Multi-Factor Authentication (MFA)

The Deep Security Manager provides the option to use Multi-Factor Authentication (MFA). If you enable MFA, when you sign in to the Deep Security Manager, you will need to provide:

Enabling Multi-Factor Authentication

To enable MFA:

  1. In the Deep Security Manager, click your user name in the upper-right corner of the window and then click User Properties.
  2. Under Multi-Factor Authentication (MFA), click Enable MFA. This will open the "Enable Multi-Factor Authentication" wizard, which guides you through the rest of the process.
  3. The first screen of the wizard reminds you to install a compatible virtual MFA application. You can install a supported MFA application from the application store for your smartphone type. Deep Security Manager supports these combinations:
    • Android: Google Authenticator, Duo
    • iPhone: Google Authenticator, Duo
    • Blackberry: Google Authenticator
    When you have a supported MFA application installed, click Next.
  4. If your device supports scanning QR codes, use your camera to configure your MFA application. Otherwise, select "My device does not support scanning QR codes. Show secret key for manual time-based configuration" to display a code that you can enter in your MFA application. Click Next.
    If you use the manual entry option with Google Authenticator, you will need to choose the Time Based option in Google Authenticator.
  5. On your device, the authentication code for Deep Security will be between Deep Security (at the top) and your user name (at the bottom). For example:
  6. In the wizard, enter the Deep Security authentication code (without spaces) from your MFA application and click Finish.
  7. If the authentication code is correct, MFA will be enabled for your account and you will be required to enter a new MFA code each time you sign in to the Deep Security Manager.

Disabling Multi-Factor Authentication

To disable MFA for your own account:

  1. In the Deep Security Manager, click your user name in the upper-right corner of the window and then click User Properties.
  2. Under Multi-Factor Authentication (MFA), click Disable MFA. Click OK on the confirmation screen to disable MFA.
  3. Your user properties screen displays with a note to indicate the changes to MFA. Click OK.

To disable MFA for another administrator who has lost their phone:

  1. In the Deep Security Manager, click Administration > User Management > Users.
  2. Select the administrator's name and click Properties.
  3. On the General tab, click Disable MFA. Click OK on the confirmation screen to disable MFA.

You can also use the dsm_c -unlockout command to disable MFA for yourself or another user. For details, see Command-Line Utilities.

Signing in to Deep Security Manager with MFA

To sign in with MFA:

  1. On the Deep Security Manager Sign In Screen, enter your Username and Password, then select Use Multi-Factor Authentication.
  2. On your MFA device, get a valid authentication code.
  3. In Deep Security Manager, enter the authentication code (without spaces) and click Sign In.
  4. The Deep Security Manager is configured to allow only a limited number of incorrect sign-in attempts before locking out the user. Entering an invalid MFA code counts as an incorrect sign-in attempt.
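
How a time-based code is derived from the secret key shown in the wizard, and how a server can check it while counting bad codes toward a lockout. This is an added example, not Deep Security Manager code: it assumes the RFC 6238 defaults used by Google Authenticator's Time Based option (HMAC-SHA-1, 30-second step, 6 digits), and the MfaVerifier class, the one-step drift window and the threshold of 5 failures are hypothetical.

```python
import base64, hashlib, hmac, struct, time

STEP, DIGITS = 30, 6   # RFC 6238 defaults (assumed; not stated on the page)
MAX_FAILURES = 5       # hypothetical lockout threshold

def totp(secret_b32, at, step=STEP, digits=DIGITS):
    """Code an authenticator shows for a Base32 secret key at Unix time `at`."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", int(at) // step)      # number of elapsed steps
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class MfaVerifier:
    """Server-side check: small clock-drift window, replay rejection, lockout."""

    def __init__(self, secret_b32):
        self.secret = secret_b32
        self.failures = 0
        self.last_step = -1   # highest time step already accepted

    def verify(self, code, now=None):
        if self.failures >= MAX_FAILURES:
            return "locked"
        now = time.time() if now is None else now
        code = code.replace(" ", "").encode()         # codes are entered without spaces
        current = int(now) // STEP
        for step in (current - 1, current, current + 1):
            expected = totp(self.secret, step * STEP).encode()
            # A code is accepted once only, and compared in constant time.
            if step > self.last_step and hmac.compare_digest(expected, code):
                self.last_step, self.failures = step, 0
                return "ok"
        self.failures += 1    # an invalid MFA code counts as a failed sign-in
        return "locked" if self.failures >= MAX_FAILURES else "invalid"

# Constructed sample: the RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    verifier = MfaVerifier(SAMPLE_SECRET)
    print(totp(SAMPLE_SECRET, 59), verifier.verify("287 082", now=59))
```

Because the code depends only on the secret key and the clock, a phone whose time has drifted by more than the accepted window produces codes that fail and count toward the lockout.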