Multi-factor authentication

Most Helix Core servers are behind a secure firewall and require user passwords.

MFA in general

Multi-factor authentication (MFA) adds an additional layer of security in case a user password is compromised. MFA is a method of confirming a user's claimed identity. A user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism, such as:

  • knowledge (something they and only they know)
  • possession (something they and only they have)
  • inherence (something they and only they are)

MFA with Helix Authentication Service

If you are using the Helix Authentication Service (HAS) and you want multi-factor authentication, use the MFA solution that your IdP provides. For information about HAS, see the Helix Authentication Service Administrator Guide.

The only use case for installing the Helix MFA app with the Helix Authentication Service is to use an MFA service that is separate from your IdP.

MFA trigger support

Not all products interfacing with the Helix Authentication Service support MFA triggers. Check the relevant product guides to see if and how they support MFA triggers.

Helix MFA app

Helix MFA app:

  • should only be used when your password store and your MFA service are separated, such as using LDAP as your password store with Okta as your MFA service.

  • supports the most common factors:
    • One Time Password (OTP) codes
    • Third-party or external prompts, such as mobile app authentication

For an example of how the Helix Core Server can support MFA in conjunction with a cloud-based identity provider, see:

  • the Perforce Okta MFA trigger in the Swarm Workshop at okta-mfa.rb

  • Triggering for multi-factor authentication (MFA), which:
    • explains the three types of triggers necessary for Helix MFA (auth-pre-2fa, auth-init-2fa, and auth-check-2fa)
    • shows an example of an auth-check-2fa trigger that Perforce has validated with Okta. To find out more about Okta and the factors it supports, contact your Okta administrator or see https://support.okta.com/help
    • includes comments intended to make this example a starting point for working with the API of other services that support MFA