Multi-factor authentication policy
MFA turns every sign-in into "something you know + something you have". The AxisSynapse policy lets you decide whether MFA is required for everyone, which factor families are acceptable (e.g. only phishing-resistant), how long new users have to enroll before they're blocked, and what counts as recovery. Once the policy is set, the platform enforces it on every sign-in — through SSO, password, or passkey — without per-module rewiring.
TL;DR — Open Settings → Security → MFA policy, turn Require MFA on, pick Allow any factor for general workforces or Phishing-resistant only for executives + admin roles, give new users a 14-day grace period, click Save. Users get a soft prompt to enroll today and a hard requirement at the end of grace.
Before you start
- You must be a Workspace admin.
- Decide your acceptable factor set:
- Allow any factor (TOTP, hardware key, passkey, recovery code) — friendliest, weakest.
- Phishing-resistant only (passkey / hardware key) — strongest, requires every user to have a passkey or a YubiKey-class device.
- TOTP + WebAuthn — middle ground.
- Decide your grace period: how many days a new user has between first sign-in and being blocked for not having MFA enrolled. Most workspaces pick 14 days; high-security workspaces pick zero.
- Have a rollout plan: communicate ahead of time to give users a chance to enroll before the policy hardens.
No SMS factor
AxisSynapse does not support SMS as an MFA factor. SMS is phishable, SIM-swappable, and rejected by every regulator that's taken a position. Authenticator apps (TOTP), hardware keys, and passkeys are the supported families.
Set the MFA policy
Open Settings → Security → MFA policy
From the workspace nav, click Settings, then Security, then MFA policy. The page shows the current policy + a preview of what users will see on their next sign-in.
Toggle "Require MFA"
Off → users may enroll voluntarily but are not blocked. On → users must enroll within the grace period or be blocked from signing in.
Pick the acceptable factor set
Choose from Allow any factor, Phishing-resistant only, TOTP + WebAuthn, or Recovery codes excluded. Each option shows a one-line description of which user behaviours change.
Set the grace period
Slide between 0 and 30 days. The default is 14. The number applies to every newly created user — existing users are not subject to a fresh grace.
Optionally bypass for certain roles
Expand Advanced. Add roles that are exempt (e.g. break-glass accounts). Exemptions are audited and surfaced in Security Console.
Click "Save"
The new policy takes effect immediately. Active sessions stay alive; the next sign-in evaluates the new policy.
Acceptable factor sets
| Field | What it does | Accepted values / default |
|---|---|---|
| Allow any factor | TOTP, hardware key, passkey, recovery code all satisfy MFA. | Friendliest. Recommended only when the workforce mix prevents requiring phishing-resistant. |
| Phishing-resistant only | Only WebAuthn-backed factors (passkey, hardware key) satisfy MFA. | Strongest. Requires every user to enroll a passkey or hardware key — verify supply before flipping on. |
| TOTP + WebAuthn | Authenticator apps and WebAuthn satisfy MFA; recovery codes do not satisfy as primary factor. | Common balance. Recovery codes still exist for emergencies. |
| Recovery codes excluded | Recovery codes do not satisfy the policy on routine sign-in. | Used by workspaces that consider recovery codes a break-glass mechanism, not steady-state. |
The grace period
When a new user is provisioned (via invite, SCIM, or SSO JIT) and the policy requires MFA, AxisSynapse counts the days from their first sign-in. During grace, the user sees a soft banner on every post-sign-in surface encouraging enrollment; on the day grace expires, the next sign-in is gated by an enrollment wall.
| Field | What it does | Accepted values / default |
|---|---|---|
| 0 days | Hard requirement from day one. | Recommended only for high-security workspaces or short-lived contractors. |
| 7 days | Tight grace. | Reasonable for security-focused workforces. |
| 14 days (default) | Balanced default. | Two reminder cycles before the wall. |
| 30 days | Generous grace for large rollouts. | Pair with proactive communication. Audit reports flag pending users daily. |
Every field, explained
| Field | What it does | Accepted values / default |
|---|---|---|
| Require MFA | Toggle the workspace-wide requirement on or off. | Off (voluntary) / On (required after grace). |
| Acceptable factors | Which factor families satisfy the policy. | One of the four sets in the table above. |
| Grace period | Days new users have between first sign-in and the enrollment wall. | 0-30 days. Default 14. |
| Exempt roles | Roles whose users are not subject to the policy. | Use sparingly. Break-glass accounts are the canonical use case. |
| Force re-enrollment on policy change | When you tighten the policy (e.g. switch from any-factor to phishing-resistant-only), require existing users to re-enroll the new factor. | Off by default. Turn on after announcing the change. |
| Allow recovery code generation | Whether users can generate the one-time recovery codes that bypass MFA in emergencies. | On by default. Some workspaces turn off and rely on admin-assisted recovery instead. |
What appears in the audit log
TENANT_MFA_POLICY_UPDATED— every policy change.TENANT_MFA_ACCEPTED_FACTORS_UPDATED— the factor set was changed (e.g. switched to phishing-resistant only).TENANT_MFA_GRACE_GRANTED/..._EXPIRED— per-user grace lifecycle events; aggregate to dashboard cards.ACCOUNT_MFA_DEVICE_ENROLLED/..._REVOKED— every user-level factor change.ACCOUNT_MFA_DISABLE_BLOCKED— a user tried to disable MFA but policy refused. Investigate clusters of this code — they may indicate user confusion or attempted bypass.ACCOUNT_MFA_RECOVERY_CODE_USED— a recovery code was redeemed. Always review.
Common gotchas
- "Turning on Phishing-resistant only locked out my legacy accounts." Existing users with only TOTP enrolled don't have a valid factor anymore. Turn the policy back to TOTP + WebAuthn, give the team a deadline to enroll a passkey or hardware key, then tighten the policy after.
- "The grace timer didn't reset when I changed the policy." Grace is per-user, anchored on the user's first sign-in. Policy changes don't re-anchor it; if you want to give the team a fresh grace, use Force re-enrollment on policy change instead.
- "A user reports their authenticator app is out of sync." TOTP is time-bound. Have them resync the device's clock against network time (most apps have a sync option in their settings). Reissuing recovery codes is the last-resort fix.
- "We rotated MFA on a leaving employee, but they still signed in via SSO." SSO is authentication; MFA is a layered check. Disable the SSO account at your IdP as well, or rely on SCIM to deactivate the user.
- "The exemption list is growing — should I be worried?" Yes. Exemptions are operational tech-debt. Review the list quarterly and remove any account that doesn't need to be exempt.
Troubleshooting
| Error code | What it means | Fix |
|---|---|---|
| MFA_REQUIRED_NO_FACTOR | Policy requires MFA; user has no enrolled factor. | Sign in via the enrollment-required URL and follow the wizard. |
| MFA_FACTOR_NOT_ALLOWED | The user's factor doesn't satisfy the current acceptable set. | Enroll a factor that does (passkey for phishing-resistant-only). |
| MFA_RECOVERY_CODES_EXHAUSTED | All recovery codes have been used. | Regenerate a fresh batch from Account → Security. |
| MFA_GRACE_EXPIRED | The grace window elapsed with no enrollment. | Re-grant grace from the user's row in Settings → Members, or the user enrolls now. |
Related