When you set up multi-factor authentication (MFA) for your Insight users, you add an extra layer of security that ensures secure access to your Insight products and data.
To configure MFA settings:
- Sign in to the Insight Platform.
- From the left menu, go to the Company Settings page.
- On the Company Settings page, go to the Multi-Factor Authentication tab, which is located under Authentication Settings.
- If the MFA option is not enabled, toggle on the Enable button.
After you enable MFA, you can choose from the following MFA options:
You can also configure additional settings for your users, such as how often they must complete multi-factor authentication.
U2F is only supported on Google Chrome or Mozilla Firefox.
Universal 2nd Factor authentication is the most secure method of multi-factor authentication because it requires that you register a physical Security Key and connect it with your asset by bluetooth or USB.
To do so:
Add U2F as an MFA option
You must be a Platform Administrator to configure authentication settings.
To register your U2F security key:
- Sign in to the Insight platform and navigate to Company Settings > Authentication Settings from the left menu.
- Toggle on the Enable button if MFA is not already enabled.
- Select the Multi Factor Authentication tab.
- Select the “U2F” option as your authentication method.
- Save your changes.
If you are using Mozilla Firefox, you must download and install the appropriate U2F extension for your security key before performing the next steps.
Register your U2F key
Going forward, users who sign in to the Insight platform will see a new screen that prompts them to set up a new U2F.
- Click the Setup button for U2F. The next screen provides instructions for how to physically place your security key.
- When you are ready, click the Register Security Key button.
- Click the physical button on your Security Key to complete the registration. The Insight platform screen will display a green checkmark.
- Click the Finish button. The Insight platform will log you back in.
For each subsequent log in, the Insight platform will prompt you to authenticate with your security key by following the provided instructions.
Add U2F to existing MFA options
If your organization already uses MFA, but you want to add U2F as a new option, you must reset each user’s MFA settings in their user profile. If you do not, users will not be prompted to configure their U2F option and can bypass this option.
To reset a user’s MFA settings:
- From the Insight platform, select the User Management page on the left.
- Find the user in the “Users” table and click the pencil icon to edit.
- In the “User Details” tab, click the Reset MFA link.
During their next login, the Insight platform will require them to complete the configuration for at least one MFA option. You can encourage users to set up U2F, but only one MFA configuration is required.
To make U2F the only MFA option:
- Navigate back to the “Multi-Factor Authentication” page.
- Deselect the boxes for other MFA options until U2F is the only option selected.
- Save your changes.
During their next login, users must configure their U2F security devices.
OKTA Verify is a mobile application that provides a secure second layer of authentication. Follow these instructions to configure the app: https://help.okta.com/en/prod/Content/Topics/Mobile/okta-verify-overview.htm
Google Authenticator is a secure second layer of authentication. It provides several different ways to complete second factor authentication. Follow these instructions to configure it: https://www.google.com/landing/2step/index.html
SMS authentication is the least secure way to authenticate because attackers can intercept SMS messages or spoof your phone number and authenticate to a different phone number.
However, any layer of security is better than having no security at all. If the other MFA options are unavailable to you, SMS authentication is easily configured and sends a single code to your phone to input into a field.
Additional MFA settings
You can choose to apply MFA settings to all users, exclude specific users or include specific users. Search for users to include or exclude from the MFA settings.
The ability to include specific users for MFA can be used in conjunction with your external IDP configuration. Only users with local platform accounts will be prompted for MFA. Users who are provisioned and authenticate via your external IDP will not be prompted for MFA by Rapid7.
Only one MFA setting can apply at any one time
The option to include all, include a selection of users, or exclude a selection of users from MFA are mutually exclusive. Only one option and its list can be enabled at a time.