This page requires updating. Please do so and remove this template when finished.

What is multi-factor authentication (MFA)?

Multi-factor authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to an online account such as Moodle site. MFA helps improve security of your site.

Manage multi-factor authentication

From Site administration > Plugins > Admin tools > Manage multi-factor authentication you can select the 'factors' which must satisfy in order to login. These factors must add up to 100. By configuring multiple factors and weighting them you can easily have quite complex and flexible rules.

Non administrator: This factor enables you to give points for free to a user who is not an admin. This makes it easy to require admin users to have 2 or more factors while not affecting normal users.

Authentication type: Here you can specify that users with certain auth types, eg SAML via ADFS already have 100 points, making them exempt from additional checks.

User capability: This factor checks whether a user has a capability, in the system context. If the user has this capability, they will not gain the points for this factor, and must instead use other factors to authenticate with the system. This is similar to the non-admin factor, however it operates on a role basis. In practice, the capability 'factor/capability:cannotpassfactor' should be given to roles who must use other factors to authenticate to the system. There is an additional setting for this factor that will allow admins to gain points for this factor, as by default they will always gain no points for this factor.

Cohort:

Email: A simple factor which sends a short lived code to your email which you then need to enter to login. Generally speaking this is a low security factor because typically the same username and password which logs you into moodle is the same which logs you into your email so it doesn't add much value.

Grace period: This allows users to log in without interacting with MFA for a set period of time. Users can only achieve the points for this factor if there are no other input factors for them to interact with during the login process. This factor should be placed last in the list, that way all other factors are interacted with during the login process first. On the first page after login, if a user is currently within their grace period, regardless of whether they used gracemode as a login factor, they are presented a notification informing them of the grace period length, and that they may need to setup other factors or risk being locked out once the grace period expires.

IP range: Use this factor if you are on a secure network.This is very useful because it requires no setup by the end user, so you can set it up so that you can log in fully via a secure network, and once logged in they can setup other factors like TOTP, and then use those other factors for logging in when not on a secure network.