
Managing Multifactor Authentication in your domain

Note: Starting with the 2025.1 release, multifactor authentication is required on all domains not previously using MFA or SSO. For more information, refer to Kahua Enabling Multi-Factor Authentication (MFA) for All Customers in February 2025 Release.


Multifactor authentication is required on all domains that do not use SSO. Users will be required to either obtain a code through their email or from an authentication app such as Microsoft Authenticator or Google Authenticator, or to establish and use a passkey.


If you want to use single sign-on (SSO) authentication, contact Kahua Support for assistance.


You can use authentication groups as described below to manage which multifactor authentication methods are available to users who access your domain, including both internal users and external users.


You are not required to set up authentication groups. If you do not set up authentication groups, users will select which MFA method to use each time they log in.


This article outlines the steps a domain administrator can take to manage multifactor authentication in their Kahua domain. For information on the steps a user will take to set up their multifactor authentication, refer to Multifactor Authentication.




Manage MFA options for internal users

If you don't set up any MFA options for your internal users, that is, users for whom your domain is their primary domain, they will be presented with the three default options when they log in: authenticator app code, email, or passkey.


If you want to create a reduced set of options for internal users, you can create an authentication group that includes just those options and then set that authentication group as the default for internal users.


Additionally, you can assign an authentication group to an individual user in the Users app, or use the Authentication Group Criteria section to assign an authentication group to users with email addresses from specific domains (for example, when you want to require all users with email addresses from @company.com to use only the authenticator app code option).


To control what MFA options are available to your internal users, complete the following steps:

  1. Navigate to Apps > Administration > Domain Settings > Authentication.
  2. Scroll down to the bottom of the page and select Manage Authentication Groups to open the Authentication Groups page.
  3. In the Authentication Groups section, click Add.
  4. Enter a Name. You can use something like "Authenticator code" or "Email Verification" or another name of your choosing.

  5. The Provider Type field defaults to "Kahua". Enter a Description as desired.
  6. Select MFA Enabled. Once enabled, you can make any or all of the following MFA methods available to your users:
    • Authenticator app code - Select this option to allow users to use the Time-based One-Time Password (TOTP) method for authentication. Users will be required to use an authenticator app such as Microsoft Authenticator or Google Authenticator to generate a new code to use each time they log in to Kahua.
    • Email - Select this option to allow users to use email verification for authentication. Users will be sent an email containing a code to use each time they log in to Kahua.
    • Passkey - Select this option to allow users to use a passkey for authentication. Passkeys allow users to prove their identity by logging in from a supported device, rather than by using a password. For general information on passkeys, refer to this link.
  7. Click Save. The new authentication group is saved and appears in the list of authentication groups.
  8. To assign this authentication group as the default for internal users in your domain, navigate to the bottom of the page and select it in the Domain User Authentication field. This group will be the default applied to any internal user signing into your domain who is not a member of another authentication group.

    Click Update to complete the change. Click OK on the confirmation message.

  9. To apply an authentication group to users based on the email addresses they use to log in to Kahua, you can set up Authentication Group Criteria. This would be appropriate, for example, when you have internal users from a subsidiary with email addresses from @company.com, and you want just those users to only have the authenticator app code option for MFA when they log in. 
    1. In the Authentication Group Criteria section, select Add.

    2. Select the Authentication Group you want to apply to these users. 
    3. Enter the appropriate email suffix in the Username Suffix field (e.g., "@company.com"). 
    4. As this is for internal users, do not select the External Users toggle.
    5. Click Done when you are finished.
    6. Click Save in the section to save your changes. 

  10. When you are done, click the Close icon in the upper right corner to close the Authentication Settings page and return to the Authentication page. If you receive a warning about unsaved changes, confirm that you clicked Save in the Authentication Group Criteria section.
  11. To apply a different authentication group to an individual user, navigate to the Users app (Apps > Administration > Users) and select that user's profile. Select the appropriate Authentication Group on their user profile and click Save.


Manage MFA options for external users

If you don't set up any MFA options for your external users, that is, users for whom your domain is not their primary domain, they will be presented with the three default options when they log in: authenticator app code, email, or passkey.


If you want to create a reduced set of options for external users, you can create an authentication group that includes just those options and then use the Authentication Group Criteria section to set that authentication group as the default for external users.


Additionally, you can assign an authentication group to an individual user in the Users app, or use the Authentication Group Criteria section to assign an authentication group to users with email addresses from specific domains (for example, when you want to require all users with email addresses from @company.com to use only the authenticator app code option).


To control what MFA options are available to your external users, complete the following steps:

  1. Navigate to Apps > Administration > Domain Settings > Authentication.
  2. Scroll down to the bottom of the page and select Manage Authentication Groups to open the Authentication Groups page.
  3. In the Authentication Groups section, click Add.
  4. Enter a Name. You can use something like "Authenticator code" or "Email Verification" or another name of your choosing.

  5. The Provider Type field defaults to "Kahua". Enter a Description as desired.
  6. Select MFA Enabled. Once enabled, you can make any or all of the following MFA methods available to your users:
    • Authenticator app code - Select this option to allow users to use the Time-based One-Time Password (TOTP) method for authentication. Users will be required to use an authenticator app such as Microsoft Authenticator or Google Authenticator to generate a new code to use each time they log in to Kahua.
    • Email - Select this option to allow users to use email verification for authentication. Users will be sent an email containing a code to use each time they log in to Kahua.
    • Passkey - Select this option to allow users to use a passkey for authentication. Passkeys allow users to prove their identity by logging in from a supported device, rather than by using a password. For general information on passkeys, refer to this link.
  7. Click Save. The new authentication group is saved and appears in the list of authentication groups.
  8. To apply an authentication group to all your external users, or to a set of users based on the email address they use to log in to Kahua, you can set up Authentication Group Criteria:
    1. In the Authentication Group Criteria section, select Add.

    2. Select the Authentication Group you want to apply to these users. 
    3. To apply this setting to all external users, leave the Username Suffix field blank.

      To apply this setting to users from a specific email domain, enter the appropriate email suffix in the Username Suffix field (e.g., "@company.com").

    4. Select the External Users toggle to apply this selection to external users in your domain.
    5. Click Done when you are finished.
    6. Click Save in the section to save your changes. 

  9. When you are done, click the Close icon in the upper right corner to close the Authentication Settings page and return to the Authentication page. If you receive a warning about unsaved changes, confirm that you clicked Save in the Authentication Group Criteria section.
  10. To apply a different authentication group to an individual user, navigate to the Users app (Apps > Administration > Users) and select that user's profile. Select the appropriate Authentication Group on their user profile and click Save.
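
The assignment rules from the internal and external procedures above can be modeled to check which MFA methods each user would be offered before you change the settings. This is an added example, not Kahua code or a Kahua API; the precedence order (user profile, then criteria with the longest matching suffix, then the domain default) and all function names, group names and sample users are assumptions.

```python
from dataclasses import dataclass

DEFAULT_METHODS = frozenset({"authenticator", "email", "passkey"})  # the three defaults

@dataclass(frozen=True)
class Criterion:
    group: str
    username_suffix: str  # "" models a blank Username Suffix field
    external: bool        # state of the External Users toggle

def effective_methods(username, is_external, groups, criteria,
                      domain_default=None, user_group=None):
    """Return (source, methods) a user would be offered under this model."""
    # 1. Group set on the user's profile (assumed to take precedence).
    if user_group is not None:
        return "user profile", groups[user_group]
    # 2. Criteria for the same user kind whose suffix matches; a blank suffix
    #    matches everyone. Assumed tie-break: the longest suffix wins.
    matches = [c for c in criteria
               if c.external == is_external
               and username.lower().endswith(c.username_suffix.lower())]
    if matches:
        best = max(matches, key=lambda c: len(c.username_suffix))
        return "criteria", groups[best.group]
    # 3. The Domain User Authentication default covers internal users only.
    if not is_external and domain_default is not None:
        return "domain default", groups[domain_default]
    # 4. No group applies: the three default options are presented.
    return "no group", DEFAULT_METHODS

# Constructed sample configuration and users (not from a real domain).
GROUPS = {"Authenticator code": frozenset({"authenticator"}),
          "App or passkey": frozenset({"authenticator", "passkey"})}
CRITERIA = [Criterion("Authenticator code", "@company.com", external=False),
            Criterion("App or passkey", "", external=True)]
USERS = [("ana@company.com", False, None),       # (username, external?, profile group)
         ("raj@example.org", False, None),
         ("lee@partner.example", True, None),
         ("kim@company.com", False, "App or passkey")]

def audit(users, domain_default=None):
    """Map each username to its (source, methods) result."""
    return {u: effective_methods(u, ext, GROUPS, CRITERIA, domain_default, grp)
            for u, ext, grp in users}

def email_exposed(users, domain_default=None):
    """Users who would still be offered the email code option."""
    return [u for u, (_, m) in audit(users, domain_default).items() if "email" in m]
```

In this sample, an internal user outside @company.com falls through to all three options until a Domain User Authentication default is set, which is the gap the audit is meant to surface.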


Reset MFA for a user

If a user loses access to the authenticator app (lost phone, deleted app, etc.), the basic steps to resolve the problem are the following:

  1. Open the Users app and select their user profile to open the detail pane.
  2. In the Multi-Factor Authentication (MFA) section, select Un-enroll. This will remove their current multifactor authentication configuration. 
  3. Have the user attempt to log in to Kahua. They will be required to re-enroll in MFA.

