Reference Guide

Multi-Factor Authentication

Kron PAM’s Multi-Factor Authentication (MFA) is available in offline modes with Kron PAM Mobile Client Application, hard token, and SMS verification.

The MFA screen can be managed by Admin-type users, and it can also be assigned to users through newly defined role definitions. Administrator rights on the MFA screens are granted according to these newly defined functions. Additionally, users will be able to manage changes for all users on the MFA screen. New portal functions for managing and viewing all users will be added.

Role Name: MFA Admin
Function: mfa.allow.users.manage.otp
Description: With the MFA Admin role, users who are not system admins can be granted the MFA Admin function group in the Portal Function, giving them full authority on the MFA screens (both the authority to see all screens under MFA and the authority to perform operations on those screens).

Role Name: MFA User Token Viewer
Function: mfa.user.token.viewer
Description: Users who do not have this function but are given the MFA User Token Viewer function group can view information related to their own token user under the User Token Management section of the MFA screen, and can perform only actions related to their own user.

Role Name: MFA User Group Viewer
Function: mfa.user.group.viewer
Description: The MFA User Group Viewer grants permission to view the User Group Management screen in MFA and allows the user to perform only actions related to their own group.

  1. Create new function groups for each related function.
Function Definition for Each MFA Group

  • Create a Realm for each User group and assign it to a Function Group and User Group.

MFA Group and User Group Matching Definition Screen

After the Portal Function definitions are completed, access and modification rights for token information on the Multi-Factor Authentication screens will be granted according to the assigned functions. Users with admin rights will be able to access other users' information.

Access and management rights for other users will be determined according to the defined system configuration parameter. This parameter controls whether token information can be accessed from the MFA screen.