You can require multi-factor authentication by registered user class. You can also exempt users individually.

  • Require multi-factor authentication controls. SETTINGS > Security Policies > User Auth > Multi-Factor Authentication
  • Exempt individual users from policy. USERS > username > User Profile - User Settings - User Authentication - Multi-Factor Authentication
Note: It is best practice to notify users of any security policies that alter the sequence of steps or information needed at sign on before you apply these controls.

Tip: Require multi-factor authentication according to risk and the level of access for a specific user class. For example, information system best practices and regulatory compliance typically require the use of these controls for administrator accounts --based on the business value and range of resources they manage.

Require/Enforce MFA on a User Class

This setting enables you to require a specific class of user (Administrators, for example) validate their identity with another means such as mobile authenticator or email. It is an organization-wide setting for each user class you select.

Important: If you enforce Email-only MFA on a user class and a user from that class has no email address associated with his account, enforcing Email-only MFA limits his availability to sign-on until the account has a valid email address.
Table 1. User Class Access Level Summary

Registered User Class

Level of Access/Function

Administrators

SysAdmins and Administrators

  • User account creation.
  • Organization/business group creation.
  • Security policy settings.
  • Other admin tasks...

File Administrators
  • Daily administration.
  • Folder creation.
  • File upload/download.

Users

Regular users or users designated as GroupAdmins for a particular group.

  • Users can elect alternate verification methods in user settings.
  • Admins can allow users to remember verified devices as part of sign in.
Note: Users tend to be the largest pool of users, so using this control to apply MFA to the entire user class means that number of users will need to verify their identity at next sign-on unless exempted.

Note: Unless you need to take contingency measures for a security incident, consider making MFA for regular users optional at first for a period of time before you require it as policy.

Temp Users
  • Temporary users receiving Ad Hoc package notifications.
  • Ad Hoc transfer or Secure Folder Sharing must be configured for the current organization for this user class to be available.