Mobile Endpoint Security

Lookout Product Documentation

Using Multifactor Authentication for Local Administrators

Lookout has stepped up MES security by requiring MFA (multifactor authentication) for local administrator authentication to access the MES console. After entering their username and password, local administrators must enter a one-time passcode generated by a mobile authenticator app.

While Google Authenticator is the preferred authenticator for MES, any authenticator that generates standard TOTP (time-based one-time password) codes should work. Once set up, you must use MFA for any tenant to which you have access.

External administrators who access the console using SAML or SSO authentication from an IdP (identity provider) can only use MFA that is provided by their IdP. External admins using Intune Azure Active Directory integrations use their Intune AAD groups to assume MES administrative roles for Full Access, Restricted Access, and Read-Only Access. You created these mappings when first creating your tenant. If you need to change the AAD groups associated with each access level, contact Lookout Enterprise Support.

Set up and Use MFA

Local administrators must have a compatible authenticator app on their mobile device. When you set up your authenticator app, the console generates 12 single-use recovery codes that you can use if you lose or misplace your authenticator. Be ready to save the recovery codes to a safe location such as a password manager.

Follow these steps to set up and use your authenticator.

  1. Sign in with username and password.
  2. Follow the prompts to set up MFA with your authenticator app.
  3. Download the recovery codes and store them securely.
  4. Sign out, then sign back in using MFA to confirm that setup succeeded.

Recover from a Lost or Misplaced Authenticator

In cases where an administrator loses or misplaces their authenticator:

  • Authenticate using one of the 12 recovery codes issued when you registered for MFA.
  • If you accidentally delete or lose the authenticator app, an administrator can reset your MFA.

Reset MFA for an Administrator

  1. Sign in to the MES console.
  2. Navigate to System > Manage Admins.
  3. Find the affected administrator in the list.
  4. Click Reset MFA.

At the next sign-in, MES challenges the user to set up MFA.