Modifying Classes
To modify a class, enter 1 in the Opt field for that class on the Work with Classes screen (STRMFA> 21 > 1). The Modify Class screen appears:
Modify Class
Class . . . . . . . . . . . JOE
Text . . . . . . . . . . . JOE
MFA
Preferred device . . . . . E     N=No MFA, C=Cell, E=Email, S=Screen
If no screen, prefer . . . E     C=Cell, E=Email
Restrict Emails to domain .
Allow OTP instead of TOTP . N    Y=Yes, N=No
                                                    OAuth2/OpenID
Add't Authentication Factor   OTP TOTP Qstn App API  Device Auth.C  Radius
Use 1-9 to specify  MFA. .                                  Priority (1=Highest)
                    AOD. .                                  Blank=Do not use
                    P-R. .
If API, MFA provider . . .         DUO, OKTA, PINGID...
Private questions
Number of private questions  0     0-10
Maximum retries              3     0=*NOMAX
Wait before next attempt .  60     1-999 seconds (999=No retry)
Password-Reset
Verify user by . . . . . .   E     N=No verify, C=Cell, E=Email, M=MFA
How to send the password .   C     S=Screen, C=Cell, E=Email
How to reset password . . .  1     1=New pwd, 2=Enable user, 9=Select
Password must be changed in 10     1-999 minutes (999=*NOMAX)
F3=Exit
The screen contains these fields:
Class
The name of the class. The default class is specified as *DFT.
Text
A free-form text description of the class.
MFA Preferred Device
The device to be used for MFA verification. A user who connects to the system and requires MFA is sent a link for confirmation, either via email or via SMS to the user's smartphone.
Values include:
C: Cell phone
E: Email
N: The class does not use MFA.
S: Screen
If no screen, prefer
The destination for messages if the MFA Preferred Device is set to Screen but is not available.
Values include:
C: Cell phone
E: Email
Restrict Emails to domain
The domains to which verification codes and new passwords can be sent by email. For example, they might be restricted to domains within the organization. If this field is left empty, the emails can go to any domain.
Allow OTP instead of TOTP
Values include: Y=Yes, N=No
Add't Authentication Factor
The methods that MFA, Authority on Demand, and Password Reset use for additional authentication. When the user signs in using MFA and follows the link sent via email or SMS, the page displays a series of buttons on the lower right. The user can select those buttons to use alternate methods of verification. The values set here determine the order in which the buttons appear onscreen, from left to right. If no value is set for a method here, no button appears for that method.
The three lines (MFA, AOD, and P-R) show the methods available for MFA, Authority on Demand, and Password Reset respectively.
The methods are:
OTP
A one-time password, sent via email or SMS, as set in the Preferred Verification Device field.
TOTP
A time-based one-time password, as shown in an authenticator app, such as Microsoft Authenticator or Google Authenticator, installed on the user's smartphone. Users who are set up with MFA (as shown in ) receive a QR code by email. Scanning this code with an authenticator app connects the app to your MFA system. Users authenticating via TOTP enter the code shown for your system in their app. The codes change every thirty seconds. If a code expires while the user is entering it, they must enter the code that replaced it.
Qstn
A set of personal security questions that the user must answer correctly. The questions for each person are entered on the Modify Person Identification Questions screen (as shown in Modifying Person Identification Questions).
App
The iSecurity authorization App.
API
A relevant API.
OAuth2/OpenID Device
The OAuth 2.0 Device Authorization Grant (formerly known as the Device Flow) is an OAuth 2.0 extension that enables devices with no browser or limited input capability to obtain an access token.
OAuth2/OpenID Auth. C
The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. Since this is a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server.
RADIUS
RADIUS authentication goes through a separate authentication server to authenticate users.
The two fields under Private Questions are relevant if Qstn has been selected as an additional authentication option.
Number of private questions
The number of private questions that the user is asked. The value can be between 0 and 10. The default is 0, meaning that Password Reset will skip the personal questions.
Wait before next attempt
The number of seconds that a user must wait after entering the maximum number of failed responses before trying again.
The number can be between 0 and 998. A value of 999 means that there is no waiting time between failures.
The four fields under Password Reset are relevant for Password Reset.
Verify user by
Possible values are:
N: No verification
C: Cell
E: Email
M: MFA
How to send the password
Possible values are:
S: Screen
C: Cell
E: Email
How to reset password
Possible values include:
1: New password
2: Enable user
9: Select
Password must be changed in
The number of minutes within which the password must be changed. Values are from 1 to 998, with 999 indicating no maximum time.