[Developers]

Tenant MFA Policy Management

Security administrators need different authentication rules for different operating environments. A national security tenant may require passkeys and step-up verification for every privileged action, while a local author

Category: ManagementLast Updated: Jun 26, 2026
managementcompliance

Overview#

Security administrators need different authentication rules for different operating environments. A national security tenant may require passkeys and step-up verification for every privileged action, while a local authority may need a simpler policy that still enforces strong authentication for administrators and remote workers. Tenant MFA Policy Management gives each organisation its own governed policy without forcing every tenant into the same authentication posture.

The module lets administrators define multi-factor authentication requirements, recovery rules, passkey preferences, session prompts, and exception handling at the organisation level. Policy changes are recorded in the audit trail and synchronised to the identity layer so enforcement stays consistent across web, mobile, and service workflows.

Key Features#

  • Per-Organisation MFA Policy: Define authentication requirements per tenant, including required factors, accepted factor types, grace periods, and enforcement mode.
  • Passkey and Security Key Support: Prefer phishing-resistant passkeys and hardware security keys for high-risk roles while keeping other approved factors available where policy allows.
  • Step-Up for Sensitive Actions: Require fresh verification before administrator actions such as user creation, MFA reset, passkey changes, privileged exports, and policy changes.
  • Recovery Governance: Configure recovery paths with administrator approval, expiry windows, and audit evidence so account recovery does not become a weak point.
  • Role-Aware Enforcement: Apply stricter requirements to administrators, system integrators, investigators, dispatch supervisors, and other roles that handle sensitive data.
  • Policy Audit History: Record every policy change with actor, timestamp, previous value, new value, and reason so security teams can reconstruct how authentication controls evolved.
  • Fail-Closed Synchronisation: If policy synchronisation fails, privileged workflows continue to require the most restrictive valid rule rather than falling back to a weaker state.

Use Cases#

  • Government Shared Services: A central platform hosts multiple agencies, each with its own MFA posture and recovery rules, while administrators still manage policies from one console.
  • Critical Infrastructure Operations: Control-room users authenticate with standard strong factors, while operators making high-impact configuration changes must complete step-up verification.
  • Managed Service Providers: A systems integrator manages tenants with different risk profiles and can prove which MFA policy applied to each customer at any point in time.
  • Incident Response Hardening: After a suspected credential compromise, administrators tighten policy for a tenant immediately and review the audit trail to confirm enforcement.
  • Regulated Healthcare and Public Safety: Organisations align user verification with the sensitivity of PHI, CJIS, emergency dispatch, or investigative data.

Integration#

Tenant MFA policies connect to the identity service, user management, role-based access control, session lifecycle controls, and the immutable audit trail. The policy record is organisation-scoped and is enforced consistently across web sessions, mobile sessions, privileged administration, and sensitive workflow approvals. External identity providers can remain in place, with the platform applying tenant policy before access to protected capability areas is granted.

Open Standards#

  • FIDO2 / WebAuthn: Passkey and hardware security key verification follows the W3C Web Authentication and FIDO2 standards for phishing-resistant authentication.
  • TOTP, RFC 6238: Time-based one-time password factors follow the standard TOTP algorithm for compatibility with common authenticator applications.
  • OAuth 2.0 and OpenID Connect: Token-based sign-in and federation flows align with widely adopted identity standards.
  • NIST SP 800-63B: Authentication assurance, authenticator lifecycle, and recovery controls map to NIST digital identity guidance.
  • ISO/IEC 27001:2022: MFA policy management supports access control, privileged access, identity lifecycle, and logging controls in Annex A.

Last Reviewed: 2026-06-26 Last Updated: 2026-06-26

Ready to Build?

Get started with our APIs or contact our integration team for support.