MFA Management
Copyright © 2024
Moving forward, we are natively rebuilding BastionZero’s technology as Cloudflare’s Access for Infrastructure service.
BastionZero uses two roots of trust to authenticate users in your organization. The first is your SSO provider. The second is an independent BastionZero MFA.
All new BastionZero organizations are created with BastionZero MFA enabled by default. BastionZero MFA is organization-wide and cannot be disabled for the entire organization. However, administrators within that organization are able to enable/disable an individual user's MFA. Please note that in order to do this, the user must first log in. Only after the account has been established can an administrator disable, re-enable, or reset the individual MFA.
To verify that organization-wide MFA is enabled, access the Security Settings page by choosing the gear icon in the top right corner of the web app. Navigate to "System Controls" underneath "Security."
Thus, all BastionZero clients must submit the BastionZero factor before the authenticated SSO user is granted access to the BastionZero service.
This creates a true MFA authentication system where your user's credentials are one factor, BastionZero's is a second, and, assuming you have your SSO factor enabled (which we do as a security best practice), that SSO factor is a third.
For organizations with global MFA enabled, administrators can specify how frequently users need to provide MFA to BastionZero. The duration can be as short as 1 hour and as long as 1 week (168 hours). Changes take effect immediately and are enforced at the user's next MFA refresh. Admins can modify the MFA duration in the security settings in the web app or via the API.