Multi-Factor Authentication

Strengthen security without introducing friction

Multi-factor Authentication (MFA), also referred to as Two-factor Authentication (2FA) has become the standard for preventing unauthorized access, but the wrong authentication method can create friction for users. PortalGuard offers flexible authentication options, including world-class biometrics, to support all your access policies for remote and on-premises users.

Multi-factor Authentication Demos

Enjoy this brief demo of PortalGuard’s Multi-factor Authentication using biometrics then visit our Sandbox to try it out for yourself.

MFA Overview

New! MobileAuth with PalmPositive

“One method does not fit all … mobile MFA methods (those using a mobile device) are impractical for up to 15% of employees and 50% of customers.”

Gartner, 2020 Authentication Market Guide


Secure All Access Scenarios

Protect access to any application or device for all your users regardless of the authentication methods available to them.

Low Support Costs

Authentication options, such as biometrics, offer flexible, affordable, low maintenance options to fit within your budget.

Friction-Free Experience

Users enjoy adaptive authentication and password-less options that only enforce extra authentication steps when the risk is high.

BIO-key MobileAuth: A Different Way to Authenticate

BIO-key MobileAuthTM with PalmPositiveTM provides fast, touchless, secure access to your accounts from any device. MobileAuth can be used for multi-factor authentication or passwordless workflows that make it easy to sign in even without your password.


MFA for All Access

Use PortalGuard to secure your entire organization:

PortalGuard can also enforce multi-factor authentication when the user is performing self-service password reset, recovery, or account unlock.

Authentication Approaches

There are several multi-factor authentication approaches with various MFA methods for organizations to implement as organizations should not enable a “one-size fits all” approach.

Adaptive Authentication

  • Access and authentication policies, based on the context of each login, are used to adapt the authentication method to match the level of risk
  • PortalGuard uses request parameters in order to determine the veracity of the user’s identity

Step-up Authentication

  • Require multi-factor authentication for specific applications using a direct “cause-effect” methodology as additional access is requested
  • Avoids overwhelming administrators with too much complexity or too many configuration choices

Passwordless Authentication

  • Offering the best of both worlds – a secure authentication method that provides a friction-free user experience
  • PortalGuard supports a range of passwordless authentication options
  • Users can gain access with one-click or one-touch authentication

Supported Authentication Factors

BIO-key MobileAuth with PalmPositive

With an automatic push notification when you are signing into a BIO-key PortalGaurd-protected app from your phone, MobileAuth then uses PalmPositive to scan and match your unique palm details to ensure that only you can access your online identity, not another enrolled user on your phone, not a hacker, nor someone who SIM-swapped your phone number. Only you. PalmPositive uses a simple palm scan as a form of Identity-Bound Biometrics, which is not only touchless and easy to use but confirms you are who you say you are with the highest levels of integrity, availability, security, and accuracy.

Learn more

Biometric Authentication

With 10% of employees and 50% of customers not being able to use phone-based authentication factors, biometrics is a requirement of any IAM strategy. WEB-key is an enterprise-grade biometric-based authentication solution from BIO-key, integrated with PortalGuard for Self-Service and Multi-Factor authentication actions.

Learn more

FIDO2 /Webauthn Factors

FIDO2 (AKA WebAuthn) differs from FIDO U2F in that it is designed for a “password-less” approach to secure authentication. FIDO2 Tokens, like BIO-key’s FIDO-key security keys, support one of two usage types: Click to Authenticate or On-Device Authentication. Click to Authenticate requires a tap/click of the token while On-Device Authentication detects the FIDO2 request and automatically responds, allowing the authentication action to proceed.

FIDO U2F Security Key

FIDO U2F is a standard protocol jointly developed as an alternative form of ‘token’-based Two-Factor Authentication. The use of FIDO U2F requires a supported Security Key, such as BIO-key’s FIDO-key security keys, as well as a supported browser. FIDO U2F Security Keys do not require any additional software, drivers, or client-side installation for use, and act as a strong and secure second factor for authentication.

Push Token

A push token is an ‘out-of-band’ 2nd factor tied to a mobile device. This 2nd factor allows end-users to confirm or deny an authentication request by interacting with their mobile device in real-time. No codes need to be remembered – just tap yes or no on the screen.

Mobile Authenticator

PortalGuard supports the use of multiple Mobile Authenticator Applications. These applications generate a Time-Based One-Time Passcode (TOTP), which can subsequently be utilized during various Self-Service and Multi-Factor Authentication (MFA) Actions throughout PortalGuard.

Hardware Security Keys

PortalGuard supports multiple hardware tokens including BIO-key’s line of FIDO-key security keys and those from providers such as Yubikey and RSA. These are a separate hardware device that generates an OTP and then either displays it or securely transmit it without any additional steps required by the user.


The SMS Delivery Method (often referred to simply as ‘Phone’) involves sending an SMS Text Message to an enrolled Mobile Phone number. This SMS Text Message contains a One-Time Passcode (OTP) to validate the user to the PortalGuard System for a specific action. Administrators have full control over the length, character set, and validity of OTPs utilized by this option. These settings are shared by the ‘Email’ OTP type as well.


The Email Delivery method involves sending an email to an enrolled email address. This email contains an OTP to validate the user to the PortalGuard System for a specific action. Administrators have full control over the length, character set, and validity of OTPs utilized by this option. These settings are shared by the ‘SMS’ OTP type as well.

Challenge Question & Answer

Challenge Answers are the standard, go-to approach to user verification. Users provide answers to previously enrolled questions. This enrollment is completed by either an admin or the user during the first time logging into the system.

By 2024, the use of multifactor authentication (MFA) for application access through Access Management solutions will be leveraged for over 70% of all application access, up from 10% today. 

Gartner, 2019 Magic Quadrant for Access Management

Easy Administration

Self-Service Enrollment

Users can register themselves for both self-service password reset and MFA in one step.

Policy & Settings

Highly configurable policy management that allows authentication to be applied to specific users and/or groups.

Reporting & Auditing

Detailed audit reports of all login activity available to meet security and compliance requirements.


Enhance the PortalGuard solution with integrations from our partners:

Find out what PortalGuard can do for your business.