Multi-factor Authentication
This page explains how to enable and configure multi-factor authentication (MFA) for xAssets. MFA adds a second verification step after the username and password, significantly reducing the risk of unauthorised access from compromised credentials.
Note: This section applies to database authentication only. If you use Single Sign-On (SSO), MFA should be configured in your identity provider (Azure AD, Okta, etc.) rather than in xAssets. See the Single Sign-On chapter for details.
MFA Methods
xAssets supports two MFA methods. You can enable one or both:
| Method | Setting Name | How It Works |
|---|---|---|
| Email | AUTHENTICATIONMFAEMAIL | A one-time code is sent to the user's email address on file (from their Custodian record). The user enters the code to complete login. |
| Authenticator App | AUTHENTICATIONMFA | The user scans a QR code with an authenticator app (Google Authenticator, Microsoft Authenticator, Authy, etc.) during initial setup. On subsequent logins, they enter the time-based code from the app. |
Tip: Email MFA is simpler to deploy since it requires no app installation, but it depends on the user having a valid email address in their Custodian record and being able to access their email at login time. Authenticator app MFA is more secure and works offline.
MFA Modes
Both MFA settings accept one of two values:
| Value | Mode | Behaviour |
|---|---|---|
| 1 | Risk-based | MFA is triggered only when the system detects a change -- a new browser, different browser type, different IP address, or when the configured time interval has elapsed. This balances security with convenience. |
| 2 | Always | MFA is required on every login, regardless of whether anything has changed. Use this for high-security environments. |
Set the value to 0 (or leave the setting blank) to disable that MFA method.
Enabling MFA
- Navigate to Admin > Settings.
- Search for the setting AUTHENTICATIONMFA (for authenticator app) or AUTHENTICATIONMFAEMAIL (for email).
- Set the value to 1 (risk-based) or 2 (always).
- Save the setting.
- The next time a user logs in, they will be prompted to complete the MFA step.
For authenticator app MFA, the first login after enabling will present a QR code that the user must scan with their authenticator app to pair it with their xAssets account.
Time Interval Setting
The setting AUTHENTICATIONMFATIME controls how many hours can pass before MFA is required again in risk-based mode (value 1).
- Default: 720 hours (30 days)
- After this period, the user will be prompted for MFA even if no suspicious signals are detected.
- Set a shorter value (e.g., 24 or 168) for higher security environments.
- This setting has no effect when MFA mode is set to 2 (always).
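The mode and interval rules above can be modelled as a small decision function for one MFA method, which is useful when reviewing what a given combination of settings will actually prompt for. This is an added example, not xAssets code: the Login fields, the reason labels, the handling of a login with no previous verification, and the inclusive interval boundary are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional

DEFAULT_INTERVAL_HOURS = 720  # documented default for AUTHENTICATIONMFATIME
# Signals listed for risk-based mode; the Login field names are assumptions.
SIGNALS = (("browser_id", "new browser"),
           ("browser_type", "different browser type"),
           ("ip", "different IP address"))


@dataclass(frozen=True)
class Login:
    browser_id: str
    browser_type: str
    ip: str
    when: datetime


def parse_mode(raw: Optional[str]) -> int:
    """0 or blank disables the method, 1 is risk-based, 2 is always."""
    value = (raw or "").strip()
    mode = int(value) if value else 0
    if mode not in (0, 1, 2):
        raise ValueError(f"unsupported MFA mode: {raw!r}")
    return mode


def mfa_reasons(mode_raw, interval_raw, current, last_verified):
    """Return why MFA is required for this login; an empty list means it is not."""
    mode = parse_mode(mode_raw)
    if mode == 0:
        return []
    if mode == 2:
        return ["always"]  # AUTHENTICATIONMFATIME has no effect in this mode
    if last_verified is None:
        return ["no previous verification"]  # assumption: nothing to compare against
    hours = int(interval_raw) if (interval_raw or "").strip() else DEFAULT_INTERVAL_HOURS
    reasons = [label for attr, label in SIGNALS
               if getattr(current, attr) != getattr(last_verified, attr)]
    if current.when - last_verified.when >= timedelta(hours=hours):
        reasons.append("interval elapsed")
    return reasons


if __name__ == "__main__":  # constructed sample: same browser and IP, 8 days later
    last = Login("b-1", "Firefox", "192.0.2.10", datetime(2024, 1, 1, 9, 0))
    now = replace(last, when=last.when + timedelta(days=8))
    print(mfa_reasons("1", "168", now, last))  # 168 h = the page's 7-day scenario
```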
Common Configuration Scenarios
| Scenario | AUTHENTICATIONMFA | AUTHENTICATIONMFAEMAIL | AUTHENTICATIONMFATIME |
|---|---|---|---|
| No MFA | 0 | 0 | -- |
| Email MFA on every login | 0 | 2 | -- |
| Authenticator app, risk-based, 7-day interval | 1 | 0 | 168 |
| Both methods, always required | 2 | 2 | -- |
Warning: If you enable email MFA, ensure all users have a valid email address on their Custodian record. Users without an email address will be unable to complete the MFA step and will be locked out.
Related Articles
- Users — managing user accounts and linking Custodian records
- Securing the Web Server — choosing authentication methods
- Settings — where MFA settings are configured
- Single Sign-On — SSO-based MFA via external identity providers