MFA (Multifactor Authentication)


In the realm of security, OWL distinguishes itself by offering three robust types of first-level multifactor authentication (MFA), each tailored to enhance the protection of user accounts and sensitive data. These authentication methods—Security Question and Answer, Time-based One-Time Password (OTP), and Facial Recognition—provide varying layers of security, ensuring that access to the OWL platform remains secure and reliable. 

Here’s an expanded look at each type of first-level MFA within OWL:

 

Security Question and Answer

The Security Question and Answer method enhances authentication by prompting users to choose from a set of predefined questions and provide corresponding answers during their initial login. This approach introduces an extra layer of protection beyond the standard password, relying on information that is personal and not easily accessible to others. To support this, administrators typically curate a diverse range of questions that reflect various aspects of a user's background or preferences, ensuring a secure and personalized verification process.

 

If your MFA method is set to Security Question and Answer, follow these steps during your initial login:

  1. Initial Login 
    Begin by logging into OWL using your valid username and temporary password.
  2. Setup Phase 
    You’ll be redirected to a setup page where you must:
    • Create a new password
    • Provide answers to three randomly selected security questions generated by the OWL system
  3. Submit Setup 
    After entering your new password and security answers, click Submit to complete the setup process.
  4. Second Login 
    Log in again using your newly created password.
    • OWL will present one of the three security questions you previously answered.
    • Provide the correct answer to gain access to the platform.

 

Time-based OTP (TOTP)

Time-based OTP is another first-level MFA method offered by OWL, leveraging the use of OTPs generated at fixed time intervals. Users typically receive OTPs through a designated authentication application or device synchronized with OWL’s system clock. The OTPs are valid for a short duration (usually 30-60 seconds) and provide a time-sensitive second factor for authentication. This method enhances security by requiring possession of the OTP-generating device in addition to knowledge of the password, effectively mitigating risks associated with password theft or replay attacks.

 

If your MFA method is set to Time-based One-Time Password (TOTP), follow these steps during your initial login:

  1. Initial Login 
    Begin by logging into OWL using your username and temporary password provided for first-time access.
  2. Setup Phase 
    You’ll be redirected to a setup page where you must:
    • Create a new password
    • Configure your TOTP settings
  3. TOTP Configuration 
    During setup, you’ll see a barcode along with instructions to install an external authenticator app such as Authy or Google Authenticator.
    • Install the app on your device
    • Scan the barcode using the app to start generating time-based OTPs (updated every 60 seconds)
  4. Complete Setup 
    Enter the OTP generated by the app to complete the TOTP configuration, then click Submit.
  5. Second Login 
    Log in again using your new password. You’ll be prompted to enter a valid OTP from your authenticator app to successfully access OWL.

 

Face Recognition

Facial Recognition represents a cutting-edge authentication method within OWL’s MFA arsenal, utilizing biometric technology to verify user identity based on unique facial features. Users enroll their facial biometrics during initial setup, and subsequent logins require a real-time facial scan for authentication. OWL’s Facial Recognition technology employs sophisticated algorithms to accurately match the user’s live facial scan with stored biometric data, ensuring a high level of security and user convenience. This method offers a seamless authentication experience without the need for additional hardware tokens or OTPs, enhancing user satisfaction while bolstering security measures.

 

If your MFA method is set to Facial Recognition, follow these steps during your initial login:

  1. Initial Login 
    Begin by logging into OWL using your username and temporary password provided for first-time access.
  2. Setup Phase 
    You’ll be redirected to a setup page where you must:
    • Create a new password
    • Complete the Facial Recognition setup
  3. Facial Capture
    • Enable your system’s camera
    • Align your face within the designated frame
    • Click Submit to capture your image and complete the setup
  4. Future Logins
    • Log in using your new password
    • OWL will prompt you to verify your identity via facial recognition using your camera
    • Once verified, you’ll be granted access to the application

 

 

How to Configure MFA for Users in Different Levels

OWL security policies are a set of configurable rules designed to help organization admins enhance account security. These policies can be applied at multiple levels, with a hierarchy that determines which settings take precedence:

  • Organization Level: This is the default configuration applied to all users unless a more specific setup exists at the Role, Department, or User level.
  • Department Level: Policies set at this level apply to all users within the department, provided they don't have Role or User-level configurations.
  • Role Level: These policies apply to all users assigned to a specific role within a department, unless overridden by User-level settings.
  • User Level: This is the most specific configuration, applied to individual users regardless of their department or role. User-level policies override all other levels.

 

Update Organization Level MFA 

  • By default, the Organization level MFA Type is set to Security Questions and Answer after the onboarding process. Because no MFA setup has been configured at any other level, the Organization level security setup applies to all users newly onboarded or created in the organization.


 

  • You can view every user's MFA type in the User MFA container on the Security page.
  • Initially, every user's MFA Type comes from the Organization Level.
  • If you want to change the Organization Level MFA Type, you can edit the Organization Security setting from the action menu.


  1. Click on the Edit button. A pop-up window opens for editing the Organization Security Policy.
  2. Select the MFA Type from the three available options.
  3. Once you select a new MFA type and save, the MFA is updated for the Organization and for the users who follow the Organization level setup.
  4. The next time these users log in to OWL, they need to complete the new MFA setup; if they already have that setup, they can log in with the new configuration.

 

Add/Update Department Level MFA 

  • Department Level MFA applies to all users in the selected departments who have no Role or User level setup.
  • To add a new MFA configuration at the Department level, open the Department MFA container and click on the Add button.
  • Select the Department or Departments you wish to set up. Select the MFA type and click on the Add button.


  • New entries for all these departments now appear inside the Department MFA container with the selected MFA setup.


  • You can Edit or Delete these MFA setups using the action menu on each department MFA entry.


 

 

Add/Update Role Level MFA 

  • Role Level MFA applies to all users with the selected roles in a specific department who have no User level setup.
  • To add a new MFA configuration at the Role level, open the Role MFA container and click on the Add button.
  • Select the Role or Roles you wish to set up. Select the MFA type and click on the Add button.


  • New entries for all these Roles now appear inside the Role MFA container with the selected MFA setup.
  • You can Edit or Delete these MFA setups using the action menu on each role MFA entry.

 


 

Add/Update User Level MFA 

  • User Level MFA applies to all the selected users. It is the primary MFA for those users, and no other MFA setup can override it.
  • To add a new MFA configuration at the User level, find the user who needs the new MFA configuration. You can use the Search field on the Users container or browse the list page by page.


  • If the user has no existing User level setup, the action menu shows the +Add User MFA option. If you are updating an existing User level MFA, it shows the Edit MFA option instead.


  • Click on the Add User MFA button to open the pop-up for adding MFA. Select the MFA Type and click on the Add button.


  • You can also edit an existing User MFA using the Edit option in the action menu, or delete it.
  • To add or update the MFA of multiple users at once, use the Bulk Update option to update each user’s MFA type from the container itself.

 

Skip MFA

The MFA Skip Days setting determines how many days the user can log in without triggering MFA. This setting also follows the different security levels in the Organization.

How it Works: When the Skip MFA setting is configured for 3 days for a user, the following login behaviour applies:

  1. First-Time Login 
    The user must complete the full authentication process, including their assigned MFA method (e.g., Security Question, TOTP, or Facial Recognition), after entering their username and password.
  2. Subsequent Logins (Within 3 Days) 
    For the next logins during the 3-day window starting from the first successful login:
    • The user can access OWL using just their username and password
    • MFA will be temporarily bypassed, streamlining the login experience

After the 3-day period expires, MFA will be required again for login.

 

How to Configure Skip MFA for Users in Different Levels

OWL security policies are a set of configurable rules designed to help organization admins enhance account security. These policies can be applied at multiple levels, with a hierarchy that determines which settings take precedence:

  • Organization Level: This is the default configuration applied to all users unless a more specific setup exists at the Role, Department, or User level.
  • Department Level: Policies set at this level apply to all users within the department, provided they don't have Role or User-level configurations.
  • Role Level: These policies apply to all users assigned to a specific role within a department, unless overridden by User-level settings.
  • User Level: This is the most specific configuration, applied to individual users regardless of their department or role. User-level policies override all other levels.
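
The Skip MFA window combined with the level hierarchy, as an added sketch that is not OWL's own code. Assumptions: the field names and MFA type labels are invented, the window is anchored at the last login that completed MFA, each completed MFA step starts a new window, and a value of 0 days means MFA on every login.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Most specific level first, following the hierarchy above.
LEVELS = ("user", "role", "department", "organization")


@dataclass
class MfaPolicy:
    mfa_type: str   # hypothetical labels: "security_question", "totp", "face"
    skip_days: int  # assumption: 0 means MFA is required on every login


def effective_policy(configured: dict) -> MfaPolicy:
    """Return the policy of the most specific level that has one."""
    for level in LEVELS:
        if configured.get(level) is not None:
            return configured[level]
    raise LookupError("no organization-level policy configured")


def mfa_required(policy: MfaPolicy, last_full_mfa: Optional[datetime],
                 now: datetime) -> bool:
    """True when this login must include the MFA step."""
    if policy.skip_days <= 0 or last_full_mfa is None:
        return True
    # The window starts at the last login that completed MFA and does not
    # slide forward on password-only logins.
    return now >= last_full_mfa + timedelta(days=policy.skip_days)


def simulate(configured: dict, login_times: list) -> list:
    """Replay logins; record for each one whether MFA was demanded."""
    policy = effective_policy(configured)
    last_full_mfa = None
    outcome = []
    for now in login_times:
        required = mfa_required(policy, last_full_mfa, now)
        if required:
            last_full_mfa = now  # assume the user passes the MFA step
        outcome.append(required)
    return outcome


# Constructed sample data: the user-level 3-day setting overrides the rest.
T0 = datetime(2024, 1, 1, 9, 0)
CONFIGURED = {
    "organization": MfaPolicy("security_question", 0),
    "department": MfaPolicy("totp", 7),
    "role": None,
    "user": MfaPolicy("totp", 3),
}
LOGINS = [T0, T0 + timedelta(days=1), T0 + timedelta(days=2, hours=23),
          T0 + timedelta(days=3, hours=1), T0 + timedelta(days=4)]

if __name__ == "__main__":
    print(simulate(CONFIGURED, LOGINS))
```
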

      

Organization-Level Skip MFA Setup

  1. Click Administration.
  2. Click Security within the OWL Admin menu.
  3. Go to the Organization MFA container. Click on Edit.
  4. An Organization Level MFA pop-up will appear.
  5. Add the number of days on the Skip MFA field and click on Update.


  • You can see the Skip Days on the Organization MFA container after Update.

 

Department-Level Skip MFA Setup

  1. Click Administration.
  2. Click Security within the OWL Admin menu.
  3. Go to the Department MFA container. Click on Edit.
  4. A Department Level MFA pop-up will appear.
  5. Select the department or departments for which to set up Skip MFA.
  6. Add the number of days on the Skip MFA field and click on Update.


  • You can see the Skip Days on the Department MFA container after Update.
  • You can edit Skip Days from Edit MFA in the action menu, or update all departments at once using the Bulk Update option.


 

Role-Level Skip MFA Setup

  1. Click Administration.
  2. Click Security within the OWL Admin menu.
  3. Go to the Role MFA container. Click on Edit.
  4. A Role Level MFA pop-up will appear.
  5. Select the Role or Roles for which to set up Skip MFA.
  6. Add the number of days on the Skip MFA field and click on Update.


  • You can see the Skip Days on the Role MFA container after Update.
  • You can edit Skip Days from Edit MFA in the action menu, or update all Roles at once using the Bulk Update option.


 

User-Level Skip MFA Setup

  1. Click Administration.
  2. Click Security within the OWL Admin menu.
  3. Go to the User MFA container. 
  4. Click on the action menu to update an individual user's Skip MFA.
  5. The Update User MFA pop-up will open.
  6. Add the number of days in the Skip MFA field and update the user.


  • Now, the User MFA table will be updated with new skip MFA.
  • To bulk update all users, click on the Bulk Update option.

 


 

Secondary MFA (IP Address Validation)

OWL offers an optional IP-based multifactor authentication (MFA) feature that enhances security by validating the user's IP address during login. Access to the application is granted only if the user's IP matches or falls within the IP range defined by the administrator.

 

Configuration Levels:

IP validation can be configured at four hierarchical levels:

  1. User Level
  2. Role & License Level
  3. Department Level
  4. Organization Level

 

IP Validation Priority:

During login, OWL applies IP validation based on the following precedence:

  • If User-level IP configuration exists, it takes priority and overrides all other levels.
  • If User-level is not set but Role & License-level and Organization-level are configured, the Role & License-level settings are applied.
  • If User-level and Role-level are missing but Department-level and Organization-level are configured, the Department-level settings are used.
  • If User-level and Role-level configurations are absent, only the Organization-level IP validation is considered.
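
The precedence rules and the Static IP / Range IP matching, as an added sketch that is not OWL's own code. Assumptions: the dictionary layout and key names are invented, a level counts as configured only when its Secondary MFA toggle is on, range endpoints are inclusive, and when no level is enabled the IP check is skipped.

```python
import ipaddress

# Most specific level first, following the precedence list above.
LEVELS = ("user", "role_license", "department", "organization")


def entry_bounds(entry):
    """Turn a Static IP or Range IP entry into an inclusive (start, end) pair."""
    if entry["type"] == "static":
        ip = ipaddress.ip_address(entry["ip"])
        return ip, ip
    start = ipaddress.ip_address(entry["start"])
    end = ipaddress.ip_address(entry["end"])
    if start.version != end.version or start > end:
        raise ValueError(f"bad range {entry['start']} - {entry['end']}")
    return start, end


def applicable_level(configured):
    """Pick the most specific level whose Secondary MFA toggle is on (assumption)."""
    for level in LEVELS:
        cfg = configured.get(level)
        if cfg and cfg["enabled"]:
            return level
    return None


def ip_allowed(configured, client_ip):
    """Return (allowed, level_used) for one login attempt."""
    level = applicable_level(configured)
    if level is None:
        return True, None  # Secondary MFA is optional: nothing enabled, nothing checked
    ip = ipaddress.ip_address(client_ip)
    for entry in configured[level]["entries"]:
        start, end = entry_bounds(entry)
        # Compare only within one address family; IPv4 and IPv6 are not ordered together.
        if ip.version == start.version and start <= ip <= end:
            return True, level
    return False, level


# Constructed sample configuration (documentation address ranges).
SAMPLE = {
    "organization": {"enabled": True, "entries": [
        {"type": "range", "start": "203.0.113.0", "end": "203.0.113.255"}]},
    "department": {"enabled": True, "entries": [
        {"type": "static", "ip": "198.51.100.10"}]},
    "role_license": None,
    "user": {"enabled": True, "entries": [
        {"type": "static", "ip": "192.0.2.25"},
        {"type": "range", "start": "192.0.2.100", "end": "192.0.2.120"}]},
}

if __name__ == "__main__":
    for addr in ("192.0.2.110", "192.0.2.121", "203.0.113.5"):
        print(addr, ip_allowed(SAMPLE, addr))
```

In the sample, an address inside the organization range is still rejected for this user, because the user-level list replaces the broader lists rather than being merged with them.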

 

How to Configure Secondary MFA for Users in Different Levels

 

Organization Level IP Validation Setup

  1. Click Administration.
  2. Click Security within the OWL Admin menu.
  3. Go to the Organization MFA container. Click on Edit.
  4. An Organization Level MFA pop-up will appear.
  5. Enable the Secondary MFA by clicking on the toggle button.
  6. Click on +Add button to add IP address. Select Range Type.
  7. If selecting the Static IP option, you need to add a single IP address.

  • If selecting the Range IP option, you need to add two IP addresses: a start IP address and an end IP address. All IP addresses between these two are considered valid.
  • You can add both types of IP addresses and multiple addresses to a single setup.


You can update the IP address using Edit option in the action menu.  

You can delete the individual IP address using the Delete button from the IP address field.

The validation applies to users only when the Secondary Flag is enabled.

 

Department Level IP Validation Setup

  1. Click Administration.
  2. Click Security within the OWL Admin menu.
  3. Go to the Department MFA container. Click on Add button.
  4. A Department Level MFA pop-up will appear.
  5. Enable the Secondary MFA by clicking on the toggle button.
  6. Click on +Add button to add IP address. Select Range Type.
  7. If selecting the Static IP option, you need to add a single IP address.


  • If selecting the Range IP option, you need to add two IP addresses: a start IP address and an end IP address. All IP addresses between these two are considered valid.
  • You can add both types of IP addresses and multiple addresses to a single setup.


  • You can update the IP address using Edit option in the action menu.  
  • You can delete the individual IP address using the Delete button from the IP address field.


  • The validation applies to users only when the Secondary Flag is enabled.
  • Use Bulk update to update the IP addresses for departments.

 

Role Level IP Validation Setup

  1. Click Administration.
  2. Click Security within the OWL Admin menu.
  3. Go to the Role MFA container. Click on Add button.
  4. A Role Level MFA pop-up will appear.
  5. Enable the Secondary MFA by clicking on the toggle button.
  6. Click on +Add button to add IP address. Select Range Type.
  7. If selecting the Static IP option, you need to add a single IP address.


  • If selecting the Range IP option, you need to add two IP addresses: a start IP address and an end IP address. All IP addresses between these two are considered valid.
  • You can add both types of IP addresses and multiple addresses to a single setup.


  • You can update the IP address using Edit option in the action menu.  
  • You can delete the individual IP address using the Delete button from the IP address field.
  • The validation applies to users only when the Secondary Flag is enabled.


  • Use Bulk update to update the IP addresses for departments.

 

User Level IP Validation Setup

  1. Go to the Users MFA container inside the Security Page.
  2. Search for the user whose IP validation you want to update.
  3. Click on the action menu and then click on the Edit button.
  4. You will see the Update Security policy pop-up.
  5. Toggle the switch to enable Secondary MFA.
  6. Once enabled, the Allowed IP Address button becomes active.
  7. Choose the type of IP validation: Static IP or Range IP.
  8. If you select Static IP, a single IP address field will appear. Enter a valid IP address and click Save.
  9. If you select Range IP, fields for Start IP and End IP will appear. Enter a valid IP range and click Save.
  10. The entered IP address or range will be added to the Allowed IP Address table.

 

  • You can add multiple IP addresses for the secondary validation for each user.
  • These IP addresses can be removed or edited from the IP Address table.

 

User Security Page in User Management:

  • You can update the user level MFA from the User Management > Users > Select a User > View user > Security Policy page.
