NinjaOne MFA: Multi-Factor (2-Factor) Authentication

Topic

This article explains how to set up multi-factor authentication (MFA) for your users in NinjaOne.

Environment

NinjaOne Platform

Description

Multi-factor authentication provides an additional layer of security for your NinjaOne account. It requires multiple forms of verification before granting access to specific features, product areas, or administrative actions. It is required for all NinjaOne users both at login and when performing administrative actions. NinjaOne supports text-based (SMS) and time-based authentication, as well as security keys.

We do not currently support Chilean mobile numbers (+56) for SMS MFA. You must set up an alternative MFA method.

Index

Select a category to learn more:

Set up Primary MFA for Your NinjaOne User
Change Authentication Method
Configure Global Administrative Idle Time
Additional Resources

Set up Primary MFA for Your NinjaOne User

NinjaOne will prompt all users to enable MFA upon first login after accessing NinjaOne through the emailed account invitation. Once you enter your NinjaOne login credentials for the first time, the system will prompt you to set up a primary MFA method.

You must choose whether you want to use time-based, SMS-based, or hardware-based security key authentication as a primary MFA method and then continue through the required set-up steps.

Figure 1: Select your preferred MFA method on your first login

To learn about time-based authentication, refer to the following section of this article titled Setting up an Authenticator App for Primary MFA.
To learn about SMS-based authentication, refer to the section of this article titled Setting up SMS for Primary MFA.
To learn about hardware-based security key authentication, refer to the section of this article titled Adding Hardware-based Keys or Additional Primary Authentication Method.

Setting up an Authenticator App for Primary MFA

To set up an authenticator app for your primary MFA, perform the following steps:

Download an authenticator app on an easily accessible endpoint, such as a local computer or mobile device. Any Time-Based One-Time Password (TOTP) application that supports QR code scanning and generates six-digit pins may work. NinjaOne has tested and confirmed the following applications will work and are supported:
- Google
- Apple "Passwords" (for iOS 18)
- Authy
- 2-Factor Authentication
Browser plug-ins or desktop applications are also supported for time-based authentication.
Select "Authenticator App" from the Select MFA method drop-down menu. Then, scan the barcode with the device that has the authenticator app downloaded, or manually enter the code listed under the barcode to configure MFA.

Figure 2: Authenticator app QR code

Save the code listed underneath the barcode on this screen. This may be used to set up time-based MFA on another device in the case that you no longer have access to your current device.

Use the QR code or number in the authenticator app to set up the codes.
Most authenticator apps will provide one code for several seconds and then refresh to provide another code. Enter the first code provided into the Authentication Code 1 field and then wait for the second code to appear. Enter the second code into the Authentication Code 2 field.
Click Sign In to complete the set-up process.

Setting up SMS for Primary MFA

For a list of phone numbers that NinjaOne uses to send SMS messages, refer to NinjaOne SMS Phone Numbers. If NinjaOne has disabled SMS in your environment, the option will not be available.

As soon as you select SMS as your primary authentication method, we will send an SMS message to the phone number currently associated with your user account. Enter the code into the available text field and click Sign In to complete set-up.

If the user does not have access to the phone number set up for them, you can update it on their NinjaOne account configuration page or by clicking Change phone on the MFA Setup modal. You will be prompted to enter the correct phone number and send a code to this number.

Figure 3: SMS MFA setup → Enter verification code or change phone

If you receive a prompt indicating your phone country code is not supported for SMS MFA, choose an alternative MFA option. MFA setup includes restrictions so users cannot register SMS MFA if they have a phone number with a country code that NinjaOne cannot support. For a full list of these restrictions, refer to NinjaOne SMS Phone Numbers.

Adding Hardware-based Keys or an Additional Primary Authentication Method

We recommend setting up a secondary backup MFA option to account for potential compatibility or implementation issues that may arise with the hardware key. For example, the hardware-based security key will not work if the user replaces their laptop and attempts to use the same NinjaOne account.

Select "Hardware-Based Security Key" from the Select MFA method drop-down menu.
Enter a unique identifier in the Security key name field.

Figure 4: Hardware-based security key MFA setup → Security key name

Click Sign in.
The default option for Fingerprint may display if your device is compatible. If your device does not have a fingerprint reader or you prefer to use an alternative method, select PIN or Use another device. Otherwise, follow the on-screen prompts.

Figure 5: Hardware-based security key MFA setup → Select security key type

If you have a branded website configured, you must set up the U2F (Universal Second Factor) security key separately for this instance. This is because part of the security key configuration involves the URL, which is different between branded and non-branded sites. You can add your U2F security key to your branded site by logging in to your branded site and following these same steps. To learn more about branded websites, refer to NinjaOne Platform: Branding: Customizing NinjaOne With Your Own Domain and Branding.

Change Authentication Method

If a user cannot log in due to errors with their MFA, you can change the authentication method in the NinjaOne console. To do so, perform the following steps:

Navigate to Administration → Accounts → All users.
Select the checkbox for the technician or end user and then click Actions.
Select Change authentication and then select the applicable option from the modal.

Figure 6: Reset MFA for a technician or end user in NinjaOne

The next time the user logs in, they will be prompted to select a new MFA method.

The NinjaOne console will log the user out of all open sessions when:

Configuring self-MFA
Resetting password
Configuring email
Configuring phone number

Configure Global Administrative Idle Time

The global administrative idle time refers to the interval of time to pass before a user is prompted to re-authenticate their MFA when attempting to perform an administrative task, which includes initiating remote connections to devices. Idle time will determine how often technicians are prompted to re-authenticate.

For example, if you set the global administrative idle time to 5 minutes and a user logs in (and therefore authenticates their MFA) at 0900 UTC, the system will prompt them to re-authenticate their MFA at 0905 UTC. However, if the user attempts to perform an administrative action at 0904 UTC, they will not have to re-authenticate their MFA.

Your global administrative idle time applies to all users in your NinjaOne environment, and a system administrator can configure it by following these steps:

Navigate to Administration → Accounts → Security Settings.
Click Edit in the MFA global administrative idle time widget.

Figure 7: Edit MFA global administrative idle time

Select your preferred idle time from the drop-down menu and then click Save.

Additional Resources

For a list of frequently asked questions about MFA in NinjaOne, refer to: Multi-Factor Authentication: FAQ.