment patterns.

Authenticate with MFA Options

To Login to the OptimalCloud you will be prompted to enter your username.

Enter your username and click the button.

For Service Accounts enter the username provided to you.

Depending on how your Tenant is configured you may be prompted in one of the following ways:

1) Enter your password to Login. 2) Enter your password and then one of the following authentication methods as a second factor to Login. 3) Enter one of the following authentication methods to Login. 4) Enter one of the following methods and then another one as a second factor to Login.

After Login you may be prompted to use one of these authentication methods to access a specific application.

SMS/Text OTP

To use this option it must be enabled for your Tenant.

When Multi-Factor Login is required, the Multi-Factor Login Page is presented.

Select the "SMS/Text" option. The mobile phone number that was entered during account registration will be partially shown.

Click the button and an SMS/Text message containing the One-Time Passcode (OTP) will be sent to the mobile phone number specified. A "passcode sent" message will appear on the page.

If you do not receive an email with the OTP, click the button to send another SMS/Text message.

When you do receive the SMS/Text message, enter the OTP in the One-Time Passcode box.

Click the button to verify the OTP.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

Voice OTP

To use this option it must be enabled for your Tenant.

When Multi-Factor Login is required, the Multi-Factor Login Page is presented.

Select the "Voice Call" option. The mobile phone number that was entered during account registration will be partially shown.

If you entered both a mobile phone number and a land line phone number during account registration, the drop down box will allow you to select which phone number to use as shown in the diagram below. Select the phone number.

Click the button and an Voice Call containing the One-Time Passcode (OTP) will be sent to the phone number specified. A "passcode sent" message will appear on the page.

If you do not receive an Voice Call with the OTP, click the button to send another Voice Call.

When you do receive the Voice Call, enter the OTP in the One-Time Passcode box.

Click the button to verify the OTP.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

Email OTP

When Multi-Factor Login is required, the Multi-Factor Login Page is presented.

Select the "Email" option. The email that was entered during account registration will be partially shown.

Click the button and an email containing the One-Time Passcode (OTP) will be sent to the email address specified. A "passcode sent" message will appear on the page.

If you do not receive an email with the OTP, click the button to send another email.

When you do receive the email, enter the OTP in the One-Time Passcode box.

Click the button to verify the OTP.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

PUSH

When Multi-Factor Login is required, the Multi-Factor Login Page is presented.

If you have registered a device to use the PUSH MFA option the Multi-Factor Login page containing the Push option will be presented.

The name of the device that has been registered will appear next to the "Push to Mobile Device" option. If more than one device has been registered the dropdown box will present the possible selections for the device to be used in the authentication.

Open the Optimal Authenticator application on your registered device.

Select the "Push to Mobile Device" option and Click the button.

The following message will be displayed.

The Optimal Authenticator application will present the following image on the registered device:

If you do not press the button within the time limit the PUSH authentication will expire and an error message will be presented on the Multi-Factor Login page.

Click the button to perform the PUSH authentication again.

Press the button to complete the authentication.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

Time-Based Onetime Passcode

When Multi-Factor Login is required, the Multi-Factor Login Page is presented.

If you have registered a device to use the TOTP MFA option the Multi-Factor Login page containing the TOTP option will be presented. These instructions use the Optimal Authenticator application.

The name of the device that has been registered will appear next to the "TOTP Mobile/Windows App" option. If more than one device has been registered the dropdown box will present the possible selections for the device to be used in the authentication.

Select the "Push to Mobile Device" option.

Open the Optimal Authenticator application on the selected device. The Optimal Authenticator will present a Time-based Onetime passcode and a clock showing the amount of time that the passcode is valid.

Enter the Onetime Passcode in the the box on the Multi-Factor Login page and click the button.

If the time for the Onetime Passcode has expires before it has been entered an error message will be presented.

Return to the Optimal Authenticator on the device to obtain a new Onetime Passcode.

Enter the Onetime passcode and click the button before the time expires.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

Password and PIN

This method is used for Service Accounts allowing multiple users to use the same account. To use this authentication method a username, password and a PIN must be configured by an Admin. The account must be a member of the OFIS-ServiceAccounts group.

The Multi-Factor Login page with the Password + PIN option will be presented. Select that option and the PIN entry box will be presented.

Enter the password and the PIN that has been provided to you.

Click the button.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

Device Authentication

When Multi-Factor Login is required, the Multi-Factor Login Page is presented.

If you have enrolled a Device for Device Authentication, the Multi-Factor Authentication page containing the Device Authentication options will be presented.

Click on the Device Authentication option. If you have multiple Devices enrolled, the dropdown will allow you to choose which device to use.

FIDO2 Security Key for Windows System

To use this method of authentication you must have installed a FIDO2 Security Key on your Device and enrolled a Security Key Device in the OptimalCloud MFA Device/Token Management.

Click on the Device Authentication option as shown above. Verify that the correct Device is shown in the dropdown and click the button. The following message will be presented.

Press your finger on the Security key and you will be signed in to the selected application.

If your Security Key uses another method of activation, follow those instructions.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

FIDO2 Security Key for MacBook

To use this method of authentication you must have installed a FIDO2 Security Key on your Device and enrolled a Security Key Device in the OptimalCloud MFA Device/Token Management.

Click on the Device Authentication option as shown above. Verify that the correct Device is shown in the dropdown and click the button. The following message will be presented.

Select the Security Key option and click the button.

The following popup will appear.

Insert and activate your security key by pressing your finger on the key.

If your Security Key uses another method of activation, follow those instructions.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

FIDO2 Security Key for iPhone and iPad

To use this method of authentication you must have installed a FIDO2 Security Key on your Device and enrolled a Security Key Device in the OptimalCloud MFA Device/Token Management.

Click on the Device Authentication option as shown above. Verify that the correct Device is shown in the dropdown and click the button. The following popup will be presented.

For an iPad Insert and activate your Security Key or bring your Security Key near the top of your iPhone.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application..

Windows Hello

To use this option you must first have installed Windows Hello on your system and enrolled a Windows Hello Device in the OptimalCloud MFA Device/Token Management..

Click on the Device Authentication option as shown above. Verify that the correct Device is shown in the dropdown and click the button. The following popup will be presented.

When using Windows Hello you may authenticate with any of the Windows Hello options that have been previously configured.

If you would like to continue with the fingerprint option, scan your finger on the fingerprint reader and you will be signed in to the selected application.

If you would like to use an alternate Windows Hello option for authentication, click on the link and a popup showing more options will be presented.

In this example the PIN is the only other option that has been configured. Clicking on the PIN option will present the data entry field as shown below. Enter your PIN and you will now be directed to the OptimalCloud Portal page or signed in to the selected application.

If you have forgotten your PIN, click on the link and follow the presented instructions.

Touch ID MacBook

To use this method you must first set up Touch ID on your Device and enrolled a Touch ID Device in the OptimalCloud MFA Device/Token Management. .

For information on how to configure Touch ID for the Mac see the Use Touch ID on Mac documentation.

Click on the Device Authentication option as shown above. Verify that the correct Device is shown in the dropdown and click the button. The following popup will be presented.

To use another MFA option click the link and other previously installed options will be presented.

To continue using Touch ID press your finger on the Touch ID button on your Keyboard.

The following message will appear in the popup.

When the process in completed you will now be directed to the OptimalCloud Portal page or signed in to the selected application..

Touch ID iPad and iPhone

To use this method you must first set up Touch ID on your Device and enrolled a Touch ID Device in the OptimalCloud MFA Device/Token Management. .

For information on how to configure Touch ID for the iPhone or iPad see the Use Touch ID on iPhone and iPad documentation.

Click on the Device Authentication option as shown above. Verify that the correct Device is shown in the dropdown and click the button. The following popup will be presented.

To Sign in with another method click on the "Other account".

To continue with Touch ID, press your finger on the Touch ID button for your Device.

The following message will appear on the popup.

When the Sign in process has completed the following message will appear.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

Face ID iPhone and iPad

To use this method you must first set up Face ID on your iPhone or iPad and enroll a Device in the OptimalCloud. For information on how to configure Touch ID for the iPhone or iPad see the Use Face ID on iPhone and iPad documentation.

The iPhone has been used for this example.

Click on the Device Authentication option as shown above. Verify that the correct Device is shown in the dropdown and click the button. The following popup will be presented.

You will be asked if you want to sign in.

If you have a Security Key set up you may use that method by clicking on the link.

To continue signing in with Face ID click the button.

The following popup will appear.

You will be asked if you want to sign in using Face ID.

To sign in using Face ID, scan your face with your iPhone or iPad. For instructions on how to do this please see the see the Use Face ID on iPhone and iPad documentation.

The following popup will appear showing that the system is processing your Facial recognition.

When your sign in process is complete the following popup will appear.

You will now be directed to the OptimalCloud Portal page or signed in to the selected application.

Behavioral Biometrics

To use this option it must be enabled for your Tenant.

If you have enrolled in the Behavioral Biometrics MFA option and attempt one of the below actions

1) Login to the OptimalCloud and a Multi-Factor option is required for your Tenant 2) Click on an application that requires MFA

the Multi-Factor Authentication page containing the Behavioral Biometrics option will be presented.

Select the Behavioral Biometrics option and the entry field for your username will be presented.

Type your username in the entry field provided and click the button.

If the authentication fails because the typing patterns do not match, the following messages will appear on the page.

Please clear the username field and type your username again.

Click the button.

Upon successful match of the typing patterns, you will now be directed to the OptimalCloud Portal page or signed in to the selected application.

If you have registered Behavioral Biometric patterns, and DO NOT set the remember me toggle when entering your username on the Login page, the typing pattern from typing in your username will be compared to the typing patterns you have registered.

If the typing patterns match you will be presented with the Portal page or an MFA options list depending on whether your Tenant is configured for MFA on Login. If the typing patterns do not match, you will be presented with the password entry field or an MFA options list depending on whether your Tenant is configured for Adaptive Authentication.