Genesys Cloud - Main

  • 1.  UI change: Additional Multi-Factor Authentication (MFA) device options

    GENESYS
    Posted 09-04-2024 06:46
    Edited by David Murray 09-04-2024 06:54

    Later this year, we will be providing users with the ability to register and use additional device types for Multi-Factor Authentication (MFA) when logging in natively to Genesys Cloud. At present, users can register time-based generators / Authenticator Apps (e.g. Microsoft Authenticator or Google Authenticator) which are installed on their mobile phone and use the codes provided by these apps to satisfy the MFA requirement. Based on the feedback we have received, we know that Authenticator Apps can't be used in all environments, so we are expanding the range of device types to include biometrics (e.g. fingerprint readers) and physical security tokens (e.g. YubiKey).

    To achieve this, we are going to leverage the WebAuthn Framework (more on this below) and there will be some client UI changes, both when registering an MFA device and then subsequently when logging in using MFA.  There are no Admin UI changes associated with this enhancement, at this stage.  There is also no impact on MFA devices already registered.  These will continue to operate normally. 

    This post describes the UI changes that will result from this enhancement.

     

    Register a new MFA device - current UI workflow

    Select the My Account tile from the Logon Splash Screen to access MFA settings. Note that if the administrator has enabled the setting to Require Multi-Factor Authentication, this step will be skipped.

     

    Select "Add MFA Device" to register a new device

     

    Add a name for the new MFA device

     

    Install an Authenticator App on your mobile phone, scan the QR code using this App and enter the code provided via the App to complete the registration

    The device/app is now registered and will be available for use on next login

      

    Register a new MFA device - updated UI workflow

    On the "Add Name" screen, in addition to adding a name for the device, the user will now be provided with a choice between adding a time-based generator (i.e. the existing Authenticator App option) or creating a passkey.

     

    If the user selects the time-based generator, the registration continues as per the current UI workflow. If the user selects the create passkey option, they are then presented with options for adding a passkey, which will vary depending on parameters such as the user's operating system (e.g. Windows OS or macOS) and the available hardware options (e.g. if a fingerprint reader is available). The following is an example for Windows OS:

     

    In this example, selecting "Windows Hello or external security key" results in a Windows Hello confirmation dialog being presented, such as the following:

     

    Alternatively, selecting "Use a phone, tablet, or security key" would result in a request to scan a QR code with a camera on the device to be used for MFA, such as the following:

     

    Once the user completes these steps, their device is then registered and can be used to satisfy the MFA requirement when logging in.   

     

     

    MFA login experience - current UI workflow

    Log in natively to Genesys Cloud via the login screen

     

    If the user has registered an MFA device (Authenticator App), they are presented with a dialog requesting the user to enter a one-time code from their registered app.  Once they enter the code provided, the login process completes.

     

    MFA login experience - updated UI workflow

    Once the user has entered their credentials on the login screen, they will then be presented with a challenge which aligns with the MFA device they have registered.  In the following example, the user previously registered using Windows Hello.  Once the user scans their fingerprint on the fingerprint reader, the login process completes.

     

    So, in summary, this enhancement will provide more MFA options, including support for biometric scanners and physical security keys.  We are leveraging the WebAuthn framework to deliver this enhancement.  There is no impact to users logging in via Single Sign-On (SSO).  This enhancement applies to native logins only and is incremental to existing MFA capabilities.  In other words, if users have already registered MFA devices, these can still be used to complete the MFA login process.  Finally, there are no Admin UI changes associated with this enhancement.  This is client-side only.

     

    What is WebAuthn?

    WebAuthn is a credential management API built into modern web browsers allowing web applications to strongly authenticate users. It is a specification written by the W3C and FIDO, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows servers to register and authenticate users using public key cryptography instead of a password. WebAuthn allows servers to integrate with the strong authenticators now built into devices, like Windows Hello or Apple's Touch ID. Instead of a password, a private-public keypair (known as a credential) is created for a website. The private key is stored securely on the user's device; a public key and randomly generated credential ID are sent to the server for storage. The server can then use that public key to prove the user's identity. WebAuthn credentials are referred to as passkeys.

    For more information, refer to the Guide to Web Authentication.


    #Roadmap/NewFeatures
    #Security

    ------------------------------
    David Murray
    Principal Product Manager
    Genesys Cloud
    ------------------------------
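
The register-then-challenge flow described under "What is WebAuthn?" in the post above, as an added example that is not part of the original post and is not Genesys code. It is a simplified Node.js model: the origin is a constructed placeholder, and the browser and authenticator are merged into one object, with no CBOR, attestation or signature-counter handling.

```javascript
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require("node:crypto");
const ORIGIN = "https://login.example.test";   // constructed relying-party origin
const RP_ID = new URL(ORIGIN).hostname;        // constructed relying-party ID
const sha256 = (data) => createHash("sha256").update(data).digest();

// Authenticator + browser side. The private key never leaves this closure.
function createAuthenticator() {
  const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
  const credentialId = randomBytes(16).toString("base64url");
  return {
    registration: { credentialId, publicKey },  // the only data sent to the server
    getAssertion(challenge, origin) {
      const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
      // authenticatorData = rpIdHash (32 bytes) | flags (1, UP|UV) | signCount (4)
      const authenticatorData = Buffer.concat([sha256(new URL(origin).hostname), Buffer.from([0x05]), Buffer.alloc(4)]);
      const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
      return { credentialId, clientDataJSON, authenticatorData, signature: sign("sha256", signed, privateKey) };
    },
  };
}

// Server (relying party) side: stores public keys and single-use challenges.
function createServer() {
  const credentials = new Map(), pending = new Set();
  return {
    register({ credentialId, publicKey }) { credentials.set(credentialId, publicKey); },
    newChallenge() { const c = randomBytes(32).toString("base64url"); pending.add(c); return c; },
    verifyAssertion({ credentialId, clientDataJSON, authenticatorData, signature }) {
      const publicKey = credentials.get(credentialId);
      if (!publicKey) return "unknown credential";
      const clientData = JSON.parse(clientDataJSON.toString("utf8"));
      if (clientData.type !== "webauthn.get") return "wrong type";
      if (!pending.delete(clientData.challenge)) return "unknown or reused challenge";
      if (clientData.origin !== ORIGIN) return "origin mismatch";
      if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rpIdHash mismatch";
      if ((authenticatorData[32] & 0x01) === 0) return "user not present";
      const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
      return verify("sha256", signed, publicKey, signature) ? "ok" : "bad signature";
    },
  };
}
function demo() {
  const server = createServer(), key = createAuthenticator();
  server.register(key.registration);
  const good = key.getAssertion(server.newChallenge(), ORIGIN);
  const phished = key.getAssertion(server.newChallenge(), "https://login.example.invalid");
  return { login: server.verifyAssertion(good), replay: server.verifyAssertion(good), phished: server.verifyAssertion(phished) };
}
console.log(demo());
```

The server accepts the first assertion, rejects the same assertion when it is replayed, and rejects one produced for a different origin, which is the property that separates passkeys from typed one-time codes.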



  • 2.  RE: UI change: Additional Multi-Factor Authentication (MFA) device options
    Best Answer

    GENESYS
    Posted 09-04-2024 09:03

    This is an awesome enhancement. Looking forward to it. 



    ------------------------------
    Cameron Tomlin
    Online Community Manager/Moderator
    Genesys - Employees
    ------------------------------


