
Identity

Basis Theory provides organizations with flexible options to secure access to their data. With features like Multi-Factor Authentication (MFA) and Single Sign-On (SSO), you can enhance security while simplifying the login process for users. The options available to secure your Basis Theory account and tenants are described below.

Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) adds an extra layer of security by requiring users to verify their identity through additional methods. Basis Theory supports MFA using One-Time Passwords (OTP).

Setting Up MFA

MFA can be set up in two different ways:

  • Login: Users without MFA will be shown a setup page during login. If the user chooses to skip the setup, the setup page will only be shown again after the next 5 logins.
  • Customer Portal: Users can set up MFA, regenerate recovery keys, or remove existing MFA from the Customer Portal by clicking on their name and selecting Profile & Security.

Enforcing MFA

As an additional login control for a tenant, MFA can be enforced for all tenant users. When enabled, users will be required to have set up MFA before they can be re-invited and gain access to the tenant.

To enforce MFA in the Customer Portal, navigate to the tenant Settings page from the sidebar, select the Identity tab and enable the Enforce MFA option. Click on Save Changes to confirm.

When enforcing MFA, all users who have not set up MFA will be removed from the tenant.

Tenant Login Restrictions

Basis Theory provides additional controls to restrict access to a tenant based on the user's login provider or domain. The available options and how to apply them are described below.

Login Provider Restriction

Aside from Enterprise SSO, Basis Theory allows creating accounts using the Basis Theory, Google, and GitHub login providers. You can restrict tenant access to one or more of these providers. They are all enabled by default.

To restrict access to a tenant based on the user's login provider in the Customer Portal, navigate to the tenant Settings page from the sidebar, select the Identity tab and select the allowed providers from the Allowed Login Providers list. Click on Save Changes to confirm.

All users with accounts outside of the selected providers will be removed from the tenant.

Tenant Invitation Domain Whitelist

Alongside the login provider restriction, you can also restrict tenant invitations based on the user's email domain. Domains added to the whitelist will be the only ones allowed to be invited to the tenant.

To add domains to the whitelist in the Customer Portal, navigate to the tenant Settings page from the sidebar, select the Identity tab and add the allowed domains to the Tenant Invitation Domain Whitelist.

All users with email domains not included in the whitelist will be removed from the tenant.
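
Enforce MFA, Allowed Login Providers and the Tenant Invitation Domain Whitelist each remove users who do not comply, so it helps to dry-run a change against the current member list before saving it. The following is an added example, not Basis Theory code: the roster fields, the provider labels, the "empty whitelist means no restriction" rule and the exact, case-insensitive domain match are all assumptions.

```python
from dataclasses import dataclass

# Field names and provider labels are assumptions, not a Basis Theory export format.
@dataclass(frozen=True)
class Member:
    email: str
    provider: str      # assumed labels: "basistheory", "google", "github"
    mfa_enabled: bool

@dataclass(frozen=True)
class IdentitySettings:
    enforce_mfa: bool = False
    allowed_providers: frozenset = frozenset({"basistheory", "google", "github"})
    domain_whitelist: frozenset = frozenset()  # assumption: empty = no domain restriction

def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def removal_reasons(member, settings):
    """Return the reasons this member would be removed under the proposed settings."""
    reasons = []
    if settings.enforce_mfa and not member.mfa_enabled:
        reasons.append("no MFA set up")
    if member.provider.lower() not in settings.allowed_providers:
        reasons.append(f"login provider '{member.provider}' not allowed")
    allowed = {d.lower() for d in settings.domain_whitelist}
    # Assumption: exact domain match; subdomains are not treated as whitelisted.
    if allowed and email_domain(member.email) not in allowed:
        reasons.append(f"domain '{email_domain(member.email)}' not whitelisted")
    return reasons

def dry_run(roster, settings):
    impact = {m.email: removal_reasons(m, settings) for m in roster}
    return {email: r for email, r in impact.items() if r}

ROSTER = [  # constructed sample data
    Member("alice@example.com", "google", True),
    Member("bob@example.com", "github", False),
    Member("carol@Example.COM", "basistheory", True),
    Member("dave@contractor.example", "google", True),
    Member("erin@mail.example.com", "basistheory", True),
]
PROPOSED = IdentitySettings(enforce_mfa=True,
                            allowed_providers=frozenset({"basistheory", "google"}),
                            domain_whitelist=frozenset({"example.com"}))

if __name__ == "__main__":
    for email, reasons in dry_run(ROSTER, PROPOSED).items():
        print(f"{email}: {'; '.join(reasons)}")
```

Users listed by the dry run can be contacted to set up MFA or switch login provider before the settings are saved.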

Single Sign-On (SSO)
Enterprise

Basis Theory supports configuring Single Sign-On (SSO) with multiple providers for Enterprise customers.

For more information and how to configure SSO, visit the dedicated SSO page.