With mamori you can access resources using identities defined in
- mamori's built-in directory
- one or more integrated AD/LDAP directories
- one or more integrated cloud directories
Any identity from any directory can be multifactored with
- mamori's built-in multifactor
- integrated 3rd-party multifactor
When mamori receives a connection, it first validates the credentials against the directory. Only if the directory accepts them does mamori send the configured multifactor request to the user.
Mamori built-in multifactor includes
- mobile push notifications via the mamori.io mobile application
- time-based one-time passwords (TOTP) entered via a web browser
Both of these methods work from standard tools accessing all resource types (web, SSH, DB and IP resources).
User Multifactor Configuration
When a user logs into the mamori portal and their multifactor is not yet configured, a QR code is displayed. To complete registration the user scans the QR code with the appropriate mobile application.
Logins from standard tools fail if a user has not configured their multifactor; they must log in to the mamori portal at least once to configure it.
With mobile push multifactor the user accepts or denies the access request in their mamori mobile application. This is the recommended form of multifactor because it is easy for users to work with.
- mamori mobile application installed on the user's device (iOS: search for "mamori.io 2FA"; Android: search for "mamori.io")
- mamori server has internet access to https://fcm.googleapis.com/fcm/send
Timed One-Time Passwords
With timed one-time passwords a user starts a mamori web authenticator session and enters the one-time token when it is requested. This is the recommended form of multifactor when the mamori server has no internet access.
- Any authenticator app installed on the user's device that can scan one-time password QR codes
- No internet access required
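As an added illustration (not mamori's code), the RFC 6238 mechanics behind the enrolment QR code and the web authenticator check described above: generating a base32 secret, the otpauth URI the QR code encodes, and a server-side verification that tolerates one step of clock skew and refuses a code that was already accepted. The function and class names are my own.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

STEP = 30    # time step in seconds (RFC 6238 default)
DIGITS = 6   # code length shown by the authenticator app

def new_secret() -> str:
    """Random 160-bit secret, base32 encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def provisioning_uri(secret: str, user: str, issuer: str) -> str:
    """The otpauth:// URI that the enrolment QR code carries."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(user)}"
            f"?secret={secret}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")

def totp(secret: str, counter: int) -> str:
    """HOTP (RFC 4226) over the time-step counter, HMAC-SHA1, dynamic truncation."""
    key = base64.b32decode(secret, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class TotpVerifier:
    """Server-side check: accepts the current step +/- `window` steps of skew,
    and rejects any step not later than the last accepted one (replay)."""
    def __init__(self, secret: str, window: int = 1):
        self.secret, self.window = secret, window
        self.last_counter = -1   # highest time-step counter already consumed

    def verify(self, token: str, now=None) -> bool:
        counter = int((time.time() if now is None else now) // STEP)
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # already used (or older than the last accepted code)
            if hmac.compare_digest(totp(self.secret, c), token):
                self.last_counter = c
                return True
        return False

# Constructed demo secret: the RFC 6238 reference key "12345678901234567890" in base32.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()
```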