Multi-Factor Authentication for Approving Managers

Merchant approving managers are responsible for administering their users for Paymetric services. This also includes multi-factor authentication. See the introduction topic for the high-level steps on Getting Started with MFA.

• Authentication Methods

• Self Enrollment

• Approving Manager Enrollment / Paymetric Enrollment

Authentication Methods

The merchant first needs to decide what type of authentication method (or token type) they are going to implement. There are soft tokens and hard tokens. Token types allow users to self-enroll instead of requiring approving manager submission and enrollment.

Merchants do NOT enroll any devices with Duo directly. The account is through Paymetric for these interfaces.

Self Enrollment

Mobile or Tablet

Using the Duo Mobile application on your mobile or tablet.

• Duo Push - Internet connection is required on non-cellular devices. Duo will send a notification to your device prompting you to acknowledge and authorize the second factor challenge.

• Pass code - Opening the application and clicking on the associated 'key' icon will display a code that can be entered into the Duo prompt.

U2F Tokens

Not Recommended: limited to only Chrome browser and requires hard token purchase.

U2F (Universal 2nd Factor) devices are supported as a method of authentication and can be self-enrolled.

1. Must purchase device

2. Browser requirement or limitation: Chrome 41 minimum

3. System requirements: USB port

4. Suggested option "FIDO U2F Security Key from Yubico" (available from amazon.com, yubico.com)

5. Verify your chosen U2F token is compatible with the Duo platform

Approving Manager Enrollment / Paymetric Enrollment

Hardware Tokens

Not Preferred: Requires hard token purchase and manual enrollment.

OTP (One-Time Passcode) devices are supported as a method of authentication but must be enrolled by creating a ticket with the Paymetric support team.

HOTP - OATH HOTP event based compatible tokens.

• The hardware tokens must be enrolled by Paymetric as they are under the Paymetric Duo account; therefore, you must purchase third-party tokens and submit the information to Paymetric to be enrolled. This process is detailed in Enroll Hardware Token section.

• This also means that Duo tokens cannot be utilized as they do not allow third party enrollment.

• Brand suggestions: Yubikey HOTP compatible tokens, Feitian c100, Hypersecu HYO-160-H41, Vasco.

• Verify your chosen hardware token is compatible with the Duo platform.

• A separate hardware token must be purchased for each environment, QA and PROD, for each user.

TOTP - Not recommended by Duo due to issues with drift and resynchronization.