Objective
Configuring and using multi-factor authentication (MFA) in 8x8 X Series.
Applies To
- 8x8 X Series
- Login Security
Procedure
Enabling Multi-factor Authentication
Multi-factor authentication adds an extra layer of security to protect your 8x8 user accounts. 8x8 supports e-mail, SMS, and authenticator apps (e.g., Google Authenticator, Authy, Okta Verify) as second authentication factors.
Customer administrators can opt to make multi-factor authentication mandatory for their users.
Note: Making this change will enable multi-factor authentication for all users, company-wide. It is not possible to enable it for individual users.
- In the Admin Console, click Identity and Security.
- Enable Multi-factor authentication for all users and save changes.
- All users will now be required to configure a second factor during the next login.
This configuration applies only to logins that use 8x8 authentication. Users logging in with organizational credentials via a Single Sign-on integration (e.g., Okta, AzureAD) are not prompted for 8x8 multi-factor authentication.
Tip: To avoid user confusion and improve security, consider whether you need both 8x8 and third-party authentication enabled. Administrators always have access to 8x8 authentication as a backup in the event of a misconfiguration with third-party SSO.
Using Multi-factor Authentication
User Login
- During their first login after multi-factor authentication is enabled, users will be prompted to configure their second factor. Users can choose from SMS, e-mail, or authenticator apps.
- Once configured, users are logged in as normal. During subsequent logins, users can choose not to be prompted for the second factor on the same device for 90 days.
Note: Using a different browser, clearing browser cookies, or using incognito mode will prompt for multi-factor authentication even if the user checked the box to skip the prompt.
Changing multi-factor authentication and getting backup codes
- From the Application Panel (apps.8x8.com), click on the User Profile menu (top-right) and choose Application Password MFA.
- From there, you can add, change, or remove authentication methods. Please note that once multi-factor authentication is enabled by an administrator, users must have at least one method enabled at all times.
To ensure continued access even if a user loses access to their second factor, it is recommended that users get Backup Codes and store them somewhere secure. These one-time-use codes can be entered during the login flow in place of an SMS, e-mail, or authenticator app code. To enable these, click + Add another and choose Backup Codes.
Note: It is not recommended that Backup Codes be the only authentication method a user has configured.
Resetting users’ multi-factor authentication
If a user is unable to access their second factor, an administrator can reset it. In the Admin Console Users list, click on the option menu for the user and choose Reset user multi-factor authentication.
This can also be done for multiple users at once by selecting the users and choosing Reset users multi-factor authentication from the More menu.
Additional Information
The same phone number and e-mail address can be configured on multiple different logins to receive multi-factor authentication codes.