This documentation site is for previous versions. Visit our new documentation site for current releases.
 

Configuring multi-factor authentication policies

Updated on March 15, 2022

To control the behavior of multi-factor authentication, configure the multi-factor authentication policy settings on the Security Policies landing page.

  1. In the Dev Studio header, click Configure > Org & Security > Authentication > Security Policies.
  2. In the Multi-factor authentication policies (using one-time password) section, configure the following required fields:
    1. In the Maximum one-time password failure attempts list, select a value between 1 and 3 to set the number of failed login attempts that your application allows before the one-time password becomes invalid and another one-time password must be generated.
      Setting a lower value helps prevent brute force attacks.
    2. In the Maximum age of one-time password token in seconds field, enter the length of time from when the token is generated to when the user must verify it with your application.
      The maximum age of the one-time password token must be less than the shortlived requestor timeout period, which is defined in minutes in the prconfig setting timeout/requestor/shortlived, and which defaults to 1 minute. If you set the maximum age to be greater than one minute, you must increase the timeout/requestor/shortlived setting.
    3. In the Validity of one-time password confirmation in minutes field, enter how long a user can work in a single session before being logged out.
  3. Define an email account, SMS account, or both to send the one-time password to users:
    1. In the Email account from which one-time password needs to be sent field, press the Down arrow key, and then select the name of an email account.
    2. Optional: To configure an email account, click the Add icon. For more information, see Configuring outbound email in Dev Studio.
    3. In the SMS account from which one-time password needs to be sent field, press the Down arrow key, and then select the name of an SMS account.
    4. To configure an SMS account, click the Add icon. For more information, see Creating an SMS account.
  4. Click Submit.
    Note: Users who log in to the application require an email address and phone number that are configured for their profile to receive the one-time password. For more information, see Defining operator contact information and application access.
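
The following added example (not part of the original documentation or of Pega's code) checks the values from step 2 against the constraints stated above: the failure-attempt limit must be between 1 and 3, and the token age in seconds must be less than `timeout/requestor/shortlived`, which is in minutes. It assumes the setting is stored in prconfig.xml as an `<env name="..." value="..." />` element; the function names and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SHORTLIVED_KEY = "timeout/requestor/shortlived"
DEFAULT_SHORTLIVED_MINUTES = 1  # default stated in the note for step 2.2

# Constructed sample prconfig.xml content (assumed layout, not from a real system).
SAMPLE_PRCONFIG = """<pegarules>
  <env name="timeout/requestor/shortlived" value="2" />
</pegarules>"""


def shortlived_timeout_seconds(prconfig_xml):
    """Return the shortlived requestor timeout in seconds.

    The prconfig value is in minutes; fall back to the default when unset.
    """
    root = ET.fromstring(prconfig_xml)
    for env in root.iter("env"):
        if env.get("name") == SHORTLIVED_KEY:
            return int(env.get("value")) * 60
    return DEFAULT_SHORTLIVED_MINUTES * 60


def check_otp_policy(max_failures, max_age_seconds, prconfig_xml):
    """Return a list of findings; an empty list means the policy is consistent."""
    findings = []
    if not 1 <= max_failures <= 3:
        findings.append(
            f"Maximum failure attempts is {max_failures}; allowed range is 1 to 3."
        )
    if max_age_seconds <= 0:
        findings.append("Maximum token age must be a positive number of seconds.")
    timeout = shortlived_timeout_seconds(prconfig_xml)
    # The token age must be strictly less than the requestor timeout.
    if max_age_seconds >= timeout:
        findings.append(
            f"Token age {max_age_seconds}s is not less than {SHORTLIVED_KEY} "
            f"({timeout}s); lower the age or raise the timeout."
        )
    return findings


if __name__ == "__main__":
    # 90 s passes with a 2-minute timeout but fails against the 1-minute default.
    print(check_otp_policy(3, 90, SAMPLE_PRCONFIG))
    print(check_otp_policy(3, 90, "<pegarules/>"))
```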
