Xpress Password supports multi-factor authentication for all users, at no extra cost. This is typically done by combining multiple credentials, as follows:
- If the user connects from the Extranet, start with a CAPTCHA.
- Next, prompt for the user’s login ID.
- Prompt for user verification, which may be any of the following:
  - If the user has been activated to use a third-party 2FA technology, such as a one-time password token or Google Authenticator, prompt the user to enter the code.
  - If the user had previously enrolled their mobile phone number, send a PIN to the user’s phone via SMS and prompt the user to enter it.
  - If the user had previously enrolled their personal e-mail address, send a PIN to that address, on the assumption that the user has e-mail access on their phone.
  - Users may be prompted to select one of several 2FA options, or one of several alternatives for the same option (e.g., send a PIN via SMS to one of multiple mobile numbers or e-mail addresses).
- Based on the user verification policy, prompt the user to enter it or answer a series of security questions.
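
The sequence above, sketched as an added example (not Xpress Password's own code): it orders the prompts for one login and handles a PIN sent by SMS or e-mail. The `User` record, the step names, the 6-digit PIN, its lifetime and the attempt limit are all assumptions; the page specifies none of them.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

PIN_TTL_SECONDS = 300  # assumption: the page states no PIN lifetime
MAX_PIN_ATTEMPTS = 3   # assumption: the page states no attempt limit

@dataclass
class User:  # hypothetical enrollment record
    login_id: str
    otp_enrolled: bool = False
    mobiles: list = field(default_factory=list)
    emails: list = field(default_factory=list)

def verification_options(user):
    """Every (method, destination) choice the user could be offered."""
    opts = [("otp_code", None)] if user.otp_enrolled else []
    opts += [("sms_pin", m) for m in user.mobiles]
    opts += [("email_pin", e) for e in user.emails]
    return opts

def plan_steps(user, from_extranet):
    """Ordered prompts for one login, following the list above."""
    steps = ["captcha"] if from_extranet else []
    steps.append("login_id")
    opts = verification_options(user)
    if len(opts) > 1:
        steps.append("choose_factor")
    if opts:
        steps.append("verify_factor")
    steps.append("policy_step")  # final prompt set by verification policy
    return steps

class PinChallenge:
    """One-time PIN sent out of band: random, expiring, attempt-limited."""
    def __init__(self, now=None):
        self.pin = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, 6 digits
        self.expires = (time.time() if now is None else now) + PIN_TTL_SECONDS
        self.attempts_left = MAX_PIN_ATTEMPTS
        self.used = False

    def verify(self, candidate, now=None):
        now = time.time() if now is None else now
        if self.used or now > self.expires or self.attempts_left <= 0:
            return False
        self.attempts_left -= 1
        # constant-time comparison avoids leaking matching prefix length
        self.used = hmac.compare_digest(self.pin.encode(), candidate.encode())
        return self.used
```

A challenge that has expired, run out of attempts or already succeeded rejects every further guess, so a short numeric PIN cannot be brute-forced or replayed within one challenge.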