Multi-Factor Authentication

Multi-Factor Authentication (MFA) is enforced at the space level. It can be requested via a support request. A space in PTV OptiFlow represents a logical group of users who collaborate on shared data while remaining isolated from other spaces.

When MFA is enabled for a space, it applies to all local users within that space. Local users are PTV OptiFlow accounts whose credentials are managed by the PTV OptiFlow IAM solution. Once MFA has been enabled, users will have to register an MFA device upon their next login.

Supported devices

The platform currently supports MFA using Time-based One-Time Passwords (TOTP), for example with an authenticator app such as Google Authenticator. Other authentication mechanisms, including WebAuthn-based authentication (such as passkeys or hardware security keys like YubiKey), are not supported at this time.

Session Management

MFA challenges do not support remember-me functionality. Users must provide their MFA code for each authentication session, regardless of recent successful authentications. There is no option to bypass MFA verification for a specified period (e.g., a week or month).

Recovery

Recovery codes are not provided. If a user loses access to their MFA device, they must submit a support request to have the device removed. After removal, the user is required to register a new MFA device upon their next login.

Single Sign-On

In spaces where both Single Sign-On (SSO) users and local users exist, MFA is only enforced for local users. SSO users authenticate via their own Identity Provider (IdP), where security controls such as MFA are expected to be managed externally.