Adding MFA to Compromised Users
  • 13 May 2022

How to Add MFA to Compromised Users

RapidIdentity SafeID automatically identifies user accounts in RapidIdentity whose email address and associated password have been found in known data breaches.

To secure those compromised accounts, administrators can easily add multi-factor authentication methods that are required when the user logs in to RapidIdentity, providing an additional level of security.

Administrative Privileges Required

You must be a Tenant Administrator to manage users in the Compromised Accounts delegation and MFA Authentication Policies.

To add a multi-factor authentication method or methods to the compromised user accounts, follow these simple steps:

  1. Create a new Authentication Policy in RapidIdentity.

    1. Navigate to Configuration > Policies > Authentication Policy.

    2. Select the + symbol from the option menu at the bottom of the current Authentication Policies to create the new policy.

    3. On the General Tab:

      1. Give your policy a meaningful name such as Authentication Policy for Compromised Credentials.
      2. Do not make your policy a Forgot Password policy; leave the check box unchecked.
      3. Give your policy a meaningful description.
      4. Leave Always Fail and Insecure QR ID Scans Enabled unchecked.
      5. Enable the policy when you are ready for it to be used.
    4. On the Criteria Tab:

      1. Check the Enabled checkbox.
      2. Enter the following LDAP Filter:
        idautoPersonSafeIdCompromisedDate = * 
      3. Leave the Match the Built-in Admin Account checkbox unchecked.
        Modify only the LDAP Filter

        Only the LDAP Filter tab needs to be updated; leave the remaining Criteria sub tabs unmodified.

    5. On the Authentication Methods Tab:

      1. Choose the Authentication Methods you want users with Compromised Credentials to use for additional security and configure them accordingly.


        Don't forget to Enable the chosen methods and arrange them in the order you want.

    6. Save the Policy.

    7. Use the ordering icons from the menu options at the bottom of the authentication policies list to move your new Authentication Policy for Compromised Credentials to the top of the list so that it will be applied to users with compromised credentials first.

That's it! Once these steps are complete, all users in the Compromised Accounts delegation will have to meet the authentication challenges you've chosen in the Authentication Policy for Compromised Credentials.
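
Why the ordering in step 7 matters, as an added example (not RapidIdentity code): this Python model assumes policies are evaluated top to bottom and that the first enabled policy whose criteria match is applied. The users, the date value and the "Default Password Policy" are constructed or hypothetical; only the policy name and LDAP filter come from the steps above.

```python
# Added illustration: a model of ordered, first-match policy selection.
# Evaluation order is an assumption; users and the default policy are constructed.

def matches(ldap_filter, entry):
    """Evaluate a minimal 'attr=value' filter; 'attr=*' is a presence test."""
    attr, _, value = ldap_filter.partition("=")
    attr, value = attr.strip(), value.strip()
    values = entry.get(attr, [])
    if value == "*":
        return len(values) > 0          # presence: attribute has any value
    return value in values              # equality on one of the values


def select_policy(policies, entry):
    """Return the name of the first enabled policy whose filter matches."""
    for policy in policies:
        if policy["enabled"] and matches(policy["filter"], entry):
            return policy["name"]
    return None


def shadowed_users(policies, users, target):
    """List users who match the target policy's filter but get another policy."""
    target_filter = next(p["filter"] for p in policies if p["name"] == target)
    return [uid for uid, entry in users.items()
            if matches(target_filter, entry)
            and select_policy(policies, entry) != target]


COMPROMISED = {"name": "Authentication Policy for Compromised Credentials",
               "filter": "idautoPersonSafeIdCompromisedDate = *", "enabled": True}
DEFAULT = {"name": "Default Password Policy",   # hypothetical existing policy
           "filter": "objectClass=person", "enabled": True}

USERS = {  # constructed directory entries
    "alice": {"objectClass": ["person"],
              "idautoPersonSafeIdCompromisedDate": ["20220501000000Z"]},
    "bob": {"objectClass": ["person"]},
}

if __name__ == "__main__":
    for order in ([DEFAULT, COMPROMISED], [COMPROMISED, DEFAULT]):
        print([p["name"] for p in order], "->",
              shadowed_users(order, USERS, COMPROMISED["name"]))
```

In this model, a compromised user is also missed when the new policy is at the top but still disabled, which is the state left by skipping the last item on the General Tab.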


If you have checked Enable authentication policy choices in the Authentication Options configuration section, you will need to set up another policy with the Always Fail option.