Multi-Factor Authentication (MFA) for Sensitive Operations

Nirmata Control Hub (NCH) supports Multi-Factor Authentication (MFA) to secure critical workflows. MFA is required for specific high-impact operations and helps ensure that only authorized users can perform them.

NOTE: Only Admin users can configure MFA settings.

MFA Settings

Admins can enforce MFA for the following sensitive operations:

  • Removing API keys for any or all users
  • Deleting policy sets in a cluster
  • Approving policy exception requests

Once enforced, any user (including Admins) performing these actions will be required to verify their identity using MFA.

Go to Settings > MFA for Operations and toggle the MFA requirement for each listed operation as necessary. By default, MFA is enabled for all operations.


How it Works

  1. When a user attempts an MFA-protected operation and has not yet set up MFA, the system prompts them to set up MFA.
  2. After setup, the user will be prompted to enter a valid MFA token (from an authenticator app) before the operation proceeds.
  3. If MFA is already configured, the user will be asked for their token directly.

NOTE: Users only need to set up MFA once. Subsequent operations will require a token but not a re-setup.

User MFA Setup Flow

When a non-Admin user attempts a protected action and MFA is required:

  1. They will be guided through a one-time MFA setup using a TOTP-based authenticator app (e.g., 2FAS Auth, Google Authenticator).
  2. They’ll scan a QR code and enter a verification code from their app.
  3. Once setup is complete, they can proceed with the operation by verifying with an MFA token.
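The setup and verification steps above follow the standard TOTP flow (RFC 6238) that authenticator apps implement: the QR code carries an otpauth:// URI with a base32 secret, the app derives a 6-digit code from that secret and the current 30-second time step, and the server recomputes the code to verify it. The following is an added example written for this page, not Nirmata Control Hub code; it assumes nothing about how NCH stores secrets, how much clock drift it tolerates, or how it prompts the user. The account name, issuer and timestamps are constructed, and the secret used in the test is the RFC 6238 reference value.

```python
"""TOTP (RFC 6238) enrolment and verification as an authenticator-app flow uses it.

Constructed example: not Nirmata Control Hub code, and it makes no claim about
how NCH stores secrets, prompts users, or bounds clock drift.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP = 30    # seconds per time step (authenticator-app default)
DIGITS = 6   # code length shown in the app


def new_secret() -> str:
    """Generate a random 160-bit secret, base32-encoded for the enrolment QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI (Key Uri Format) that the enrolment QR code encodes."""
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper().replace(" ", "")
    padded += "=" * (-len(padded) % 8)            # restore base32 padding if stripped
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // step, digits)


class TotpVerifier:
    """Server-side state for one enrolled user: the secret plus the last accepted time step.

    Remembering the last accepted step rejects a replayed token even when it still
    falls inside the drift window.
    """

    def __init__(self, secret_b32: str, step: int = STEP, digits: int = DIGITS, window: int = 1):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.window = window      # accept +/- this many steps of clock drift
        self.last_step = -1       # highest time step already consumed

    def verify(self, token: str, at: int) -> bool:
        current = at // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = current + drift
            if candidate <= self.last_step:
                continue                                  # step already used: replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected.encode(), token.encode()):   # constant-time
                self.last_step = candidate
                return True
        return False


def enrolment_demo(secret_b32: str, now: int) -> dict:
    """Walk the one-time setup (steps 1-3 above), then a later protected operation."""
    # Hypothetical account/issuer; in practice these come from the user's profile.
    uri = provisioning_uri(secret_b32, "alice@example.com", "ExampleHub")  # rendered as QR
    verifier = TotpVerifier(secret_b32)
    first_code = totp(secret_b32, now)            # what the user reads from the app
    enrolled = verifier.verify(first_code, now)   # setup completes on a correct code
    replayed = verifier.verify(first_code, now)   # same token again must be refused
    fresh = verifier.verify(totp(secret_b32, now + STEP), now + STEP)  # next step is fine
    return {"uri": uri, "enrolled": enrolled, "replayed": replayed, "fresh": fresh}


if __name__ == "__main__":
    print(enrolment_demo(new_secret(), 1_700_000_000))
```

The drift window accepts the neighbouring time steps so a phone clock a few seconds off still works, and the constant-time comparison avoids leaking how many leading digits matched; the last-accepted-step check is what keeps a token that was observed once from being accepted a second time.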