6.3 Authentication Part 2 (Multi-factor Authentication)

After a user authenticates to Retain by entering a correct username and password, Retain must then determine whether additional authentication is required before granting access to its archives and administrative functions.

Figure 6-2 illustrates how Retain determines additional authentication requirements and provides a high-level overview of how and when processes happen.

Figure 6-2 Authentication - Part 2

Table 6-2 Authentication - Part 2

Letter	Explanation
	All other users start the authentication process by entering a Username and Password.
	After the request is validated as illustrated in Figure 6-1, Retain accesses the user’s configuration settings to determine whether there are MFA requirements. User settings always override group settings.
	If a user’s MFA setting Is Blank (not set): Retain checks the Configuration Group’s MFA setting, as explained in H below.
	If a user’s MFA setting is Enabled: Retain displays the MFA prompts defined in the applicable NetIQ Advanced Authentication configuration. For more information about configuring Retain to interface with NetIQ Advanced Authentication, see Configuring Retain for NetIQ Advanced Authentication MFA Support in Retain 4.10: Configuration and Administration.
	If a user’s MFA setting is disabled: Retain verifies the username and password and logs the user in.
	If a user’s MFA setting is blank (C), Retain uses the applicable Configuration Group’s setting as follows: If the Group’s MFA Setting Is Blank or Disabled: Retain authenticates the user. If the Group’s MFA Setting Is Enabled: Retain displays the MFA prompts defined in the applicable NetIQ Advanced Authentication configuration.
	If the user completes the MFA requirements successfully, Retain recognizes the authentication as valid.
	If the user fails the MFA requirements, Retain rejects the authentication request and notifies the user

See the following sections for more information on Multi-factor Authentication in Retain: