Getting Started: Multi-Factor Authentication

Evo Multi-Factor Authentication (MFA) is a core part of our identity suite. It provides a unified layer of multi-factor authentication on top of endpoint logins for Windows and Macs, logins to SAML-integrated web apps, and RADIUS-enabled logins such as those to VPNs and Wi-Fi networks.

This basic guide will help you get started with MFA, primarily for Windows logins and the Evo Portal itself, and with integrating SAML web applications for SSO.

Directories

Connect Your Customer Directories

To set up MFA for users, the third-party directory where those users exist needs to be synced to Evo. You can set up Directories in bulk for all of your customers, or you can do it one by one as you test and deploy Evo MFA to your customers.

Refer to our Directory Integration articles to complete that process.

Note: Leave the “Automatically Send Welcome Email” option on the Directory turned off for the moment to avoid sending welcome emails prematurely. We will use an Email Campaign when we are ready to bulk invite our users, then turn the “Automatically Send…” option on after the initial onboarding so that new users going forward are handled automatically.

Licenses & Agents

Deploy Agents

The Evo Endpoint Agent needs to be deployed to each endpoint that needs MFA enforced at the Windows login screen.

Refer to our Windows Agent Deployment article to complete that process.

Configure Licensing

Each user who will use Evo MFA needs to have an Evo MFA license assigned to them.

Licenses can be assigned to Tenants in pools, allowing licenses to be automatically granted to new users attempting to use Evo MFA, simplifying this process. You can configure those pool settings, purchase additional licenses, and manually manage license assignments in the Partner Portal.

Refer to our Billing & Licensing article for additional details. Complete the setup of licensing pools and expansion settings according to your preferences and then continue to the next step. Licenses will be assigned to individual users in the next step.

User Enrollment

Enable Users & Assign Licenses

Enable & License MFA for a Single User

  1. Pick the relevant Tenant from the dropdown at the top of the left navigation menu and navigate to Identities > Users. Select the user you’d like to enable MFA for by clicking on their name.
  1. Toggle the MFA & SSO License toggle on to assign a license to the user.
  1. Toggle the MFA Status toggle on to enable the Evo MFA feature for the user.
    1. Note: Users who will also log in to the Evo Partner Portal to administer Evo should also be converted to “Admins” by selecting the option on the upper right. The “Admin” term in this context only means that they will be granted access to the Evo Partner Portal (and even then, their abilities are limited by the Roles & Permissions assigned). This setting only toggles their ability to get into the Partner Portal at all. Once they are converted and set up, you can send a welcome email to that user.
  1. If the user’s email address is a legitimate address, you can just click the option to send the welcome email. If you need to send it to another address, there is an option to do so within the window.
  1. The user should now receive a welcome email that will look something like this.
    1. Note: Depending on the Password Sync option selected during the tenant creation process, the first item may vary slightly.
  1. Have the user proceed from the welcome email, set up their password, and select the save option.
    1. Note: Do not log in just yet. Doing so will send a one-time code to your email address as an MFA challenge instead of facilitating the setup of the Evo Mobile app.
  1. Download the Evo Security Mobile App for the appropriate device.
    1. Note: There are options for delivering MFA codes via the Microsoft Authenticator app, SMS, and email. We recommend the Evo mobile app, however, as it supports push notifications as well as other Evo features like Help Desk Verification.
  1. Click the link in the welcome email that references the QR code for the mobile app and use the Evo Mobile app to scan the QR code. If this is the user’s first QR code, they will also be prompted to set up answers to security questions.

For a single user, the MFA enrollment process is now complete. If this user logs into the Evo Partner Portal, an endpoint with the Evo Agent properly set up for Evo MFA, or a web app integrated with Evo via SAML, we will handle MFA for their account in a seamless and unified fashion.

Enable & License MFA for Multiple Users

The basic process of enabling and licensing MFA for multiple users (say, a customer’s entire user base) is very similar to the process outlined above for a single user.

The “enrollment” process, where the end user has to set up their password and install and configure the Evo Mobile app, is usually considerably different, though, since we need to get a whole set of people to take steps on their own.

  1. Pick the relevant Tenant from the dropdown at the top of the left navigation menu and navigate to Identities > Users.
  1. Select all of the users for whom you want to deploy MFA using the checkboxes at the left. Then, use the bulk options that appear at the bottom to Assign Licenses > MFA & SSO and MFA > Turn On.
  1. Proceed to the Setup Email Campaign section below to configure a campaign to notify and remind your users to register their accounts and set up their Evo Mobile apps.

Setup Email Campaign

The key to a successful MFA deployment to a larger set of users is getting each of them to set up MFA for their account, ideally including setting up the Evo Mobile app.

We provide the Email Campaign feature to allow you to set up a schedule of Welcome, Reminder, and Final Reminder emails to help structure and automate the process of getting users onboard.

You may want to support that process with things like interactive sessions to help people complete the process, though it is designed to be simple for the user to do on their own.

  1. Navigate to Email Campaigns in the Partner Portal. Click New to create a new Campaign.
  1. Select the relevant Directory, name the Campaign, and set the time zone. Add to the excluded users anyone who shouldn’t be included in the Campaign, such as users who are already enrolled, users who won’t have MFA set up for some reason, or VIP users who will have more direct support.
  1. Pick the dates and times for each stage of the Campaign and customize the emails with your preferred verbiage, MSP details, contact information, etc., or however you prefer to position the process to your users.
  1. Click Schedule Emails to save the Campaign and launch your schedule.
 