A password alone isn't enough anymore. Multi-factor authentication (MFA) adds a critical second layer: a stolen or guessed password no longer opens the account on its own. Together with a strong password policy and SSO, it forms the base of authentication in Illizeo.
Available MFA methods #
| Method | Security | UX |
|---|---|---|
| TOTP app (Authy, Google Authenticator) | High (code can still be phished and relayed in real time) | Good |
| WebAuthn / Passkey | Very high (phishing-resistant, bound to the site origin) | Excellent |
| SMS OTP | Medium (SIM swap vulnerable) | Medium |
| Email OTP | Weak (falls with a compromised mailbox) | Weak |
| Hardware security key (YubiKey) | Maximum (phishing-resistant, private key never leaves the device) | Excellent for pros |
Step-by-step #
1. Enable MFA #
Security → MFA. Tick the allowed methods and choose the policy: optional, recommended, or mandatory.
2. Set password policy #
Minimum 12 characters. Complexity rules are optional (NIST SP 800-63B advises against forced composition rules). Rotation: 90 days or never; NIST recommends no periodic rotation at all, so prefer "never" and force a change only on evidence of compromise.
3. Enable compromised-password detection #
Automatic check against Have I Been Pwned. Passwords found in a known breach are rejected when set or changed.
4. Configure session duration #
Web: 30-minute idle timeout and a forced logout after 12 hours at most. Mobile: 7-day session.
5. Communicate to employees #
Send the enrolment email containing the TOTP QR code. Users can also enrol later via the Configure MFA button in their profile.
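The compromised-password check in step 3 is easiest to understand from the client side of the Have I Been Pwned "range" API, which lets you screen a password without ever sending it (or its full hash) to the service. The block below is an added example, not Illizeo's code; it assumes the public Pwned Passwords range endpoint and constructs a fake response locally so it runs offline, with the password hashes, breach counts and the `min_length` policy value chosen for illustration.

```python
import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body: str) -> dict:
    """Parse '<35-char suffix>:<count>' lines into {suffix: count}.
    Padding entries (count 0, returned when the Add-Padding header is sent)
    are dropped so they can never produce a false positive."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the hash leave the
    client; the remaining 35 are compared locally. Returns the breach count,
    0 if the password is not in the corpus."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup against https://api.pwnedpasswords.com/range/<prefix>.
    Not called in this example so that it runs offline."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "mfa-docs-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed fixture standing in for the live service: two leaked passwords
# with made-up counts, plus a padding line and an unrelated hash in the bucket.
_LEAKED = {"password123": 123456, "letmein": 7891}
_FAKE_RANGES = {}
for _pw, _n in _LEAKED.items():
    _h = sha1_hex(_pw)
    _FAKE_RANGES.setdefault(_h[:5], []).append(f"{_h[5:]}:{_n}")
_FAKE_RANGES[sha1_hex("password123")[:5]] += [
    "0" * 35 + ":0",   # padding entry, must be ignored
    "F" * 35 + ":42",  # another leaked hash sharing the same 5-char prefix
]


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range_live; unknown prefixes return an empty body."""
    return "\n".join(_FAKE_RANGES.get(prefix, []))


def password_is_acceptable(password: str, fetch_range=fake_fetch, min_length: int = 12) -> bool:
    """Policy from the steps above: at least 12 characters and not in a known breach."""
    return len(password) >= min_length and pwned_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password123", "letmein", "Tr0ub4dor&3 horse staple"):
        print(pw, "->", pwned_count(pw, fake_fetch), "acceptable:", password_is_acceptable(pw))
```

Swap `fake_fetch` for `fetch_range_live` to query the real service. The check belongs at set and reset time, and the rejection message should say the password appeared in a breach rather than echoing the count, which is enough for the user and leaks nothing about the corpus.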
FAQ #
MFA mandatory for whom?
Recommended for everyone, essential for HR and Admin roles. The policy can be targeted per role.
What if the user loses their phone?
Recovery codes are generated at enrolment; the user should store them offline. An admin can also reset the user's MFA, after confirming the person's identity through another channel.
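To make the enrolment step (QR code, TOTP app) and the lost-phone answer (recovery codes) concrete, here is an added example of the server side of TOTP enrolment and verification, with single-use recovery codes. It is not Illizeo's code; it implements RFC 4226/6238 directly with the standard library, assumes the issuer label `Illizeo` and a 6-digit, 30-second SHA-1 profile (the defaults authenticator apps expect), and includes the RFC 6238 test seed so the output can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

ISSUER = "Illizeo"  # assumed issuer label shown in the authenticator app
# base32 of the ASCII seed "12345678901234567890" from RFC 6238 Appendix B
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Fresh random TOTP seed, base32 without padding (what otpauth URIs carry)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def otpauth_uri(secret_b32: str, account: str, issuer: str = ISSUER) -> str:
    """The string to encode in the enrolment QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={urllib.parse.quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret_b32: str, at=None, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now // period))


def verify_totp(secret_b32, code, at=None, period=30, window=1, last_used_step=None):
    """Accept the current step and +/-window neighbours (clock drift), but never
    a step at or before the last one accepted, which blocks replay of a code
    inside its 30 s lifetime. Returns (ok, step) so the caller can persist step."""
    if not (isinstance(code, str) and len(code) == 6 and code.isdigit()):
        return False, None
    now = time.time() if at is None else at
    current = int(now // period)
    for delta in range(-window, window + 1):
        step = current + delta
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret_b32, step), code):
            return True, step
    return False, None


def make_recovery_codes(n: int = 10) -> list:
    """Single-use backup codes shown once at enrolment; only hashes are stored."""
    codes = []
    for _ in range(n):
        raw = secrets.token_hex(8)  # 64 bits of entropy per code
        codes.append("-".join(raw[i:i + 4] for i in range(0, len(raw), 4)))
    return codes


def hash_recovery_code(code: str) -> str:
    """Codes are high-entropy random strings, so a plain SHA-256 suffices for storage."""
    normalised = code.replace("-", "").replace(" ", "").lower()
    return hashlib.sha256(normalised.encode("ascii")).hexdigest()


def redeem_recovery_code(code: str, stored_hashes: set) -> bool:
    """Consume a code: valid only if its hash is stored, and it is removed on use."""
    h = hash_recovery_code(code)
    if h in stored_hashes:
        stored_hashes.remove(h)
        return True
    return False


if __name__ == "__main__":
    secret = generate_secret()
    print(otpauth_uri(secret, "alice@example.com"))
    code = totp(secret)
    print("current code:", code, "verifies:", verify_totp(secret, code))
    print("recovery codes:", make_recovery_codes())
```

Persist the `step` returned by `verify_totp` per user and pass it back as `last_used_step` on the next attempt; combined with rate limiting on the verification endpoint, that is what keeps a 6-digit code from being replayed or brute-forced. The recovery-code set should shrink on every use, and the user should be told to generate a new set once it runs low.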
NIST 800-63: what is it?
NIST SP 800-63B, the US Digital Identity Guidelines for authentication. It recommends long user-chosen passwords, no forced complexity rules, no periodic rotation, and screening against known-breach lists. Illizeo adopts this approach with a 12-character minimum.
SSO + MFA?
If SSO is active, MFA is enforced by your IdP and Illizeo does not prompt a second time. Make sure the IdP policy actually requires MFA for the Illizeo application, otherwise SSO users sign in with a password only.
See IP allowlist and restrictions #
Learn to restrict access by IP or geography.
