Multifactor Authentication (MFA) during Login

Hi there,

We are using PEGA’s OOTB MFA during login, which basically sends an OTP to the mobile number/email IDs configured on the operator’s profile. We have created a new authentication service and disabled the */prweb servlet, as MFA can’t be applied to it. So all requests to */prweb get redirected to the MFA URL configured as part of the authentication service.

We have implemented this and it is working fine. However, we would like to know whether there is a way for us to suppress this for a set of users (for example, automation test users). As of now we haven’t found any solution for this, so we are wondering if anyone has implemented this or knows the different options to solve it.

There are a couple of options:

Option 1 - Keep both URLs, */prweb and */PRAuth/, open. However, we won’t be able to control which user is using which way to log in, as both channels are open. Unfortunately, we can’t restrict users (those who are able to get an OTP / non-automation users) using the “Use external authentication” option on their operator profile, as the MFA URL */PRAuth/ still uses the basic credentials to validate (username and password).

Option 2 - Find extension points, if available, and bypass the MFA for automation users (who don’t get OTPs). Interestingly, PEGA handles this for the PEGA-supplied operator [email protected], meaning it bypasses MFA for this particular user.

I tried tracing the unauthenticated requestor to see how PEGA skips MFA for [email protected]; however, I didn’t find any clues. What I can see from the tracer is that PEGA calls pzHandleMFA for a normal user for MFA and doesn’t call this activity for [email protected].

There is a property, pyIsPEGASuppliedOperator, which is part of the operator class Data-admin-Operator-Id; if this is set to True, it looks like this may skip MFA; however, this doesn’t always work.

So, does anyone know how to suppress MFA for certain sets of users? Or how PEGA is suppressing MFA for [email protected]? Are there any loggers which can be enabled to find out what’s going on during login and how PEGA is suppressing MFA for [email protected]?

Appreciate your help!

Thank you.

@SadanM16854326

Hey, did you figure out why pyIsPEGASuppliedOperator does not work in all cases?

@gergokoppany - thank you for your message. Unfortunately, we didn’t get an answer for this. There is limited support on option 2 from PEGA.

However, we ended up doing MFA during login through an external provider; we didn’t use PEGA’s OOTB capability.

@SadanM16854326 I can see that the support ticket was also closed with the details you provided above:

After upgrading to 8.8.3 you made the changes below, which made it work:

1- Enabled OOTB platform authentication with the same policies as applied to the client authentication service.

2- So now if you log out and log back in in the same window using the same or a different user, the system asks for an OTP.

Please could you mark your reply with Accept Solution if your scenario is now working?

Note that the main MFA documentation can be found here:

Multi-factor authentication with a one-time password