Multi-Factor Authentication
Multi-Factor Authentication (MFA), an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism, is an additional layer of security for the Infinity Portal. With MFA, Infinity Portal users must use an authentication app or SMS code to confirm their identities before they get access to the Infinity Portal. All new Infinity Portal accounts are created with MFA enabled.
Organizations can configure and manage MFA as part of Single Sign-On (SSO) with an Identity Provider (IdP or IDP). SSO is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications. An Identity Provider is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network. For example, an organization requires MFA as part of user authentication through Microsoft Entra ID (formerly Azure AD). Infinity Portal users who log in through Microsoft Entra ID authenticate themselves with MFA according to the policy configured by the organization's Microsoft Entra ID administrator.
Creating and Editing MFA Configurations for Your User Account
This video shows you how to verify your phone number for the Infinity Portal and configure MFA using an authenticator app.
- In the Infinity Portal, click your user name in the upper-right corner to open the Profile Settings page.
- In the Phone verification section, select your country from the list.
- Enter your mobile phone number.
- Click Send code.
  Check Point sends an SMS to your phone with a six-digit code.
- Enter the code in the Code field.
- Click Verify.

- Download one of these authenticator applications to your mobile phone:
  - Google Authenticator
  - Microsoft Authenticator
  - Authy
- In the Infinity Portal, open the Profile Settings page. In the upper-right corner:
  - Click the user name, or
  - Click the arrow next to the user name > Profile Settings.
  The Profile Settings window opens.
- Toggle the Enforce Multi-Factor Authentication switch to ON.
  The Enforce Multi-Factor Authentication configuration wizard opens.
- Follow the on-screen instructions to connect the authentication app to the Infinity Portal.
  Note - If you did not verify your phone number in the Profile Settings window, you must verify it in the Multi-Factor Authentication configuration wizard.
- If you want to require yourself to use MFA for all Infinity Portal accounts, keep the toggle on. If you want to use MFA only when required by a Primary Administrator of an account, switch the toggle to off.
- Click Finish to close the wizard.
If your organization uses SSO authentication and does not enable MFA as part of it, you can require yourself to use MFA every time you log in to the Infinity Portal. This is valid even when the Primary Administrator of the Infinity Portal account does not require MFA.
Configuring MFA for your account:
- In the Infinity Portal, open the Profile Settings page. For this, in the upper-right corner:
  - Click the user name, or
  - Click the arrow next to the user name and select Profile Settings.
  The Profile Settings window opens.
- Toggle the Multi-Factor Authentication (MFA) switch to ON.
  If you do not have an authentication app configured, the Multi-Factor Authentication (MFA) configuration wizard opens. Follow the steps in the wizard to configure an authentication app or to require MFA through SMS.
  Note - If you did not verify your phone number in the Profile Settings window, you must verify it in the Multi-Factor Authentication (MFA) configuration wizard.
- Click Finish.
Managing MFA for Infinity Portal Users
This video shows you how to manage MFA for Infinity Portal users.
An Infinity Portal Primary Administrator, Admin, or User Admin can view and reset a user's MFA configuration.
In the Infinity Portal, click > Users.
The 2FA configured column of the table shows one of these 2FA configurations for each user:
| Icon | MFA Configuration |
|---|---|
| | The user does not have MFA configured. |
| | The user has MFA configured with an authenticator app. |
| | The user has MFA configured with SMS. |
| | The user has MFA configured with an authenticator app and with SMS. |
The MFA table row shows you the MFA authentication method(s) that the user configured for themselves in Profile Settings. This table row is not related to the MFA enforcement policy for the account.
Reset a user's phone number in these scenarios:
- The user gets a new phone with a new number.
- The user's phone is lost or stolen.
- The user has a problem using MFA with SMS.
To reset the user phone number:
- In the Infinity Portal, click > Users.
- Click the table row with the name of the user.
- Click Edit.
  The Edit User window opens.
- In the Phone number field, enter a phone number for the user.
- Click Save.
Reset an authentication app for a user when the user gets a new phone (with the same phone number) or has a problem with the app.
After the reset, if MFA is required for account login, Check Point sends an SMS with an authentication code to the user's verified phone number. Then, the user can log in to the Infinity Portal and create a new authenticator app configuration (see Configure an authentication app for MFA).
To reset an MFA application:
- In the Infinity Portal, click > Users.
  The 2FA configured column of the table shows one of these MFA configurations for each user:
  | Icon | MFA Configuration |
  |---|---|
  | | The user does not have MFA configured. |
  | By app | The user has MFA configured with an authenticator app. |
  | By phone | The user has MFA configured with SMS. |
  | App and phone | The user has MFA configured with an authenticator app and with SMS. |
- Select a user from the table and click Reset MFA.
- To see updated user information, click Refresh.
Enforcing MFA Policy for All Users
A Primary Administrator must set up an MFA policy for all users who log in to the Infinity Portal account with their username and password.
This video shows you how to enforce MFA for all users of an Infinity Portal account.
MFA enforcement settings on the Identity & Access page apply to all users of this Infinity Portal account. Only a Primary Administrator can change these settings.
- In the Infinity Portal, click > Identity & Access.
- In the Multi-Factor Authentication (MFA) section, select when to enforce MFA:
  - Enforce MFA for all logins, including SSO - Users must use MFA to log in with username and password and for login with SSO through an Identity Provider (IdP).
  - Enforce MFA for login with username and password - This option is selected by default.
  A confirmation window opens.
- In the confirmation window, click Enforce.
A Primary Administrator can allow Infinity Portal users to bypass the MFA verification for 14 days after they successfully sign in to the Infinity Portal with a trusted device.
- In the Infinity Portal, click > Identity & Access.
- In the Multi-Factor Authentication (MFA) section, select Allow trusted devices to skip MFA for 14 days.
When users enter their verification code on their login to the Infinity Portal, they can select the option Remember this device for 14 days.
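The settings described above (the account enforcement option, the user's own MFA toggle, and the trusted-device allowance) combine into one decision per login. The following is an added example, not Check Point code: a small model for reasoning about which logins end up with no portal MFA prompt. The names `AccountPolicy`, `Login` and `mfa_decision` are hypothetical, and the way the trusted-device skip interacts with the other settings is an assumption marked in the comments.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional, Tuple

TRUST_WINDOW = timedelta(days=14)  # "Allow trusted devices to skip MFA for 14 days"


class AccountPolicy(Enum):
    PASSWORD_LOGINS = "Enforce MFA for login with username and password"  # default
    ALL_LOGINS = "Enforce MFA for all logins, including SSO"


@dataclass
class Login:
    via_sso: bool                                    # True: login through an IdP
    user_enforces_mfa: bool                          # user's own Profile Settings toggle
    device_remembered_at: Optional[datetime] = None  # "Remember this device" selected


def mfa_decision(policy: AccountPolicy, allow_trusted_devices: bool,
                 login: Login, now: datetime) -> Tuple[bool, str]:
    """Return (portal_prompts_for_mfa, reason) for one login attempt."""
    if login.user_enforces_mfa:
        reason = "user's own MFA toggle"
    elif policy is AccountPolicy.ALL_LOGINS or not login.via_sso:
        reason = "account policy"
    else:
        # Default policy + SSO: the portal adds no prompt; MFA depends on the IdP.
        return False, "SSO login, MFA left to the IdP policy"

    # Assumption: the trusted-device skip applies whichever setting required MFA,
    # and the 14 days count from the moment the device was remembered.
    remembered = login.device_remembered_at
    if (allow_trusted_devices and remembered is not None
            and timedelta(0) <= now - remembered < TRUST_WINDOW):
        return False, "trusted device inside the 14-day window"
    return True, reason


if __name__ == "__main__":
    now = datetime(2024, 6, 15, 9, 0)  # constructed timestamps
    cases = {
        "password login": Login(False, False),
        "SSO login": Login(True, False),
        "SSO login, user toggle on": Login(True, True),
        "device remembered 3 days ago": Login(False, False, now - timedelta(days=3)),
        "device remembered 15 days ago": Login(False, False, now - timedelta(days=15)),
    }
    for name, login in cases.items():
        print(name, "->", mfa_decision(AccountPolicy.PASSWORD_LOGINS, True, login, now))
```

Under the default option, the SSO row is the one to review: the portal adds no second factor there, so coverage depends on the Identity Provider's own MFA policy.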
Enforcing MFA Policy for Child Accounts using API
Because MFA is mandatory for all accounts that use a username and password to log in, primary administrators must enforce the MFA policy for all child accounts. These are Customer accounts managed by MSSPs and Customer accounts managed in a large enterprise by a Customer Parent.
Primary administrators that manage multiple accounts may need access to the child accounts that use API automation. To get access, the primary administrator needs an Account API key to create new API keys for child accounts. For more information, see API Keys.