Set up multi-factor authentication

Deep Security Manager gives you the option to use multi-factor authentication (MFA). MFA is a method of access control that requires more than a user name and password, and it is recommended as a best practice.

Enable multi-factor authentication

  1. In Deep Security Manager, select User Properties from the menu under your user name in the upper-right corner.
  2. On the General tab, click the Enable MFA button. This will open the Enable Multi-Factor Authentication wizard to guide you through the rest of the process.
  3. The first screen of the wizard will remind you to install a compatible virtual MFA application, such as Google Authenticator. For more information, see Supported multi-factor authentication (MFA) applications at the bottom of this article.
  4. If your device supports scanning QR codes, you can use your camera to configure your MFA application and click Next.

    Otherwise, you can choose My device does not support scanning QR codes. Show secret key for manual time-based configuration.

  5. Enter the Authentication Code (without the space), for example: 228045.


  6. If the authentication code is correct, MFA will be enabled for your account and you will be required to enter a new MFA code each time you sign in.

Disable multi-factor authentication

  1. In the Deep Security Manager, select User Properties from the menu under your user name in the upper-right corner.

  2. On the General tab, click the Disable MFA button.
  3. Click OK on the confirmation screen to disable MFA.

  4. Your user properties screen displays with a note to indicate the changes to MFA. Click OK to close the screen.

Supported multi-factor authentication (MFA) applications

The following smartphones and applications are actively supported for MFA. However, any application that implements an RFC 6238 compliant Time-Based One-Time Password (TOTP) algorithm should work.

Smartphone    MFA App
----------    -------------------------
Android       Google Authenticator, Duo
iPhone        Google Authenticator, Duo
Blackberry    Google Authenticator

Troubleshooting MFA

What if my MFA is enabled but not working?

The most common cause of MFA login issues is the time on your Deep Security Manager being out of sync with your device.

Follow the instructions below for your chosen operating system to make sure the time is properly synced:

If your Deep Security Manager is Linux:

Check that NTP is working correctly by entering ntpstat in the command line. To view the current system time and date, enter date.

If your Deep Security Manager is Windows:

Check that the Windows Time Service is working correctly. To view the current system time and date, enter time and date in the command line.

What if my MFA device is lost or stops working?

If your MFA device is lost, destroyed, or stops working, you'll need to have MFA disabled for your account in order to be able to sign in.

  1. Get in touch with the person who provided you with your sign-in credentials and ask them to follow the instructions in Disable multi-factor authentication. (You'll then be able to sign in with just your user name and password.)
  2. After you've signed in, change your password.
  3. Follow the instructions for Enable multi-factor authentication.

If you are the only administrative user for a Deep Security as a Service account, contact technical support (sign in to Deep Security as a Service, and click Support in the top right-hand corner) for assistance in temporarily deactivating MFA for your account.