ForgeRock Identity Platform
ForgeRock Identity Cloud

Does the ForgeRock solution offer multi-factor authentication (MFA)?

Last updated Jan 24, 2023

You can implement MFA by configuring a user journey with authentication methods from different categories of authentication. The ForgeRock solution includes a wide range of built-in authentication methods, known as nodes, with additional authentication nodes available from the ForgeRock Marketplace.


The ForgeRock solution provides excellent support for multi-factor authentication (MFA) through the wide range of built-in authentication nodes, third-party supported authentication nodes, and nodes that require scripted configuration to work with third-party providers who are not yet part of the ForgeRock Trust Network.

MFA identifies the user through more than one category of authentication. A common definition of categories of authentication describes them as: 

  • a knowledge factor (something you know)
  • a possession factor (something you have)
  • an inherence factor (something you are)

To implement MFA, configure an authentication journey that includes at least one authentication node from each of at least two of these three categories.
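The rule above, generalized into a check over every route through a journey, as an added example (not ForgeRock code). The journey layout, the node names and the method-to-category mapping are assumptions made for illustration, and the sample journey is constructed.

```javascript
// Assumed category for each method named on this page; adjust to your policy.
const CATEGORY = { password: "knowledge", otp: "possession",
                   push: "possession", webauthn: "possession" };

// Return each route to "success" that proves fewer than `required` categories.
// A node's category is credited only along its "true" (passed) outcome.
function weakPaths(journey, required = 2) {
  const weak = [];
  const walk = (id, path, cats) => {
    if (id === "failure") return;
    if (id === "success") {
      if (cats.size < required) weak.push(path.join(" > "));
      return;
    }
    if (path.includes(id)) return; // retry loop, already explored on this route
    const node = journey.nodes[id];
    if (!node) throw new Error(`unknown node: ${id}`);
    const cat = CATEGORY[node.method];
    for (const [outcome, target] of Object.entries(node.outcomes)) {
      const credited =
        cat && outcome === "true" ? new Set(cats).add(cat) : cats;
      walk(target, [...path, id], credited);
    }
  };
  walk(journey.start, [], new Set());
  return weak;
}

// Constructed journey (hypothetical layout): low-risk logins skip the push step.
const riskAware = {
  start: "username",
  nodes: {
    username: { method: "username", outcomes: { true: "password" } },
    password: { method: "password", outcomes: { true: "lowRisk", false: "password" } },
    lowRisk: { method: "decision", outcomes: { true: "success", false: "push" } },
    push: { method: "push", outcomes: { true: "success", false: "failure" } },
  },
};

// The low-risk branch succeeds on the password alone, so that route is reported.
console.log(weakPaths(riskAware));
```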

ForgeRock authentication methods

ForgeRock's wide range of built-in authentication nodes includes username, password, one-time passcode (OTP) via email or SMS, LDAP, OAuth 2.0, push notification, WebAuthn (FIDO2 support), and social identity provider. For OTP and push notifications, ForgeRock provides a native authentication app for iOS and Android devices.

In addition to the built-in authentication nodes, ForgeRock hosts many more authentication methods for MFA on the ForgeRock Marketplace. These include nodes provided by our Trust Network Technology Partners and the ForgeRock community.

The ForgeRock authentication service is designed to be easily extended, so custom authentication nodes can be created either in a simple scripting language such as JavaScript or Groovy, or in Java. Please note that Groovy scripting is not available with Identity Cloud.

The ForgeRock SDKs (iOS, Android and JavaScript) also support different types of MFA, including time-based and counter-based OTP and push notification.

Strong Customer Authentication (SCA)

Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2), which aims to add extra layers of security by ensuring that electronic payments are performed with MFA.

ForgeRock user journeys balance the need to administer more secure, risk-aware authentication scenarios against maintaining a friction-free login experience for users.

The ForgeRock solution includes authentication nodes covering a wide range of factors (including user inputs, contextual, user profile, and external data feeds), together with decision and choice nodes, strong factors (such as one-time passcodes, or push notification), and more. For many organizations, push notification authentication provides an excellent balance of strong authentication and simple user experience, but many other factors are available.

See Also

Multi-factor authentication

Nodes for journeys


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.