Multi-factor authentication with ArcGIS
Multi-factor authentication (MFA) refers to the use of multiple methods, credentials, or factors to validate the identity of a user or client who is attempting to authenticate to a system. In contrast, single-factor authentication may rely on a single authentication method, such as a password. Multi-factor authentication can be used to ensure that a stolen credential or secret is not itself sufficient information to impersonate a user.
A factor can be any securable, verifiable piece of data. Most simply it is a password, but it can also take other forms, such as:
- Personal identification numbers or PINs
- Security questions – A user-provided answer (set by the user when enrolling) that is validated during login
- Biometric factors – Including a retina or fingerprint representation
- A soft token – Most often, a software-based one-time code generator that is seeded with a specific secret, so that only the device running the software with that seed can generate the codes correctly.
- A hard token – Often a hardware device, such as a key-chain fob, that is built to display a string of characters or numbers uniquely identifiable to that device, to prove that the user has the device in their possession.
- Passwordless authentication devices and technologies such as FIDO2
- SMS-based MFA – A code is texted to a known phone number, which the user then provides to verify access to the mobile device receiving the SMS.
- Software-based MFA – Another app, usually running on a mobile device, receives a push notification that the user verifies before access is granted.
- Smart cards – Also commonly known as personal identity verification cards, which often contain a specific client certificate.
MFA can be enforced in any or all steps of an authentication process. It is often used during initial authentication or verification, after which the system does not prompt for re-authentication for a certain period of time. This eases user access and reduces frustration with the MFA system, which might otherwise lead users to turn off the additional factors if that option is available.
Usually, multiple authentication factors are required when first logging in through a certain identity provider or system, especially when using unrecognized hardware such as a public PC or a new mobile device. Once identity is established, many systems use a cookie or a combination of device information, location, or IP address, to bypass MFA requirements for future logins from that device or system.
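The "remembered device" behaviour described above is usually implemented as a signed token stored in a cookie. The following is an added example, not code from this page or from Esri, showing one way to build such a token: the server signs the user, a fingerprint of the device, and an expiry time with HMAC-SHA256, and later skips the MFA prompt only if the presented token verifies, is unexpired, and was issued for the same user and device. The key, user names, user agents and addresses are constructed values for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def device_fingerprint(user_agent: str, ip: str) -> str:
    """Coarse device identity from attributes the page mentions
    (device information and IP address). Hashed so the token does not
    carry the raw values."""
    return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()


def issue_remembered_device(key: bytes, user: str, fingerprint: str,
                            now: int, ttl_seconds: int = 30 * 86400) -> str:
    """Mint a token after a successful MFA login. Claims are signed, so a
    client can read them but cannot alter them or forge new ones."""
    claims = {"sub": user, "dev": fingerprint, "exp": now + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def mfa_can_be_skipped(key: bytes, token: str, user: str,
                       fingerprint: str, now: int) -> bool:
    """Decide whether to bypass the MFA prompt for this login attempt.
    Fails closed on any malformed, forged, expired or mismatched token."""
    try:
        encoded_payload, encoded_sig = token.split(".")
        payload, sig = _unb64(encoded_payload), _unb64(encoded_sig)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # signature first, before trusting claims
        return False
    claims = json.loads(payload)
    return (claims.get("sub") == user
            and claims.get("dev") == fingerprint
            and now < claims.get("exp", 0))


if __name__ == "__main__":
    # Constructed walkthrough: a laptop completes MFA, then logs in again.
    KEY = b"constructed-server-side-secret-key"   # placeholder, not a real key
    laptop = device_fingerprint("Mozilla/5.0 (X11; Linux x86_64)", "198.51.100.7")
    tok = issue_remembered_device(KEY, "alice", laptop, now=1_700_000_000)
    print("same device, next day:",
          mfa_can_be_skipped(KEY, tok, "alice", laptop, 1_700_086_400))
    other = device_fingerprint("Mozilla/5.0 (Android 14)", "203.0.113.9")
    print("token copied to another device:",
          mfa_can_be_skipped(KEY, tok, "alice", other, 1_700_086_400))
```

Binding the token to a device fingerprint means that copying the cookie to a different browser does not by itself skip MFA, and the expiry bounds how long a stolen cookie is useful. The fingerprint here is deliberately coarse; a production system would also let the user revoke remembered devices and would clear them on password change.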
Common MFA patterns
While the implementation of MFA can take many forms, common patterns for enterprise systems include:
- Most commonly, MFA requirements are enforced at the Identity Provider (IdP) level. An IdP provides SAML or OpenID Connect-based logins for ArcGIS Enterprise or ArcGIS Online.
- In this scenario, a user is prompted for their additional factor during the SAML or OIDC login flow. This happens at a site or interface served by the IdP, and the ArcGIS software is unaware of the MFA requirement; it is required and verified exclusively by the IdP.
- MFA for built-in ArcGIS Enterprise accounts
- This option can be enabled for built-in ArcGIS Enterprise accounts. It provides built-in users with the option to set up MFA using an existing application such as Google Authenticator. See Multifactor authentication in ArcGIS Enterprise for more information.
- MFA for built-in ArcGIS Online accounts
- As with the example above, MFA can be enabled with built-in ArcGIS Online accounts. See Multifactor authentication in ArcGIS Online for more information.
Considerations when implementing MFA
- ArcGIS relies on an OAuth-based authentication process for app-based logins, including Field Maps or ArcGIS Pro. This means that the MFA prompt from an identity provider, or from ArcGIS itself, is handled directly during that login process in an embedded or external web browser launched from the app. The user’s session is then established and continues without further prompts until they re-authenticate. Because this login flow runs in a browser window, it can handle cookies, redirects, and the many flavors of browser-based MFA offered by SAML and OIDC providers.
- For any workflow that involves regular headless requests (such as a scripted process or a workflow automation system) or backend server-to-server communication, be careful not to implement MFA in a way that causes these requests to fail, as this may unexpectedly disrupt communication or automation.
- MFA enabled for workflows such as a database connection is likely to succeed with ArcGIS only where it is explicitly supported. Check the ArcGIS release notes and the requirements for your database system to verify whether such support exists.
In summary, there are many different definitions of MFA and many ways it can be configured in various software packages. From the ArcGIS perspective, MFA is commonly configured, and fully supported, at the Identity Provider level for enterprise login patterns, or added to the built-in login processes of ArcGIS Enterprise or ArcGIS Online.