Multi-Factor Authentication

Product Overview

Multi-factor authentication (MFA) strengthens access security by requiring multiple methods (also known as factors) to verify the identity of a user during log on. Generally, a factor includes information the user already has (such as a usercode and password), in addition to information obtained through another method (for example, through out-of-band authentication such as registration). A One-Time Passcode (OTP) obtained through an out-of-band transmission is an example of a factor.

Beginning with MCP 20.0, MCP MFA supports the use of the third-party application, Duo Security, to provide additional flexibility when using MFA. You can integrate Duo Security with your MCP authentication process to ensure an additional layer of security is used before providing a user access to MCP resources.

MFA provides both of the following methods to verify the identity of the user attempting log on:

  • A push factor that provides a user with the ability to approve or deny an access request.

    When integrated with Duo Security, an MFA user that attempts to authenticate receives a push notification on a configured mobile device that provides the ability to allow or deny the authentication request.

  • A pull factor that provides a user with a passcode that must be entered to complete log-on.

    When integrated with Duo Security, an MFA user that attempts to authenticate must enter a passcode that is generated from the Duo Security application. Alternatively, if you have not integrated your MCP authentication process with Duo Security but have the MFAPROTOCOL attribute set to EMAIL, an OTP is sent to the email address associated with the usercode that attempts to authenticate. The user must then enter the OTP before access to the system is granted.

The security administrator can both specify if two-factor authentication is required for logging on to the system and designate which usercodes require an additional authentication factor. Both MARC and CANDE support multi-factor authentication.

General Features

If a usercode is configured to require a second authentication factor, how the user authenticates depends on how MFA is configured for your system. If you integrate your MCP authentication process with Duo Security, a user receives either a push factor (on a configured mobile device) to allow or deny the authentication request, or a pull factor that requires the user to enter an OTP that is generated from the Duo Security application. The type of factor the user receives when your MCP authentication process is integrated with Duo Security depends on the setting of the MFAPROTOCOL attribute.

Alternatively, if you do not integrate with a third-party security application to authenticate users but still want to use MFA, you can set the MFAPROTOCOL attribute to EMAIL. When a user attempts to authenticate, an OTP provided out-of-band must be supplied during log on. Once the usercode, accesscode, and chargecode are validated, a numeric OTP is sent to the email address associated with the usercode attempting to log on. The OTP must be entered in MARC or CANDE, verified, and authenticated before the user is logged on.

Note: Users required to use two-factor authentication for log on to MARC are not required to enter an additional authentication factor when the station is transferred to CANDE.

Limitations

Multi-factor authentication has the following limitations:

  • Only MARC and CANDE support two-factor authentication.

  • EMAILSUPPORT must be configured in the MCP Environment for transmission of the OTP.

  • Duo Security is the only supported third-party application for MFA. You must integrate your MCP authentication process with Duo Security if you want to use the MFA features that it provides.

Ordering Information

Multi-factor authentication is included as part of the operating environment. Source code or an SDK is not available for this product.

Product Information

Refer to the following documents for more information:

  • CANDE Operations Reference Manual (8600 1500)

  • GETSTATUS/SETSTATUS Programming Reference Manual (8600 0346)

  • MCP Security Overview and Implementation Guide (8205 7498)

  • Menu-Assisted Resource Control (MARC) Operations Guide (8600 0403)

  • System Administration Guide (8600 0437)

  • System Commands Reference (8600 0395)

  • System Software Utilities Operations Reference Manual (8600 0460)