Temporarily Disabling Multi-factor Authentication for Users
This section describes an example of changing the login rules for a user who is no longer capable of performing multi-factor authentication, so that the user logs in with single-factor authentication (password-based authentication only).
[ Note ]
Configuring this type of authentication weakens security for the user. Do not perform this procedure if you are unable to determine if disabling multi-factor authentication for the particular user is appropriate.
We recommend that you re-enable multi-factor authentication as soon as possible once the user is capable of performing multi-factor authentication again.
Once a user requests that multi-factor authentication be disabled, an email is sent to the email address registered by the "Mail destination from the system" setting. Refer to "User Requests Disabling Multi-factor Authentication" for the contents of the email sent. After receiving the email message requesting that multi-factor authentication be disabled, log in to IIJ ID Console and perform the following procedure.
[ Note ]
- Multi-factor authentication is disabled per group. Multi-factor authentication will be disabled for all users in the same group.
- To disable multi-factor authentication for a specific user, create a new group, add only the user to the group, and then apply the login policy to the group.
- Once disabled, multi-factor authentication cannot be automatically re-enabled. An ID administrator must manually reconfigure the user to use multi-factor authentication.
- We recommend that multi-factor authentication not be disabled if a device may be exploited by a third party, such as when a device is lost.
- If a device registered to use multi-factor authentication is lost, a third party may gain unauthorized access via the lost device. Disable the corresponding user account if a third party may be able to gain unauthorized access. Refer to "Disabling Users" for more information on disabling user accounts.
[ Reference ]
- The content of email sent by the system can be customized. Refer to "Email Customization" for more information.
- The email address to which email is sent by the system can be customized. Refer to "Changing Email Addresses to Receive IIJ ID System Email" for more information.
- For more information on the method by which a user requests multi-factor authentication to be disabled, refer to "Requesting an Administrator to Disable Multi-factor Authentication" in "IIJ ID Service Manual [For Users]."
Disabling Multi-factor Authentication for Users
1. Because login policies are applied to groups, create a group which will be used to disable multi-factor authentication (skip this step if such a group has already been created).
   In this example, the group has been named "Disable Multi-factor." Refer to "Adding Groups" for more information on creating groups.
2. Click "Group Management" and then "Member Settings" and add the users for which you will disable multi-factor authentication (skip this step if users have already been added to the appropriate group).
   Refer to "Adding Group Members" for more information on adding group members.
3. In IIJ ID Console, click "System" and then "Security Settings" or access the URL to the "Login Policy settings page" in the email message responding to your request to disable multi-factor authentication.
4. Click "Login Policy."
5. Click "Add New Login Policy."
   * Skip steps 5 through 7 if "Disable Multi-factor" already exists.
6. Enter the name of the group that includes the appropriate user (example: Disable Multi-factor) in "Assigned groups" and then configure the login policy information.
7. Click "Register."
8. Increase the priority until the policy applied to "Disable Multi-factor" or "Password authentication only" has a priority of "1."
   Refer to "Changing Login Policies" for more information on changing the priority of login policies.
9. If necessary, notify the user that multi-factor authentication has been disabled.
[ Reference ]
Remove the user from this group to re-enable multi-factor authentication for the user.
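
Because the policy applies to every member of the group and multi-factor authentication is never re-enabled automatically, it helps to review the group on a schedule. The following is an added example, not part of the IIJ ID Service or its documentation: it compares the group's current members with a request register kept by the administrator. The register format, the member list, the function name audit_exemptions and the 7-day review window are all assumptions made for this example.

```python
import csv
import io
from datetime import date

# Constructed sample data. Both formats are assumptions for this example:
# a register the administrator keeps by hand, and the current member list of
# the "Disable Multi-factor" group copied from the console.
REGISTER = """\
user,disabled_on,reason
alice,2024-05-01,phone replaced
bob,2024-05-20,authenticator app reinstalled
carol,2024-05-19,device lost
"""
GROUP_MEMBERS = ["alice", "bob", "carol", "dave"]
MAX_DAYS = 7  # assumed review window, not a product setting


def audit_exemptions(register_csv, members, today, max_days=MAX_DAYS):
    """Return sorted (user, finding) pairs for the MFA-disabled group."""
    entries = {r["user"]: r for r in csv.DictReader(io.StringIO(register_csv))}
    findings = []
    for user in members:
        entry = entries.get(user)
        if entry is None:
            # The policy applies to the whole group, so an unrecorded member
            # has lost MFA without any request on file.
            findings.append((user, "in group without a recorded request"))
            continue
        age = (today - date.fromisoformat(entry["disabled_on"])).days
        if age > max_days:
            # MFA is never re-enabled automatically; someone has to act.
            findings.append((user, f"MFA disabled for {age} days"))
        if "lost" in entry["reason"].lower():
            findings.append((user, "lost device: disable the account instead"))
    for user in sorted(set(entries) - set(members)):
        findings.append((user, "removed from group; close the register entry"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_exemptions(REGISTER, GROUP_MEMBERS, date(2024, 5, 22)):
        print(f"{user}: {finding}")
```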