To enable users with more than one authentication method to define a default multi-factor authentication (MFA) method, you must enable the User-selected default option. See Configuring MFA settings.

Note:

A user might not be able to use their default device for various reasons, such as:

  • If a user tries to authenticate from a mobile device and device authorization is allowed, then the device authorization occurs.
  • If a user has a FIDO device with an active session, this device is used to authenticate the user even if the user changes their default device.
  • If policy rules disallow the default device.

You can add different devices, such as a security key or phone biometrics for authentication. You can also add multiple authentication methods that use the same physical device. For example, you could set up MFA using SMS, voice, FIDO2 biometrics, and an authenticator app on a single mobile device. The devices available are defined by your organization.

Note:

You should add at least two MFA methods. The methods listed are defined by your administrator, and might vary between environments.

  1. Go to your profile, click the My Profile tab, and then click the Authentication tab.
  2. Click Add Method.

    The Select Method window opens, listing the methods available for you to add.


    Select method window showing a list of available authentication methods.
  3. Select the authentication method you want to add and follow the instructions to pair that authentication method:
    • Authenticator app: Use a third-party authenticator application, such as Google Authenticator. Open the authenticator application and scan the QR code or enter the passcode. Click Next. Enter the passcode from the authenticator application to complete the device pairing.
    • Text message: Use a text message (SMS) with a one-time passcode (OTP) to authenticate. Enter the phone number and click Next. Enter the passcode you received to complete the device pairing.
    • Voice: Receive a voice call with a one-time passcode to authenticate. Enter the phone number and click Next. Enter the passcode you received to complete the device pairing.
    • Email: Use an email message with a one-time passcode to authenticate. Enter an email address and click Next. Enter the passcode you received to complete the device pairing.
    • Mobile: Use an application on your mobile device to authenticate. Select the mobile app for pairing your mobile device. Scan or enter the pairing key in the mobile app.
    • FIDO2 biometrics: Use FIDO2 biometrics on compatible devices to authenticate. On your device, sign on or enter your password to complete pairing.
    • Security key: Use a FIDO2 or U2F security key to authenticate. You will be prompted to authenticate with the security key.

    The authentication method is listed on the Authentication tab in the Your Authentication Methods section. Repeat this step to add another authentication method, if required.


    Authentication tab showing a list of the authentication methods paired with a user's account.
  4. After adding an authentication method, you can optionally do the following:
    OptionDescription
    Set a default authentication methodIf you added more than one MFA method, to define your default method, click the hamburger menu next to the relevant MFA method and then click Set As Default.
    Note:

    The devices available for authentication depend on your company policy, therefore your default device might not always be available for authentication.

    Rename an authentication methodClick the hamburger menu next to the authentication method you want to set as default, and then click Edit Name. Enter a meaningful name for the authentication method, and click the checkmark. Names of up to 100 characters are supported.
    Remove an authentication methodClick the hamburger menu next to the authentication method you want to remove, and then click Remove.
    Important:

    Ensure that you leave at least one authentication method. If you remove all authentication methods, you might lock yourself out of the application.