Multi-factor

This feature is only available for Devolutions Server versions 2022.1 or later.

Configure multi-factor authentication (MFA) in Devolutions Server to add an extra layer of security to the application.

Devolutions Server supports multiple types of MFA. You can configure a default MFA type for your entire organization or configure MFA user by user. When MFA is configured, users log in with their username/password as well as an MFA product.

Configure Multi-Factor Authentication From the Web Interface

  1. To access the MFA configuration, navigate to Administration – Server Settings – Multi-factor.
  2. The first option is to choose how you want to enforce multi-factor authentication. To do so, click on the information icon next to MFA usage to go to the Conditional Access Policies section.
    MFA usage
    MFA usage
  3. Select a Target (Login or MFA).
    Target
    Target
  4. If you chose the MFA in the last step, select a Default action when no policy matches between the following:
    • MFA Required: MFA is enforced for all users. A default MFA type is set for all users.
    • MFA Skipped: MFA is not enforced.
    • MFA Optional per User: MFA is enforced on an individual basis. The administrator chooses who uses MFA and what product or technology they use. Choose this option if not all users are set up for multi-factor authentication.

When MFA usage is set to MFA Optional per User, the MFA method must be configured in Administration – Users for each user. Edit or add a user, then go to the Multi-factor section to configure it. You can also set an MFA type on the user if they are using a product different than the default method. See Multi-factor (Edit User).

Default action when no policy matches
Default action when no policy matches

  1. Back to the Multi-factor section, choose who to send the reset email to between Administrator(s) or a Specific email (in which case you must specify the email in the Specific email field).
    Send reset email to & Specific email
    Send reset email to & Specific email
  2. Check the boxes next to the supported authenticators that you want to enable. You can choose as many as necessary.

The currently supported multi-factor authenticators are Authenticator (TOTP), Yubikey, Email, SMS, Duo, and Radius. You must configure them separately using the instructions next to them. Emails need to be configured beforehand in Devolutions Server for the Email and SMS (without Twilio) MFAs.

Supported MFA
Supported MFA

  1. Select the Default MFA between the ones you enabled in the previous step.
  2. Select alternate ways to log in between Email and Backup codes. These options will be offered when users do not have access to their usual method.
    Default and Alternate MFA
    Default and Alternate MFA
  3. Click Save.