If multi-factor authentication is enabled (that is, if the security option MFA is enabled) and the MFAREQUIRED usercode attribute is set, a second authentication factor is required at logon after the usercode, accesscode, and chargecode are validated. The second authentication factor uses a push or pull method, depending on the configuration of MFA. A push factor lets a user approve or deny an access request on their mobile device. A pull factor provides a user with a one-time passcode that must be entered to complete logging on. The passcode is provided by an out-of-band transmission, either using the email address associated with the usercode or through a third-party application, depending on the configuration of MFA. The numeric one-time passcode must be entered at the CANDE prompt.
Note: If you completed multi-factor authentication during a Transaction Server logon, you do not need to reauthenticate your usercode when using CANDE through a Transaction Server window.
If the third-party security platform Duo Security is configured as the MFA provider for your system and the MFAPROTOCOL is a push method (for example, DUOPUSH or DUOPHONE), a usercode that is not enrolled in Duo Security but attempts to authenticate receives the following error message and the authentication fails:
MULTIFACTOR AUTHENTICATION FAILED AS THE USERNAME IS NOT ENROLLED WITH THE MFA PROVIDER. USE THIS ENROLLMENT URL: <URL>
The user should use the provided URL to enroll their usercode with the MFA provider and then retry authentication.
If the MFAPROTOCOL is DUOPULL and the usercode attempting to authenticate is not enrolled in Duo Security, the authentication also fails; however, the user is not prompted with a URL to enroll in Duo Security.
As a best practice, Unisys recommends that usercodes be enrolled in Duo Security before attempting to authenticate. Usercodes that attempt to authenticate but are not enrolled in Duo Security are logged.