MFA (Multi-factor Authentication) Configuration

Administrators can configure how multi-factor authentication is applied within their organization.

Multi-factor authentication (MFA) is a method in which users must verify their identity in multiple ways, such as user name, password, and authentication code, to log in to the system.

MFA is ready for testing as of February 29.

To access MFA Configuration, go to Admin > Tools > Core Functions > Multi-factor Authentication.

General Settings - Online Help Link

When users log in and MFA is enabled, a Help link is available on the page. By default, this link opens Cornerstone's Online Help for this functionality. However, organizations may prefer to create a customized support page with specific, company-related help and instructions for users in their organization.

If your organization has created a customized support page to help users log in with multi-factor authentication, enter the URL for that page in this field.

General Settings - Skip the Multi-Factor Authentication on Subsequent Logins

This setting allows users to skip the multi-factor authentication on subsequent logins. The expiration time for this setting is 24 hours by default.

If this setting is enabled, users will see the Multi-Factor Authentication screen only for the first login attempt. After successfully logging in, the Multi-Factor Authentication screen will be bypassed for one day.

Include and Exclude Organizational Units and Users

Two sections control which organizational units (OUs) and users must log in with MFA: the Include Organizational Units and Users and Exclude Organizational Units and Users sections. The Exclude Organizational Units and Users section takes precedence, meaning that if a user is included in both sections, they are not required to log in with MFA.

Administrators may select the All users are required to login with MFA option. When this option is selected, administrators may still add users or OUs to the Exclude section since the Exclude section takes precedence.

Otherwise, administrators can select the Organization Units (OU) and Users tabs in each section to choose which OUs and users must log in with MFA. All child OUs are included by default when an OU is selected.

To avoid latency when logging in to the system, the maximum number of configurable OUs and users is limited:

  • Maximum number of Organizational Units (OUs) to Include - 40
  • Maximum number of Organizational Units (OUs) to Exclude - 10
  • Maximum number of individual users to Include - 100
  • Maximum number of individual users to Exclude - 100
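
The precedence rule and limits above can be modeled to audit which users end up able to log in without MFA, and why. This is an added example, not Cornerstone code or a product API; the class, function names, and sample OUs and users are hypothetical, and it assumes child-OU inheritance applies in the Exclude section as well as the Include section.

```python
from dataclasses import dataclass, field

# Maximums stated on this page for each list.
LIMITS = {"include_ous": 40, "exclude_ous": 10, "include_users": 100, "exclude_users": 100}

@dataclass
class MfaConfig:  # hypothetical model of the page's settings
    all_users: bool = False
    include_ous: set = field(default_factory=set)
    exclude_ous: set = field(default_factory=set)
    include_users: set = field(default_factory=set)
    exclude_users: set = field(default_factory=set)

def limit_violations(cfg):
    """Names of the lists that exceed the documented maximums."""
    return [n for n, cap in LIMITS.items() if len(getattr(cfg, n)) > cap]

def ou_chain(ou, parent_of):
    """The OU plus every ancestor: selecting an OU also covers its children."""
    chain = set()
    while ou is not None and ou not in chain:
        chain.add(ou)
        ou = parent_of.get(ou)
    return chain

def mfa_decision(user, ou, cfg, parent_of):
    """Return (mfa_required, reason) for one user."""
    chain = ou_chain(ou, parent_of)
    # Exclude wins over Include and over "all users".
    # Assumption: child-OU inheritance also applies in the Exclude section.
    if user in cfg.exclude_users or chain & cfg.exclude_ous:
        return (False, "excluded")
    if cfg.all_users or user in cfg.include_users or chain & cfg.include_ous:
        return (True, "included")
    return (False, "not included")

def exempt_users(users, cfg, parent_of):
    """Map each user who can log in without MFA to the reason why."""
    decisions = {u: mfa_decision(u, ou, cfg, parent_of) for u, ou in users.items()}
    return {u: reason for u, (req, reason) in sorted(decisions.items()) if not req}

# Constructed sample data (not from any real tenant).
PARENT_OF = {"Corp": None, "Sales": "Corp", "Sales-EMEA": "Sales", "IT": "Corp"}
USERS = {"alice": "Sales-EMEA", "bob": "IT", "carol": "Corp", "dave": "Sales"}
CFG = MfaConfig(include_ous={"Sales", "IT"}, exclude_ous={"Sales-EMEA"},
                include_users={"alice"})
```

In the sample, alice is listed individually under Include but still ends up exempt, because her OU is excluded.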

Important: When adding new OUs in the MFA Configuration page, all previously selected OUs need to be re-selected; otherwise, they will be removed from the list. This will be improved with the July release.