Multi-factor authentication: Difference between revisions

From MoodleDocs
(Added a new section with Recommendations and example setup)
(→‎What is multi-factor authentication (MFA)?: Updated description. →‎Manage multi-factor authentication: updated description and added link to new section with recommendations. Created new Weights and factors section and an 'Available factors' subsection.)
Revision as of 13:33, 29 November 2023

What is multi-factor authentication (MFA)?

Multi-factor authentication (MFA) is a security measure that requires users to verify their identity using two or more factors of authentication. Factors can be something users know, like a password, something they have, like a phone or security token, or something they are, like a fingerprint.

MFA helps improve security of your Moodle site because it is more difficult for attackers to compromise multiple factors.

Manage multi-factor authentication

From Site administration > Plugins > Admin tools > Manage multi-factor authentication, you can turn MFA on by checking the box MFA plugin enabled.  

If you’re configuring MFA for your site for the first time, we recommend that you check out the Recommendations and example setups to streamline the experience for your users.

Weights and factors

In Site administration > Plugins > Admin tools > Manage multi-factor authentication, you can see a list of the available factors and select the ones that make up MFA for your site.

These factors have weight points, and users have to reach 100 points in order to be able to log in. By configuring multiple factors and adjusting their weights, you can create complex and flexible rules for multi-factor authentication.

For example, you could have two factors with 100 points each, if you want to give users different methods of authentication. Or you could have two factors with 50 points each, meaning that users will have to go through both factors to be able to log in.

During the login process, factors that don't require user input, like IP address or user role, are assessed first. Then, the remaining factors are evaluated in order of weight, starting from the highest, until either the cumulative points reach the login threshold (100) or all factors have been checked and login is denied.

Available authentication factors

Non administrator: This factor enables you to give points for free to a user who is not an admin. This makes it easy to require admin users to have 2 or more factors while not affecting normal users.

Authentication type: Here you can specify that users with certain auth types, e.g. SAML via ADFS, already have 100 points, making them exempt from additional checks.

User capability: This factor checks whether a user has a capability in the system context. If the user has this capability, they do not gain the points for this factor and must instead use other factors to authenticate with the system. This is similar to the Non administrator factor, but it operates on a role basis. In practice, the capability 'factor/capability:cannotpassfactor' should be given to roles that must use other factors to authenticate to the system. An additional setting for this factor allows admins to gain points for it; by default they never gain points for this factor.

Cohort: This factor requires the user to be in a particular cohort in order to log in.

Email: A simple factor which sends a short-lived code to your email address, which you then need to enter to log in. Generally speaking this is a low-security factor, because typically the same username and password that log you into Moodle also log you into your email, so it does not add much value.

Grace period: This allows users to log in without interacting with MFA for a set period of time. Users can only achieve the points for this factor if there are no other input factors for them to interact with during the login process. This factor should be placed last in the list, so that all other factors are interacted with first during the login process. On the first page after login, if a user is currently within their grace period, regardless of whether they used gracemode as a login factor, they are shown a notification informing them of the grace period length and that they may need to set up other factors or risk being locked out once the grace period expires.

IP range: Use this factor if your users are on a secure network. It is very useful because it requires no setup by the end user: you can configure it so that users log in fully via the secure network, and once logged in they can set up other factors such as TOTP, then use those other factors to log in when not on the secure network.

No other factors: This is designed to allow people to pass only if they have not set up other factors for MFA already.

Role: This factor checks whether a user has any of the chosen roles assigned in any context, and does not award points if that is the case. This can be used to ensure that the selected roles must use a higher level of authentication such as TOTP, while letting non-specified roles authenticate seamlessly. This factor should generally have high-privilege roles such as manager and administrator selected, to enforce higher account security for these groups.

Trust this device:

Authenticator app: This factor sends a code to an authenticator app a user has already installed on their smartphone. Another term is TOTP - Time-based one-time password.

Security key:

Recommendations and example setups

When setting up MFA for your site, it’s important to ensure that you’re making your site more secure, but also creating a good experience for your users, including making sure that they are able to log in if they follow the right steps. Here are some recommendations to ensure that MFA is streamlined for your users:

  1. Make sure you turn on the Grace period factor when you turn on an authentication factor that requires users to configure something themselves (Authenticator app or Security key). This will give your users time to set up MFA before they are required to use it.
  2. If you don’t want to make MFA mandatory, enable No other factors. This will allow users with no other factors to log in using only their password.
  3. IP range factor is a very straightforward authentication method if all your users are using the same network. Once users are logged in using this factor, you can allow them to set up additional factors, such as an authenticator app, and then use those other factors to log in when not on your secure network.

Example setups

These are some examples of common MFA setups to increase the security of your Moodle site.

a) Email verification

  1. Enable MFA.
  2. Turn on factor Email and give it 100 points.
  3. You can turn on Trust your device to allow your users to bypass MFA for a specified period of time after they have verified it with MFA for the first time.
  4. Let your users know that email verification is now enabled. Next time your users try to log in, they will see a message that asks them to check their email and enter a code that has been sent there.


b) Authenticator app

  1. Enable MFA.
  2. Turn on the factor Grace period and give it 100 points. This will allow your users a period of time to set up their authenticator apps and prevent them from being locked out of your site. Use the Grace period warning banner to let your users know that MFA will be enabled soon and encourage them to set up their authenticator app.
  3. Turn on the factor Authenticator app and give it 100 points.
  4. You can turn on Trust your device to allow your users to bypass MFA for a specified period of time after they have verified it with MFA for the first time.


c) Email OR authenticator app

  1. Enable MFA.
  2. Turn on the factor Email and give it 100 points.
  3. Turn on the factor Grace period and give it 100 points. This will allow your users a period of time to set up their authenticator apps and prevent them from being locked out of your site. Use the Grace period warning banner to let your users know that MFA will be enabled soon and encourage them to set up their authenticator app.
  4. Turn on the factor Authenticator app and give it 100 points.
  5. You can turn on Trust your device to allow your users to bypass MFA for a specified period of time after they have verified it with MFA for the first time.


d) Email AND authenticator app

  1. Enable MFA.
  2. Turn on the factor Email and give it 50 points.
  3. Turn on the factor Grace period and give it 100 points. This will allow your users a period of time to set up their authenticator apps and prevent them from being locked out of your site. Use the Grace period warning banner to let your users know that MFA will be enabled soon and encourage them to set up their authenticator app.
  4. Turn on the factor Authenticator app and give it 50 points. Users will have to pass both factors to get to 100 points and be able to log in.
  5. You can turn on Trust your device to allow your users to bypass MFA for a specified period of time after they have verified it with MFA for the first time.
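To make the point arithmetic concrete, the following added example models the evaluation order described under "Weights and factors" (factors needing no user input first, then input factors by descending weight, stopping at 100 points) and runs the example setups a) to d) through it, plus a fifth setup built from the Non administrator factor's description. This is constructed illustration code, not the tool_mfa plugin's own implementation: the Session fields, the factor predicates and the "available" rule (Email is always usable, an authenticator app only once enrolled, Grace period only when no input factor is usable) are simplifying assumptions.

```python
"""Model of the weighted factor evaluation described on this page.

Constructed illustration, not code from Moodle's tool_mfa plugin: factor names
follow the page, the predicates are simplified stand-ins, and the Session
fields are assumptions about what the login context exposes.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

LOGIN_THRESHOLD = 100  # the page's login threshold


@dataclass
class Session:
    """Constructed login context for one user."""
    is_admin: bool = False
    on_secure_ip: bool = False     # inside the configured IP range
    in_grace_period: bool = False  # still within the Grace period window
    totp_enrolled: bool = False    # user has set up an authenticator app
    totp_code_ok: bool = False     # user entered a valid TOTP code
    email_code_ok: bool = False    # user entered the emailed code


@dataclass
class Factor:
    name: str
    weight: int
    needs_input: bool
    # passes(session, usable_input_factors) -> award the weight or not
    passes: Callable[[Session, List["Factor"]], bool]
    # available(session): can this user interact with the factor at all?
    available: Callable[[Session], bool] = lambda s: True


@dataclass
class Result:
    allowed: bool
    points: int
    prompted: List[str]            # input factors the user was asked for
    trail: List[Tuple[str, int]]   # (factor, points awarded), in evaluation order


# Factor constructors modelled on the page's descriptions (assumed semantics).
def non_admin(w: int) -> Factor:
    return Factor("Non administrator", w, False, lambda s, _: not s.is_admin)

def ip_range(w: int) -> Factor:
    return Factor("IP range", w, False, lambda s, _: s.on_secure_ip)

def grace_period(w: int) -> Factor:
    # Awarded only inside the grace window AND when no input factor is usable.
    return Factor("Grace period", w, False,
                  lambda s, inputs: s.in_grace_period and not inputs)

def email(w: int) -> Factor:
    return Factor("Email", w, True, lambda s, _: s.email_code_ok)

def totp(w: int) -> Factor:
    return Factor("Authenticator app", w, True,
                  lambda s, _: s.totp_code_ok, available=lambda s: s.totp_enrolled)


def evaluate(factors: List[Factor], session: Session) -> Result:
    """No-input factors first, then input factors by descending weight,
    stopping as soon as the cumulative points reach the threshold."""
    points, trail, prompted = 0, [], []
    inputs = [f for f in factors if f.needs_input and f.available(session)]

    for f in (x for x in factors if not x.needs_input):
        got = f.weight if f.passes(session, inputs) else 0
        points += got
        trail.append((f.name, got))
        if points >= LOGIN_THRESHOLD:
            return Result(True, points, prompted, trail)

    for f in sorted(inputs, key=lambda x: x.weight, reverse=True):
        prompted.append(f.name)  # the user is asked for this factor
        got = f.weight if f.passes(session, inputs) else 0
        points += got
        trail.append((f.name, got))
        if points >= LOGIN_THRESHOLD:
            return Result(True, points, prompted, trail)

    return Result(False, points, prompted, trail)


# The page's example setups a) to d), plus e) built from the Non administrator
# factor's description (constructed here, not a setup the page lists).
SETUPS: Dict[str, List[Factor]] = {
    "a": [email(100)],
    "b": [grace_period(100), totp(100)],
    "c": [email(100), grace_period(100), totp(100)],
    "d": [email(50), grace_period(100), totp(50)],
    "e": [non_admin(100), totp(100)],
}


if __name__ == "__main__":
    enrolled = Session(totp_enrolled=True, totp_code_ok=True, email_code_ok=True)
    newcomer = Session(in_grace_period=True)
    for key, factors in SETUPS.items():
        print(key, "enrolled:", evaluate(factors, enrolled))
        print(key, "newcomer:", evaluate(factors, newcomer))
```

Two results are worth checking against the text: in setup c) an enrolled user who passes Email is never prompted for the authenticator app (the first 100-point factor ends evaluation, which is the OR behaviour), while in setup d) both prompts appear and a failed TOTP leaves the user at 50 points and denied. The model also shows the lock-out the Grace period description warns about: in setup b) a user whose grace period has expired and who never enrolled an app reaches 0 points.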

Summary of good conditions for login

Here are listed the factors selected and their total weighting, adding up to 100.

General MFA settings

  • The MFA plugin enabled box must be checked for MFA to work.
  • In this section you can add relative URLs (from the site root) from which the MFA check will not redirect the user.
  • Links to guidance pages or files may be uploaded here.

Admin locked out of site - how to resolve

Be careful as an administrator when configuring and testing the factors that you do not lock yourself out of the site. If you do, MFA can be disabled from the command line by entering:

    php admin/cli/cfg.php --component=tool_mfa --name=enabled --set=0
