Authentication Methods
SecTrail MFA offers over 11 different authentication methods, providing solutions suitable for every use case. Any number of factors can be combined for verification.
Available Authentication Methods
Primary Authentication
LDAP/Active Directory
Verification against the corporate directory through LDAP/Active Directory integration.
- Use Case: Corporate users, first-factor authentication
- Features: Group synchronization, attribute-based policies
- Advantages: Utilizes existing infrastructure, central management
Local User
User management using a local database.
- Use Case: Non-LDAP environments
- Features: User/group management, import/export
- Advantages: Independent operation, easy setup
Second Factor Authentication
SMS OTP
Sending a one-time password via SMS.
- Use Case: Universal, users with phone access
- Features: Multiple SMS providers, international support
- Advantages: Widespread usage, easy adaptation
Email OTP
Sending an authentication code via email.
- Use Case: Alternative second factor
- Features: Custom mail servers, HTML templates
- Advantages: Internet access is sufficient, cost-effective
Push Notification
Instant approval via a mobile application.
- Use Case: User-friendly, quick approval
- Features: One-tap approval, biometric verification
- Advantages: High security, enhanced user experience
TOTP (Soft OTP)
Time-based one-time password token (compatible with SecTrail Authenticator).
- Use Case: Standard, offline use
- Features: QR code enrollment, TOTP standard
- Advantages: Does not require internet, universal compatibility
Advanced Methods
WebAuthn
Hardware security keys and platform authenticators.
- Use Case: Highest security requirements
- Features: Windows Hello, Touch ID support
- Advantages: Phishing protection, hardware-based security
Approved OTP (Manager Approved)
Authentication via a hierarchical approval system.
- Use Case: Critical access, manager control
- Features: Multi-level approval, email notifications
- Advantages: Additional layer of control, auditability
QR Login
Passwordless login with a QR code.
- Use Case: Fast, mobile-first authentication
- Features: Dynamic QR codes, mobile app integration
- Advantages: Passwordless, user-friendly
Mail Auth
Click-to-authenticate via email.
- Use Case: Simple click-to-authenticate
- Features: Time-limited links, secure tokens
- Advantages: Easy to use, no extra software required
LDAP + OTP
Combination of LDAP password and OTP in one step.
- Use Case: Seamless two-factor security
- Features: Single prompt, unified verification
- Advantages: Improved user experience, one step
Method Comparison
| Method | Offline | Hardware | Ease of Use | Security Level |
|---|---|---|---|---|
| LDAP/AD | ❌ | ❌ | ⭐⭐⭐ | Medium |
| SMS OTP | ❌ | ❌ | ⭐⭐⭐⭐ | Medium |
| Email OTP | ❌ | ❌ | ⭐⭐⭐ | Medium |
| Push | ❌ | ❌ | ⭐⭐⭐⭐⭐ | High |
| TOTP | ✅ | ❌ | ⭐⭐⭐ | High |
| WebAuthn | ✅ | ✅ | ⭐⭐⭐⭐ | Very High |
| Approved OTP | ❌ | ❌ | ⭐⭐ | High |
| QR Login | ❌ | ❌ | ⭐⭐⭐⭐⭐ | High |
| Mail Auth | ❌ | ❌ | ⭐⭐⭐⭐ | Medium |
| LDAP+OTP | ❌ | ❌ | ⭐⭐⭐ | High |
| Local User | ❌ | ❌ | ⭐⭐⭐ | Medium |
Configuration
Each authentication method requires the following steps:
- Method Setup: Configure the verification service/provider
- Profile Creation: Define how the method will be used
- Policy Assignment: Apply to applications/users
Multi-Factor Chains
SecTrail MFA allows you to combine multiple methods in authentication chains:
- LDAP → SMS OTP: Traditional 2FA
- LDAP → Push: Modern 2FA
- LDAP → TOTP → WebAuthn: Triple-factor authentication
- QR Login: Passwordless single step
For optimal security, use a combination of "something you know" (password) and "something you have" (phone, token).
Related Pages
- Application Profiles - Connect factor chains to applications
- Access Control - Additional security policies for authentication
- User Management - Management of users and groups