On the User Details page, you will notice that you can toggle the MFA status of a user On or Off.
This article will expand upon this feature and how it can be utilized for your organization.
MFA ON
When MFA is toggled on for the user, the user must complete MFA each time they authenticate with Evo and Evo services. This includes both the Credential Provider and the Evo portal. Depending on how that user is configured, the user must provide one of the following:
- 6-digit Email OTP
- Evo Secure Login Mobile App 6-digit OTP or Push Notification
- 3rd Party Mobile Authenticator 6-digit OTP
- Hard Key 6-digit OTP (Yubikey or FEITIAN)
NOTE: You are unable to use Email OTP to authenticate with the Evo Credential Provider.
MFA OFF
When MFA is toggled off for the user, the user is no longer required to provide MFA when authenticating with Evo Services. This includes both the Credential Provider and the Evo Portal.
What happens if the machine with the Evo Credential Provider is offline?
Good question! With the Evo Credential Provider version 1.1.20, we now cache the previous state of an ONLINE machine login (with either MFA ON or MFA OFF) to determine what the user will see if they try to log in to the machine when it is offline. This is very important, as it tells the Evo Credential Provider how to operate in the event that the machine goes offline. Consider the following real-world scenarios to understand how this works:
Scenario 1 - MFA State Cached
User A will be without internet access in the coming days. User A requests that their MFA status be changed from "MFA On" to "MFA Off". The Evo Administrator completes this request. While User A's machine is still ONLINE, User A successfully logs into the Evo Credential Provider on the machine. This successfully caches the "MFA Off" state of the user. Now when the user's machine is OFFLINE, the user will be able to authenticate without providing MFA.
Scenario 2 - MFA State not Cached
User B will be without internet access in the coming days. User B requests that their MFA status be changed from "MFA On" to "MFA Off". The Evo Administrator completes this request. However, unlike User A, User B does NOT successfully complete an Evo Credential Provider login to their machine while it is still ONLINE. The machine has no way of knowing to cache this MFA state. Now when the user tries to authenticate with the Evo Credential Provider while the machine is OFFLINE, it will still operate as if User B's MFA status has not changed, and so it asks User B to provide an Offline Code in order to authenticate.
How long is this MFA state cached for?
The Evo Credential Provider will cache this information for 7 days. After these 7 days, the user must restore connectivity to the machine and refresh this setting with a successful ONLINE Evo Credential Provider Login.
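A model of the caching rule described above, added here as an example and not Evo's own code: the Machine class, the outcome strings and the timestamps are hypothetical. It goes one step beyond the two scenarios to show the same rule in reverse, where a cached "MFA Off" state keeps applying offline after an administrator switches MFA back on.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

CACHE_TTL = timedelta(days=7)  # cache lifetime stated in the article


@dataclass
class Machine:
    """Hypothetical model of one machine's cached MFA state (not Evo code)."""
    cached_mfa_on: bool    # MFA state seen at the last successful ONLINE login
    cached_at: datetime    # when that online login happened

    def online_login(self, server_mfa_on: bool, now: datetime) -> str:
        # A successful online login refreshes the cache from the server state.
        self.cached_mfa_on, self.cached_at = server_mfa_on, now
        return "mfa_required" if server_mfa_on else "no_mfa"

    def offline_login(self, now: datetime) -> str:
        # Offline, only the cache is consulted; the server toggle is invisible.
        if now - self.cached_at > CACHE_TTL:
            return "online_refresh_required"
        return "offline_code_required" if self.cached_mfa_on else "no_mfa"


def run_scenarios() -> dict:
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    day = timedelta(days=1)

    # Scenario 1: MFA toggled Off, then User A logs in online before going offline.
    a = Machine(cached_mfa_on=True, cached_at=t0)
    a.online_login(server_mfa_on=False, now=t0 + day)
    scenario_1 = a.offline_login(t0 + 3 * day)

    # Scenario 2: MFA toggled Off, but User B never logs in online afterwards.
    b = Machine(cached_mfa_on=True, cached_at=t0)
    scenario_2 = b.offline_login(t0 + 3 * day)

    # Same rule in reverse: the cache holds "MFA Off" and the admin later
    # toggles MFA On while the machine is offline. The cached state still applies.
    c = Machine(cached_mfa_on=False, cached_at=t0)
    stale_off = c.offline_login(t0 + 3 * day)

    # User A again, 8 days after the last online login: the cache has lapsed.
    expired = a.offline_login(t0 + 9 * day)

    return {"scenario_1": scenario_1, "scenario_2": scenario_2,
            "stale_off": stale_off, "expired": expired}
```

The "stale_off" case is the one to plan around when re-enabling MFA for a user: the change takes effect on a given machine only at its next successful ONLINE login or once the 7-day cache lapses.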