Multi Factor Authentication

Mydex supports Multi Factor Authentication (MFA) on its Identity as a Service (IDaaS) platform, to help members strengthen the security of their account and, with it, the personal data held in their Personal Data Store (PDS).

Supported MFA types

Mydex currently supports the following types of MFA technology:

In all cases a valid one-time code can be used only once. Every code submission, valid or invalid, is logged both in the member's PDS and in Mydex's own intrusion detection systems.

For the email and SMS methods, the message always includes the member's MydexID so that the member can check that the request is genuine. Never follow a link in a message that claims to come from Mydex but does not mention your MydexID. Bear in mind that this check defeats bulk, untargeted phishing only: anyone who already knows a member's MydexID can include it in a forged message.
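
The two properties stated above, that a valid code is accepted at most once and that every submission, valid or not, is recorded together with the submitting IP address, look like this when written down as a verifier. This is an added example, not Mydex's own code; the class, the event names and the 6-digit code format are assumptions made for the illustration.

```python
"""Single-use one-time code verification with an audit trail.

Added example, not Mydex's code. The class, event names and 6-digit code
format are assumptions made for this illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IssuedCode:
    member_id: str      # the MydexID the code was issued to
    code: str
    expires_at: float   # epoch seconds
    used: bool = False  # set once the code has been accepted


@dataclass
class AuditEvent:
    member_id: str
    event: str          # "mfa_code_accepted" or "mfa_code_rejected" (assumed names)
    ip: str             # IP address that submitted the code
    at: float


class OneTimeCodeVerifier:
    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 5) -> None:
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._codes: Dict[str, IssuedCode] = {}   # one outstanding code per member
        self._failures: Dict[str, int] = {}
        self.audit_log: List[AuditEvent] = []

    def issue(self, member_id: str, now: Optional[float] = None) -> str:
        """Issue a fresh code for the member, replacing any outstanding one."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[member_id] = IssuedCode(member_id, code, now + self.ttl)
        self._failures[member_id] = 0
        return code

    def verify(self, member_id: str, submitted: str, ip: str,
               now: Optional[float] = None) -> bool:
        """Accept the code only if it is outstanding, unexpired, unused and the
        member is not locked out; log the outcome either way."""
        now = time.time() if now is None else now
        issued = self._codes.get(member_id)
        failures = self._failures.get(member_id, 0)
        ok = (
            issued is not None
            and not issued.used
            and now <= issued.expires_at
            and failures < self.max_attempts
            # constant-time compare so response timing does not leak digits
            and hmac.compare_digest(issued.code.encode(), submitted.encode())
        )
        if ok:
            issued.used = True    # burn it: replaying the same code now fails
            self._failures[member_id] = 0
            self._log(member_id, "mfa_code_accepted", ip, now)
        else:
            self._failures[member_id] = failures + 1
            self._log(member_id, "mfa_code_rejected", ip, now)
        return ok

    def _log(self, member_id: str, event: str, ip: str, at: float) -> None:
        self.audit_log.append(AuditEvent(member_id, event, ip, at))
```

The `used` flag is what makes a code single-use: the second submission of a code that has already been accepted is rejected and logged like any other failure. The attempt counter and expiry are not described on this page; they are the usual companions of a one-time code and are included here as assumptions.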

How to set up MFA

Multi Factor Authentication can be enabled as part of the registration process if the application uses Mydex's OpenID Connect (OIDC) flow for registration.

[Screenshot: MFA setup screen during registration]

Alternatively, MFA can be set up after registration in the Member Experience Layer (MEL) application, under the Settings section of the navigation.

How to manage MFA

The member can manage their MFA settings in the Member Experience Layer (MEL) application, under the Settings section of the navigation. In this area the member can perform the following actions:

The preferred device cannot be disabled or deleted while it is preferred, so that a member is never left without a working factor. To retire it, add a separate MFA device, set that device as preferred, and only then disable or delete the original one.

In addition to backup codes, a member who has more than one enabled MFA device can ask at login to use one of the non-preferred devices if the preferred device is unavailable at the time.

The MFA secrets associated with each device are stored within the member's own PDS.
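
The device rules above amount to one invariant: there is always exactly one preferred device, it is always enabled, and it cannot be disabled or deleted until another device has taken over as preferred. The following added example (not the MEL's own code) enforces that invariant and exposes the list of non-preferred devices a member could fall back to at login. The class and method names, and the choice that the first device added becomes preferred by default, are assumptions made for the example.

```python
"""MFA device management: the preferred device can never be disabled or
deleted while it is preferred.

Added example, not Mydex's MEL code. Class and method names, and the
"first device becomes preferred" default, are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MfaDevice:
    device_id: str
    kind: str            # e.g. "sms" or "email", both mentioned on this page
    secret: str          # opaque per-device secret; the page says these live in the member's PDS
    enabled: bool = True


class MfaDeviceManager:
    def __init__(self) -> None:
        self._devices: Dict[str, MfaDevice] = {}
        self.preferred: Optional[str] = None

    def add(self, device: MfaDevice, make_preferred: bool = False) -> None:
        if device.device_id in self._devices:
            raise ValueError(f"device {device.device_id} already registered")
        self._devices[device.device_id] = device
        # Assumption: the first device (or an explicit request) becomes preferred.
        if make_preferred or self.preferred is None:
            self.set_preferred(device.device_id)

    def set_preferred(self, device_id: str) -> None:
        device = self._devices[device_id]          # KeyError if unknown
        if not device.enabled:
            raise ValueError("the preferred device must be enabled")
        self.preferred = device_id

    def _refuse_if_preferred(self, device_id: str, action: str) -> None:
        if device_id == self.preferred:
            raise ValueError(
                f"cannot {action} the preferred device; add another device "
                "and set it as preferred first")

    def disable(self, device_id: str) -> None:
        self._refuse_if_preferred(device_id, "disable")
        self._devices[device_id].enabled = False

    def enable(self, device_id: str) -> None:
        self._devices[device_id].enabled = True

    def delete(self, device_id: str) -> None:
        self._refuse_if_preferred(device_id, "delete")
        del self._devices[device_id]

    def is_enabled(self, device_id: str) -> bool:
        return self._devices[device_id].enabled

    def login_fallbacks(self) -> List[str]:
        """Enabled, non-preferred devices a member may ask to use at login
        when the preferred one is unavailable."""
        return [d.device_id for d in self._devices.values()
                if d.enabled and d.device_id != self.preferred]
```

Because `set_preferred` refuses a disabled device and `disable`/`delete` refuse the preferred one, no sequence of calls can leave the member with zero enabled devices while MFA remains configured.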

[Screenshot: MFA management screen in the MEL]

Auditing the use of MFA

Members can inspect their Identity Services Log in their PDS, which (in addition to login and logout events) will show the following types of event:

Each of these events also records the IP address from which the request was made.

How Subscribers can mandate the requirement for MFA

If a Subscriber is developing an application that:

Mydex can accommodate this by adding the mfa:mandated scope to the Relying Party's (RP's) OIDC client. Both parts are needed: the scope must be registered on the client, and the RP must include it in the request that starts each OIDC journey for which it wants MFA enforced.

When this scope is present in a request from a valid OIDC client, Mydex's Login and Consent Application (LaCa) requires the member to set up MFA (or to have set it up already) as part of both the Registration and the Login flows. A member who has not yet set up MFA is not offered the 'Skip MFA for now' option on the MFA setup screen after registration or login, and cannot complete authentication until MFA is configured.
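
An RP starts such a journey by building an OIDC authorization request whose scope parameter carries mfa:mandated alongside openid. The following added example (not Mydex's code nor any SDK's) builds that request with the state, nonce and PKCE values an RP should always use, and validates state on the callback before the code is exchanged. The authorization endpoint, client identifier and redirect URI are placeholders; the scope name mfa:mandated is the one given on this page.

```python
"""Building an OIDC authorization request that carries the mfa:mandated scope.

Added example, not Mydex's or any SDK's code. The endpoint, client id and
redirect URI below are placeholders; mfa:mandated is the scope named on the page.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder: Mydex's real authorization endpoint is not given on this page.
AUTHORIZE_ENDPOINT = "https://idaas.example/oauth2/authorize"
MFA_MANDATED_SCOPE = "mfa:mandated"


def _pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(client_id: str, redirect_uri: str,
                                scopes: List[str], mandate_mfa: bool
                                ) -> Tuple[str, Dict[str, str]]:
    """Return the URL to redirect the member to, plus the per-journey values
    (state, nonce, PKCE verifier) the RP must keep in its own session."""
    scope_list = list(dict.fromkeys(["openid", *scopes]))   # openid first, no duplicates
    if mandate_mfa and MFA_MANDATED_SCOPE not in scope_list:
        scope_list.append(MFA_MANDATED_SCOPE)
    pending = {
        "state": secrets.token_urlsafe(24),          # binds the callback to this journey
        "nonce": secrets.token_urlsafe(24),          # echoed back inside the ID token
        "code_verifier": secrets.token_urlsafe(48),  # PKCE verifier, 64 chars
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scope_list),
        "state": pending["state"],
        "nonce": pending["nonce"],
        "code_challenge": _pkce_challenge(pending["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", pending


def request_params(url: str) -> Dict[str, str]:
    """Decode the query string of a request or callback URL (first value of each key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def request_mandates_mfa(url: str) -> bool:
    """True if the authorization request asks LaCa to enforce MFA setup."""
    return MFA_MANDATED_SCOPE in request_params(url).get("scope", "").split()


def authorization_code_from_callback(callback_url: str, pending: Dict[str, str]) -> str:
    """Validate the callback before exchanging the code: state must match the
    value stored for this journey, and an error response is never a success."""
    q = request_params(callback_url)
    if not hmac.compare_digest(q.get("state", "").encode(), pending["state"].encode()):
        raise ValueError("state mismatch: callback is not bound to this journey")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error']}")
    return q["code"]
```

Sending the scope on the request is only half of what the page requires; the scope must also have been added to the RP's OIDC client on the Mydex side, otherwise the request is for a scope the client is not entitled to.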

(Coming soon) Selective MFA (e.g. for specific journeys)

Mydex is exploring new ways of using MFA that strike a better balance between security and convenience for the member. These include: