This guide goes over how to enable and set up MFA for users/clients. At this time MFA is only available on Windows Desktop Edge Endpoints. If any of your users are using different endpoints their access to services in APPWANs with MFA enabled will not be allowed. Please enable with caution.
To enable MFA you must first go to the MANAGE APPWANS screen and click on the appwan that has the endpoints that you need to have MFA enabled.
Then on the APPWAN details screen you will see a toggle on the bottom right that is labeled Multi Factor Authentication.
Here all you need to do is toggle the button to 'YES'.
Setting Up MFA on the Client/Endpoint
After enrolling an identity click on it and open the detail page. On the detail page click the toggle to enable MFA:
NOTE: User can set up MFA on the windows edge client at any time once the identity is enrolled. This will not impact your service access UNTIL you/your administrator enables MFA on a given APPWAN.
After toggling the toggle, a QR Code will be generated and displayed and will look like:
- Shows the QR Code. Use your mobile to scan the code into an authenticator application of your choice.
- If a OTP-style application is installed and is mapped on the system to open links starting with
- Show Secret will show you the secret that can be used to manually install the token into an authenticator app
- Once the token is imported into the authenticator app - enter the 6-digit code into the "Authentication Code" field and click the button to enroll the identity for MFA.
Post MFA Enrollment
After enrolling the identity it will be automatically authorized for the current session and recovery codes will be shown. Save these recovery codes as they will be needed in case the token is ever lost.
These recovery codes will be your only backup if you lose your MFA, so it is important to save them somewhere safe.
The detail screen will change and show two new icons:
- The first icon will show the recovery codes for the identity if needed
- The lock icon show the MFA status and represents if the identity has successfully been authorized.
Authenticating Using a Time-based One-time Token
After being enrolled should the session become invalid the lock icon will change to a yellow color and be shown on the main page. Click on the lock icon on either screen or click the "Authenticate" button on the detail page to initiate authentication.
A dialog will be shown. Enter the code and complete authentication.
After setting up MFA, you will see that under MANAGE ENDPOINTS, the endpoints attached to the APPWAN that you enabled MFA will now show YES under Enrolled MFA.
You will also be able to reset MFA per endpoint using the three dots on the right.
- This could be useful if the user has gotten a new phone and does not have their recovery codes.