Multi-Factor Authentication (MFA) in Pega 

Introduction 

Multi-Factor Authentication (MFA) enhances application security by requiring users to present two or more independent credentials — typically, something they know (password) and something they have (a one-time password). Pega Platform supports MFA to ensure that the user login process is more secure and resilient against unauthorized access. 

MFA Support in Pega 

  • The Pega Platform supports MFA by sending One-Time Passwords (OTP) via email or SMS to verify user identity during authentication.  
  • This MFA mechanism is built-in and can be enabled via Security Policies within the application, ensuring additional validation during login or sensitive operations like password change. 

How to Configure MFA in Pega 

Step 1: Configure Security Policies 

  1. In the Dev Studio header, go to Configure → Authentication → Security Policies. 
  2. On the Security Policies tab, under Multi-factor authentication policies, enable OTP delivery (via email or SMS). 
  3. Define policy parameters such as: 
     • Valid duration for the OTP (e.g., 120 seconds). 
     • Email account 
  4. Save the policy. 

This setup ensures that, on login, Pega will automatically generate an OTP and deliver it to the user via the chosen channel. 

Step 2: Customize OTP Correspondence (Optional) 

To customize the OTP message: 

  • Override the default correspondence rule pyDefaultOTPCorr, or pyForgotPasswordOTPCorr (which sends the OTP for a password reset), or create a new one. 
  • This rule defines the email body or SMS content that carries the OTP. 

Authentication Flow with MFA 

  1. The user logs in with their username and password. 
  2. Pega generates a one-time code (OTP). 
  3. The OTP is delivered via email or SMS. 
  4. The user enters the OTP (within the valid time). 
  5. If correct, the user is authenticated and granted access; otherwise, access is denied. 
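The OTP steps of this flow (and of the password-recovery flow below, which reuses them) modelled as a small Python service. This is an added example, not Pega's implementation: the 6-digit code length, the in-memory store and the `deliver` callback standing in for email/SMS correspondence are assumptions; the 120-second validity is the policy value from Step 1.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_VALID_SECONDS = 120  # the policy's example valid duration from Step 1
OTP_DIGITS = 6           # assumption: the page does not state the code length


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    used: bool = False


class OtpService:
    """Issue, deliver and verify one-time passwords for an operator ID.

    `deliver(operator_id, message)` stands in for Pega's email/SMS
    correspondence so the example runs offline; `clock` is injectable so
    expiry can be exercised without waiting.
    """

    def __init__(self, deliver, valid_seconds=OTP_VALID_SECONDS, clock=time.time):
        self._deliver = deliver
        self._valid_seconds = valid_seconds
        self._clock = clock
        self._pending = {}  # operator_id -> PendingOtp (assumed in-memory store)

    def issue(self, operator_id):
        # A fresh, CSPRNG-generated code replaces any earlier code for this operator.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[operator_id] = PendingOtp(code, self._clock())
        self._deliver(operator_id, f"Your one-time password is {code}")

    def verify(self, operator_id, submitted):
        entry = self._pending.get(operator_id)
        if entry is None or entry.used:
            return False  # nothing pending, or the code was already consumed
        if self._clock() - entry.issued_at > self._valid_seconds:
            del self._pending[operator_id]  # expired: the user must request a new code
            return False
        if not hmac.compare_digest(entry.code, submitted):
            return False  # wrong code; constant-time compare avoids a timing side channel
        entry.used = True  # single use: replaying a verified code is rejected
        return True
```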

The “Trouble logging in?” option on the Pega login screen integrates with Security Policies to allow secure password recovery with MFA. 

Flow: 

  1. The user clicks “Trouble logging in?” on the login page. 
  2. The system prompts for the username (operator ID). 
  3. Pega validates the account and generates a One-Time Password (OTP). 
  4. The OTP is delivered via email or SMS, depending on the policy. 
  5. The user enters the OTP on the verification screen. 
  6. Once verified, the system allows the user to create a new password. 
  7. The user logs in with the new credentials. 

–TEAM ENIGMA