This article is for customers rolling our 2FA for the first time in Identity, if you are a migrating customer who is currently already using 2FA in People® check out our migration article here.
If you want further information about Access Identity 2FA check out our introduction article here.
The steps to configure 2FA in Access Identity
The Access identity 2FA enforcement is linked directly to a domain rather than to a user. Once a domain is setup for forced 2FA all users with email addresses within this will be covered by the forced 2FA.
-- Step 1 --
Identify your domains
Your domains will be on the right-hand side of your email addresses after the @ symbol for your users. Usually, it's your company name followed by .com or .co.uk, for example, the email: email@example.com, the domain would be "theaccessgroup.com".
Please gather together at least one email address from each domain you wish to register and ensure that you have the ability to test email messages with at least 1 user per domain that is to be registered, in order to complete the following steps.
If in doubt, your IT team should be able to support you with understanding what your domains are.
-- Step 2 --
Identify who manages your domain
Usually someone from your IT department will have access to the domain DNS. You will need to locate whomever is able to add a TXT record to this to verify ownership of the domain.
-- Step 3 --
Register for identity
To register each domain with Access Identity, you need to register at least 1 email address per domain. To do this, go to https://identity.accessacloud.com/ and click the Create New Account button.
Please Note: If you already registered with Access Identity due to using other Access Products, once clicking the link: https://identity.accessacloud.com/ You can either enter your password or reset your password to access your Identity account if you have forgotten this.
You will need to do this with one email per domain you wish to set up. Ideally, this person should be someone with administration rights in your business in case you need to come back and edit this later.
This is a once off task with one user per domain. Once set up is complete, all other users will be automatically moved to Access Identity, without any impact to how they login in.
-- Step 4 --
Once you have registered for Identity, you will need to or IT team or your Domain manager to follow and complete the steps in the following document: Click here
You will need to follow this document once per domain.
**Please note that 2FA and SSO is included in all PeopleHR packages **
-- Step 5 --
Setup Forced 2FA i.e. all users from a registered domain must use 2FA to login.
This step is optional, if not followed user can opt in to 2FA individually.
Navigate to Security policies in your identity account:
Select 'Add security policy'
Scroll down to 'Two-factor authentication'
Tick the 'Force two-factor authentication' ✅
Select 'Save changes' at the bottom right
Go to 'Domains' (the field above Security policies on the left)
Associate your security policy to the domain listed.
-- Step 6 --
Contact the PeopleHR Support team to activate your licence for 2FA.
-- Step 7 --
Run a test
Once you have done this please sign out of Access Identity. To test your setup go back to the homepage https://identity.accessacloud.com/ and type your email address in. When you click next you should be prompted to setup 2FA as part of your login if forced 2FA has been applied, going forward this will be a mandatory login step.
You're good to go 🎉
If you are able to do this and successfully get back to Access Identity then your domain is setup and all users with the same email domain will now be forced through the 2FA authentication.
What do we do if we don't have a company domain
If you do not own a domain and user emails contain icloud/yahoo etc... they will be unable to login via the 2FA mechanism, we do however, offer social sign in options for Gmail, Microsoft and LinkedIn, which will allow users to directly authenticate through them. Please note all other domains will need to login with a username and password going forward and 2FA will not be possible for these users.
Can we force all users to use 2FA in the company?
This is available by domain, if the whole company use the same domain this will be completed in one set up, if there are multiple domains the set up process will need to be performed for each domain that you would like to force 2FA enablement.
Can we force 2FA for admin users only in a company?
Access Identity does not support individual force, however, admin users can opt in to the 2FA by setting this up on their own account by following the steps in the 2FA individual enablement article.
If you have any questions please contact firstname.lastname@example.org