Open navigation

Managing Multifactor Authentication in your domain

This article outlines the steps a domain administrator can take to set up and manage multifactor authentication in your Kahua domain.  For information on the steps a user will take to set up their multifactor authentication, refer to Multifactor Authentication.


Establish a default authentication group


Authentication Groups allow you to manage authentication settings at a group level, rather than applying changes to each user individually. Additionally, you can create a default group with settings that are applied to all users by default.  You can still create additional authentication groups to manage named users with different authentication needs.  


To create a default authentication group that uses TOTP (Time-based One Time Password) or emailing of codes for authentication, complete the following steps:

  1. Navigate to Apps > Domain Settings > Authentication.
  2. Scroll down to External User Authentication.
  3. Select Manage Authentication Groups.
  4. Click Add to open the new group page.
  5. Enter a Name.  You can use something like "Default TOTP" or "Default Email Verification" to indicate this is the default authentication group, or another name of your choosing.
  6. In the Provider Type field, select Kahua.
  7. Select Mfa Enabled.
  8. In the Mfa Type field, select one of the two available options:
    • TOTP - Select this option to use the TOTP method for authentication. Users will be required to use an authenticator app to generate a new code to use each time they log into Kahua.
    • Email - Select this option to use email verification for authentication.  Users will be sent an email containing a code to use each time they log into Kahua. 
  9. Click Save.  The new authentication group is saved and appears in the list of authentication groups. 
  10. IMPORTANT:  If you want this to be the default authentication method for your users, you must assign the new group as the default in your domain.  To do this, in the Domain User Authentication field at the bottom of this page, select the newly created group.
  11. Click Update.  The settings in the newly created group are now the default that will be applied to any user signing into your domain who is not a member of another authentication group.


What to do when a TOTP user needs MFA reset


If a user loses access to the authenticator app (lost phone, deleted app, etc.) you can go to their user profile and un-enroll them from multifactor authentication. This will remove their current multifactor authentication configuration. They will be required to re-enroll the next time they attempt to log in to Kahua.  


To un-enroll a user from MFA, complete the following steps.

  1. Navigate to Apps > Users.
  2. Select the user.
  3. In the Enable Multifactor Authentication section, click Un-Enroll.
  4. They have now been unenrolled from MFA.  They will be required to re-enroll the next time they attempt to log in to Kahua.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.