ZIdentity
Configuring Authentication Methods
Authentication is the process of verifying a user's identity so that only users with the right roles and permissions can access the resources and applications within your organization. This helps protect your resources from unauthorized access and external attacks, and helps prevent data breaches.
ZIdentity supports multi-factor authentication (MFA) for enhanced security, and MFA is required by default for all admins. Zscaler strongly recommends keeping MFA enabled. You can authenticate users with a password alone, or with a password and a second factor such as an SMS one-time passcode (OTP), an email OTP, a time-based OTP (TOTP), or Fast Identity Online (FIDO) authentication. You can also configure passwordless authentication by setting up FIDO2 as the primary authenticator.
You can set up the required authentication method as the primary authentication method for your organization's users with locally created accounts in the ZIdentity Admin Portal. You can also use external identity providers (IdPs) for user authentication, if required. To learn more, see About External Identity Providers.
Zscaler strongly recommends that every user be configured with a valid and active email address. If a user forgets their password or loses an MFA authenticator, Email OTP authentication lets them recover the password or re-enroll the MFA authenticator; without a working email address, that recovery path is unavailable.
To set up the authentication methods:
- Go to Administration > Authentication > Authentication Methods.
- On the Authentication Methods page, configure the following options:
  - Enable Multi-Factor Authentication (MFA) for Service Enrollment: This option is enabled by default. You can disable it for your users when required. This option is shown only when the User Single Sign-On (SSO) feature is enabled for your tenant.
  - Allow FIDO2 as Primary Authenticator: Enable this option to allow users to configure a passwordless authentication method for their ZIdentity account. When you enable this option, users can skip the password and configure any of the Fast Identity Online 2 (FIDO2) methods available on their device on their next login attempt.
  When FIDO2 is disabled as the primary authenticator, the following scenarios apply:
  - If MFA is enabled, users must log in with their password and their MFA credentials. If these are not already configured, users can request the Password Reset option and then set up MFA.
  - If MFA is disabled, users must log in with only their password. If a user doesn't remember the password or never configured password-based authentication, they can click the Password Reset option and set a new password.
- Click Save.