Temporarily Disabling Multi-factor Authentication for Users

This section describes an example of changing login rules so that a user who can no longer perform multi-factor authentication is switched to single-factor authentication (password-based authentication only).

[ Note ]

Configuring this type of authentication weakens security for the user. Do not perform this procedure if you are unable to determine whether disabling multi-factor authentication for the particular user is appropriate.

We recommend that you re-enable multi-factor authentication as soon as possible once the user is capable of performing multi-factor authentication again.

Once a user requests that multi-factor authentication be disabled, an email is sent to the email address registered in the "Mail destination from the system" setting. Refer to "User Requests Disabling Multi-factor Authentication" for the contents of the email. After receiving the email message requesting that multi-factor authentication be disabled, log into IIJ ID Console and perform the following procedure.

[ Note ]

    • Multi-factor authentication is disabled per group. Multi-factor authentication will be disabled for all users in the same group.
    • To disable multi-factor authentication for a specific user, create a new group, add only the user to the group, and then apply the login policy to the group.
    • Once disabled, multi-factor authentication cannot be automatically re-enabled. An ID administrator must manually reconfigure the user to use multi-factor authentication.
    • We recommend that multi-factor authentication not be disabled if a device may be exploited by a third party, such as when a device is lost.
    • If a device registered to use multi-factor authentication is lost, a third party may gain unauthorized access via the lost device. Disable the corresponding user account if a third party may be able to gain unauthorized access. Refer to "Disabling Users" for more information on disabling user accounts.

[ Reference ]

Disabling Multi-factor Authentication for Users
  1. Because login policies are applied to groups, create a group which will be used to disable multi-factor authentication (skip this step if such a group has already been created).
    In this example, the group has been named "Disable Multi-factor." Refer to "Adding Groups" for more information on creating groups.

  2. Click "Group Management" and then "Member Settings" and add the users for whom you will disable multi-factor authentication (skip this step if users have already been added to the appropriate group).
    Refer to "Adding Group Members" for more information on adding group members.

  3. In IIJ ID Console, click "System" and then "Security Settings," or access the URL to the "Login Policy settings page" in the email message responding to your request to disable multi-factor authentication.


  4. Click "Login Policy."


  5. Click "Add New Login Policy."
    * Skip steps 5 through 7 if "Disable Multi-factor" already exists.

  6. Enter the name of the group that includes the appropriate user (example: Disable Multi-factor) in "Assigned groups" and then configure the login policy information.



  7. Click "Register."

  8. Increase the priority until the policy applied to "Disable Multi-factor" or "Password authentication only" has a priority of "1."
    Refer to "Changing Login Policies" for more information on changing the priority of login policies.

  9. If necessary, notify the user that multi-factor authentication has been disabled.

    [ Reference ]

    Remove the user from this group to re-enable multi-factor authentication for the user.