Hanzo
PlatformHanzo IAMUsers

MFA / 2FA

Secure your account with MFA / 2FA

About multi-factor authentication

MFA (Multi-Factor Authentication) is a security measure that can enhance the security of users and systems. It requires users to provide two or more factors of authentication to verify their identity when logging in or performing sensitive operations.

Hanzo IAM supports multiple second-factor authentication methods including SMS codes, email codes, TOTP authenticator apps, and RADIUS authentication.

Once you enable MFA, Hanzo IAM requires an authentication code every time someone attempts to sign in to your account. The only way someone can sign in to your account is if they know both your password and have access to the authentication code.

Configuring MFA

  1. On the user profile page, open the multi-factor authentication section. If it is missing, ensure the organization has added the MFA item in the account items table. mfa_config
  2. Click the "setup" button. mfa_setup
  3. Type your password and click "Next Step". mfa_check_password

Configuring multi-factor authentication using a TOTP mobile app

A time-based one-time password (TOTP) application automatically generates an authentication code that changes after a certain period of time. We recommend using:

:::tip

To configure authentication via TOTP on multiple devices, during setup, scan the QR code using each device at the same time. If 2FA is already enabled, and you want to add another device, you must reconfigure your TOTP app from the user profile page.

:::

totp

When you add your account to an authenticator app, the account name will show the organization's display name (or organization name if no display name is set). This helps you identify which organization the TOTP code belongs to when managing multiple accounts.

  1. In the "Verify Code" step, do one of the following:
    • Scan the QR code with your mobile device's app. After scanning, the app displays a six-digit code that you can enter on Hanzo IAM.
    • If the QR code cannot be scanned, copy the secret and enter it manually in the TOTP app.
  2. The TOTP mobile application saves your account on Hanzo IAM and generates a new authentication code every few seconds. On Hanzo IAM, type the code into the "Passcode" field and click "Next Step".
  3. Above the "Enable" button, copy your recovery codes and save them to your device. Save them to a secure location because your recovery codes can help you regain access to your account if you lose access. mfa_enable

:::caution

Each recovery code can only be used once. If you use a recovery code to sign in, it will become invalid.

:::

Configuring multi-factor authentication using text messages

If you have added your mobile phone number, Hanzo IAM will use it to send you a text message.

mfa_bound

If you have not added your mobile phone number, add it in your account first.

mfa_binding

  1. Select your country code and enter your mobile phone number.
  2. Check if your information is correct and click "Send Code".
  3. Enter the security code from the text message in Enter your code and click Next Step.
  4. Above the "Enable" button, copy your recovery codes and save them to your device. Save them to a secure location because your recovery codes can help you regain access to your account if you lose access.

Configuring multi-factor authentication using email

Configuring email as your multi-factor authentication method is similar to using text messages.

  1. Use your current email or enter your email address and click "Send Code".
  2. Then enter the code into the "Enter your code" field and click "Next Step".
  3. Above the "Enable" button, copy your recovery codes and save them to your device. Save them to a secure location because your recovery codes can help you regain access to your account if you lose access.

Configuring multi-factor authentication using RADIUS

RADIUS MFA allows you to authenticate against an external RADIUS server for the second authentication factor. This is useful when integrating with existing authentication infrastructure.

Before using RADIUS MFA, your administrator must configure a RADIUS provider in the application. Once configured:

  1. Enter your RADIUS username when prompted during setup.
  2. Enter your RADIUS password to verify the setup. This password will be verified against the configured RADIUS server. During subsequent logins, you'll enter this same RADIUS password as your second factor.
  3. Above the "Enable" button, copy your recovery codes and save them to your device. Save them to a secure location because your recovery codes can help you regain access to your account if you lose access.

:::note

The RADIUS authentication communicates with the external RADIUS server configured by your administrator. Make sure you have the correct username and password for your RADIUS account.

:::

Changing your preferred MFA method

Multiple MFA methods can be added; only the preferred one is used at sign-in.

If you want to set a preferred MFA method, click the "Set preferred" button.

preferred_mfa_method

A "Preferred" label will be displayed on your preferred method.

Disabling multi-factor authentication

If you want to disable multi-factor authentication, click the "Disable" button. All your multi-factor authentication settings will be deleted.

disable_mfa

How is this guide?

Last updated on

User permissions

Assign permissions to users and roles; use the Permissions API.

User impersonation

Sign in as another user for support and testing without knowing their password.

On this page

About multi-factor authentication
Configuring MFA
Configuring multi-factor authentication using a TOTP mobile app
Configuring multi-factor authentication using text messages
Configuring multi-factor authentication using email
Configuring multi-factor authentication using RADIUS
Changing your preferred MFA method
Disabling multi-factor authentication