...
When enabling MFA, the user has to verify that the email client (if the MFA type is Email or All) or the call setup (if the MFA type is Call or All) is working by sending a test email or by making a test call.
Ref: PBX Email setup validator
Ref: PBX Call setup validator
Info |
---|
The From address of all emails will be <AMPUSERMANEMAILFROM>. The subject of all emails will include the PBX brand and the configured server details (FREEPBX_SYSTEM_IDENT). |
...
Type of MFA :
If the MFA type is set to "Email" - an OTP will be sent to the user via email.
If the MFA type is set to "Call" - a call will be made to the extension associated with the user, and the user has to answer the call and press the "#" key to authenticate.
When enabling MFA via Call, the admin has to validate that the PBX extension setup is working by making a test call. Ref: PBX Call setup validator
If the MFA type is set to "Authenticator Apps" - an OTP is generated by the linked authenticator app. Users have to use this OTP every time they log in. We recommend using authenticator apps such as Microsoft Authenticator or Google Authenticator.
If the MFA type is set to "All" - all the MFA authentication methods will be displayed to the user during login, and the user can pick one of the methods to verify their identity.
...
Type of Users : Enable / Disable MFA for all users / only for all admins (including UCP users who have administrator GUI access) / only for all UCP users.
Email Settings : This setting is visible only when the MFA type is set to Email, App, or All. Email settings are used to re-design the emails related to MFA. Here are the steps to follow to use email templates:
Enable custom email settings. The default email templates will be used if this setting is disabled (the default email templates are the OTP Email Template and the Steps to configure Authenticator app Template).
After enabling Custom Email Template, the admin can re-design the email templates for the OTP verification email and for the steps to configure authenticator app email.
Admin can include predefined variables inside the Subject and Body. The predefined variables will be replaced with specific values when the template is used. For example, you might use a variable like "{{displayname}}" to represent the recipient's full name.
...
If the administrator users are not linked with an extension, the admin can manually enable each user by entering the admin's extension as shown in the screenshots below.
If the userman users are not linked with an extension, the admin has to link an extension to that user from the userman module before enabling MFA.
The admin can enable / disable multiple users at once.
Admin MFA and UCP MFA can also be enabled for users in the userman module.
Info |
---|
Note: To enable administrator MFA, the FreePBX Administration GUI must be enabled for that user and should have the MFA admin license pack. |
...
If users can't get codes or an OTP by email, call, or any authenticator app due to connectivity or delivery issues, they can use a set of 6-digit backup codes to sign in to the PBX.
The administrator can create / refresh a set of 10 backup codes for each user from the MFA settings page, or Userman users can generate / regenerate / delete / download backup codes from UCP Settings. When a new set of codes is created, the old set is automatically removed.
Once the user uses a backup code to sign in, that code becomes inactive.
Info |
---|
Note To use backup codes, MFA must be enabled. |
...
The admin can reset MFA settings for users using the refresh icon next to the backup codes, or Userman users can reset MFA from UCP Settings.
After resetting MFA, the affected user will no longer be able to use the backup codes that were saved and are currently used for authentication. New backup codes have to be generated and saved for this user.
If this user has previously configured the authenticator app, then they will receive the authenticator app configuration mail again the next time they sign in.
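
The backup-code rules described above (a set of 10 six-digit codes, each usable once, a new set replacing the old one, and an MFA reset invalidating saved codes) can be sketched as follows. This is an added example, not FreePBX's own code; the `BackupCodeStore` class, its method names, and the choice to keep only keyed HMAC tags of the codes are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODES_PER_SET = 10  # from the page: a set of 10 backup codes per user
CODE_DIGITS = 6     # from the page: 6-digit codes


class BackupCodeStore:
    """Hypothetical per-user backup code store (not FreePBX's implementation)."""

    def __init__(self, server_key: bytes):
        # Assumption: only HMAC tags under a server-side key are stored, since
        # a plain hash of a 6-digit code can be brute-forced in 10**6 guesses.
        self._key = server_key
        self._tags = {}  # user -> set of HMAC tags for still-active codes

    def _tag(self, user: str, code: str) -> bytes:
        msg = f"{user}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def regenerate(self, user: str) -> list[str]:
        """Create a fresh set; the previous set is dropped automatically."""
        codes = set()
        while len(codes) < CODES_PER_SET:  # loop until 10 distinct codes exist
            codes.add(f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}")
        self._tags[user] = {self._tag(user, c) for c in codes}
        return sorted(codes)  # shown to the user once; only tags are retained

    def consume(self, user: str, code: str) -> bool:
        """Accept a code at most once; a used code becomes inactive."""
        candidate = self._tag(user, code)
        for stored in self._tags.get(user, set()):
            if hmac.compare_digest(stored, candidate):
                self._tags[user].discard(stored)
                return True
        return False

    def reset(self, user: str) -> None:
        """MFA reset: saved codes stop working until a new set is generated."""
        self._tags.pop(user, None)
```

In a real deployment the sign-in path would also rate-limit failed attempts, because a 6-digit code space is small enough to guess online.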
...