Multi-factor authentication
When you set up multi-factor authentication (MFA) for your Rapid7 Command Platform users, you add an extra layer of security that ensures secure access to your Rapid7 products and data.
To configure MFA settings:
- From the left menu of the Platform Home page, click the Administration link.
- In the left menu of the Administration page, click Settings.
- Click the Multi-Factor Authentication tab in the Authentication Settings section.
- If the MFA option is not enabled, toggle on the Enable button.
After you enable MFA, you can choose from the MFA options described in the sections below:
You can also configure additional settings for your users, such as how often they must complete multi-factor authentication.
U2F is only supported on Google Chrome or Mozilla Firefox.
U2F
Universal 2nd Factor (U2F) authentication is the most secure of the available MFA methods because it requires you to register a physical security key and connect it to your asset over Bluetooth or USB.
To do so, follow the steps in the sections below.
Organizations that already have MFA configured can add U2F to their existing MFA options or make U2F the only MFA option.
Add U2F as an MFA option
You must be a Platform Administrator to configure authentication settings.
To register your U2F security key:
- From the left menu of the Platform Home page, click the Administration link.
- In the left menu of the Administration page, click Settings.
- Click the Multi-Factor Authentication tab in the Authentication Settings section.
- If the MFA option is not enabled, toggle on the Enable button.
- Select the “U2F” option as your authentication method.
- Save your changes.
If you are using Mozilla Firefox, you must download and install the appropriate U2F extension for your security key before performing the next steps.
Register your U2F key
Going forward, users who sign in to the Command Platform will see a new screen that prompts them to set up a U2F security key.
- Click the Setup button for U2F. The next screen provides instructions for how to physically place your security key.
- When you are ready, click the Register Security Key button.
- Click the physical button on your Security Key to complete the registration. The Command Platform screen will display a green checkmark.
- Click the Finish button. The Command Platform will log you back in.
For each subsequent login, the Command Platform will prompt you to authenticate with your security key; follow the on-screen instructions.
Add U2F to existing MFA options
If your organization already uses MFA but you want to add U2F as a new option, you must reset each user’s MFA settings in their user profile. Otherwise, users will not be prompted to configure U2F and can continue to sign in without it.
To reset a user’s MFA settings:
- From the left menu of the Platform Home page, click the Administration link.
- From the left menu of the Administration page, click User Management.
- Find the user in the “Users” table and click the pencil icon to edit.
- In the “User Details” tab, click the Reset MFA link.
During their next login, the Command Platform will require them to complete the configuration for at least one MFA option. You can encourage users to set up U2F, but only one MFA configuration is required.
To make U2F the only MFA option:
- Navigate back to the “Multi-Factor Authentication” page.
- Deselect the boxes for other MFA options until U2F is the only option selected.
- Save your changes.
During their next login, users must configure their U2F security devices.
Okta Verify
Okta Verify is a mobile application that provides a secure second layer of authentication. Follow these instructions to configure the app: https://help.okta.com/en/prod/Content/Topics/Mobile/okta-verify-overview.htm
Google Authenticator
Google Authenticator provides a secure second layer of authentication and supports several different ways to complete second-factor authentication. Follow these instructions to configure it: https://www.google.com/landing/2step/index.html
SMS authentication
SMS authentication is the least secure way to authenticate because attackers can intercept SMS messages or take over your phone number and receive the authentication code on a different phone.
However, any layer of security is better than none at all. If the other MFA options are unavailable to you, SMS authentication is easy to configure: it sends a single code to your phone, which you enter into a field to complete the login.
Additional MFA settings
You can apply MFA settings to all users, include only specific users, or exclude specific users. Search for users to add them to the include or exclude list.
The ability to include specific users for MFA can be used in conjunction with your external IdP configuration. Only users with local platform accounts will be prompted for MFA. Users who are provisioned and authenticate through your external IdP will not be prompted for MFA by Rapid7.
Only one MFA setting can apply at any one time
The options to include all users, include a selection of users, or exclude a selection of users from MFA are mutually exclusive. Only one option and its user list can be enabled at a time.