Multi-Factor Authentication

You can Configure Multi-Factor Authentication (MFA) to ensure that each user authenticates using multiple methods (factors) when accessing highly sensitive services and applications. For example, you can force users to enter a login password and then enter a verification code that they receive by phone before allowing access to important financial documents. This approach helps to prevent attackers from accessing every service and application in your network just by stealing passwords. Of course, not every service and application requires the same degree of protection, and MFA might not be necessary for less sensitive services and applications that users access frequently. To accommodate a variety of security needs, you can Configure Authentication Policy rules that trigger MFA or a single authentication factor (such as login credentials or certificates) based on specific services, applications, and end users.
When choosing how many and which types of authentication factors to enforce, it’s important to understand how policy evaluation affects the user experience. When a user requests a service or application, the firewall first evaluates Authentication policy. If the request matches an Authentication policy rule with MFA enabled, the firewall displays a Captive Portal web form so that users can authenticate for the first factor. If authentication succeeds, the firewall displays an MFA login page for each additional factor. Some MFA services prompt the user to choose one factor out of two to four, which is useful when some factors are unavailable. If authentication succeeds for all factors, the firewall evaluates Security policy for the requested service or application.
To reduce the frequency of authentication challenges that interrupt the user workflow, you can configure the first factor to use Kerberos or SAML single sign-on (SSO) but not NT LAN Manager (NTLM) authentication.
You cannot use MFA authentication profiles in authentication sequences.
For end-user authentication via Authentication Policy, the firewall directly integrates with several MFA platforms (Duo v2, Okta Adaptive, PingID, and RSA SecurID), as well as integrating through RADIUS or SAML for all other MFA platforms. For remote user authentication to GlobalProtect portals and gateways and for administrator authentication to the Panorama and PAN-OS web interface, the firewall integrates with MFA vendors using RADIUS and SAML only.
The firewall supports the following MFA factors:
Factor
Description
Push
An endpoint device (such as a phone or tablet) prompts the user to allow or deny authentication.
Short message service (SMS)
An SMS message on the endpoint device prompts the user to allow or deny authentication. In some cases, the endpoint device provides a code that the user must enter in the MFA login page.
Voice
An automated phone call prompts the user to authenticate by pressing a key on the phone or entering a code in the MFA login page.
One-time password (OTP)
An endpoint device provides an automatically generated alphanumeric string, which the user enters in the MFA login page to enable authentication for a single transaction or session.

Related Documentation