Creating an MFA policy

Log in to Yandex Identity Hub.

In the left-hand panel, select Security settings.

Go to the MFA policies tab.

In the top-right corner, click Create policy and in the window that opens:

1. In the Name field, enter a name for the new policy. Follow these naming requirements:

   • It must be from 1 to 63 characters long.
   • It may contain lowercase Latin letters, numbers, and hyphens.
   • It must start with a letter and cannot end with a hyphen.

2. Optionally, enter a policy description in the Description field.

3. If you do not want to activate the policy upon creation, disable Policy active.

4. In the Factor types field, select additional authentication factors required for users from the policy's target groups to verify their identity:

   • Any. This option allows users to select one of the following additional authentication factor standards:

     • WebAuthn (FIDO2). The acceptable additional authentication factors may include hardware keys such as Rutoken or YubiKey, Passkeys authenticators, platform authenticators such as Windows Hello, etc.

       Warning

       Browser extensions with password input control may cause errors when entering additional factors. We recommend disabling such extensions in case of errors.

     • TOTP. This standard enables using one-time codes generated by dedicated authenticator apps as an additional authentication factor.

   • Phishing-resistant. This option enforces the WebAuthn authentication factors as the most secure ones.

5. In the Creation deadline field, specify the period in days during which the user must add a second authentication factor after registration.

6. In the Lifetime field, set the credential validity period, in days.

   Upon expiry of the specified timeout, the user will need to authenticate with the additional factor again.

7. Click Create policy.