Multi-Factor Authentication

Multi-factor authentication (MFA) can be used to provide an additional layer of user authentication and security for your employees. When MFA is required, employees are prompted for, and must enter, both of the following at login:

  • Password.
  • An MFA Token. This is a one-time password (OTP) generated by a hardware token or virtual MFA device (for example, an app like Google Authenticator) that you provide. The device must comply with TOTP standard RFC 6238 or HOTP standard RFC 4226.

You can require MFA for some employees and not others. MFA requirements are set up in login authenticators and these are assigned to different roles. Therefore, you might have a login authenticator that requires MFA assigned to a role for administrators, and a login authenticator that does not require MFA assigned to a role for agents.

MFA Secrets

An MFA secret pairs the employee account in CXone with the hardware or virtual MFA device that employee uses to generate the OTP. CXone allows you to either generate an MFA secret in either of the following ways:

  • Manually — You can type an alphanumeric value into the MFA Secret field. For example, some MFA devices provide a value (often called a "key") for this purpose. If you type your own MFA Secret, the value must be either 16, 26, or 32 characters and encoded in Base32. Base32 allows you to use a 32-character set comprised of the uppercase letters A-Z and the numerals 2-7. The MFA Secret must be RFC 6238-compliant.
  • Automatically — You can automatically generate a value in the MFA Secret field when you enable MFA authentication for an employee. You would then pass this value to the employee, who would use it to set up a virtual MFA device. For example, the employee can install Google Authenticator on a mobile device and turn on two-step verification (search Google's support site for keyword authenticator).

    As of now, scanning the QR code/barcode is not supported and the employee can use only manual setup for turning on the 2-step authentication using a virtual MFA device.

Enable MFA Authentication for an Employee

Image of Create New Employee page, showing the MFA fields in the Security tab.

  1. In CXone, click the app selector and select Admin

  2. Select the employee profile you want to edit, or click Create Employee if you're creating a new profile.

  3. On the Security tab:

    1. Enter an MFA Token Period. The value must be between 15 and 300 seconds, and compatible with the virtual or hardware MFA device your employees use. For example, Google Authenticator only allows a value of 30 seconds.

    2. Click Edit next to the MFA Secret field and then either manually type a value or click Generate to automatically generate a value.

    3. Click Save to save the MFA Secret. The Save button is located on the top right of the employee profile window. After you save, the MFA Secret disappears, but it is still assigned to the employee's profile.

    4. Click Save/Create to save or create the employee profile.

  4. Enable Require Multi Factor Authentication for a login authenticator applied to the employee's role.

  5. If you are not using hardware MFA devices, make sure affected employees set up their virtual MFA device using their MFA Secret and CXone username.