Group Based Multi-Factor Authentication
Multi-Factor Authentication is available to all Bitium organizations on the Business Plus plan and above. With the implementation of group-based MFA, organization admins can now control which users or groups are required to authenticate with MFA when they log in to Bitium. More importantly, admins can now reset a user’s MFA if the user loses their phone or gets a new device.
To enable group-based MFA, click “Manage org” at the top, select “Security”, and then click “Multi-Factor Authentication.”
Before specifying which group(s) to enable MFA for, specify the interval at which the user will receive an MFA prompt upon logging into Bitium. To enable MFA for every user in the organization, leave the “Optional” field blank. To enable MFA for specific groups, input the group name(s) in the “Optional” box. Click “Enabled” and “Save Changes” to apply the settings to your organization.
When a new user enrolls in the organization, they will be prompted with the “Setup Two-Factor Authentication” screen where they will attach their authentication app of choice to Bitium.
Admins can manage the devices that the specified users use for MFA. To remove a device, click the remove button to the right of the device name.
Common MFA Scenarios
If a user is locked out of Bitium due to MFA, an admin can reset it by navigating to that specific user’s account in the “Manage Users” section. Select the user, and click “Reset 2FA” at the top.
In some cases, users may have configured MFA at the account level, which may require them to enter a 2FA code twice in Bitium, specifically if that user’s organization has enabled enforceable MFA as well. In this case, the user would retain two MFA strategies. If a user’s second MFA code isn’t accepted, please contact email@example.com. A user with two MFA strategies will see this screen: