If self-enrollment is not enabled, but the user has a 2FA method enabled and not yet functional due to missing information, they will be unable to log in to a machine protected by ESET Secure Authentication (for example Windows Login protection). The user will need to contact the administrator to generate a Master Recovery Key (MRK) to authenticate.

If self-enrollment is enabled, the user can authenticate using MRK, or enroll by clicking Set up and filling in the missing information.


Enable self-enrollment

1.In the ESA Web Console, navigate to Settings > Enrollment.

2.Click the slider bar to automatically enable authentication options for new users.

3.Click the slider bar in the Self enrollment section.

4.Click Save.


Default authentication types

To assign new users (either imported or created automatically upon first login to an environment protected by ESA) an authentication method by default, enable the desired authentication method in the ESA Web Console in Settings > Enrollment > Default authentication types.


Add another authentication option

If a user is enabled for Hard Token with Mobile Application Push as the second authentication factor, but has been using Hard Token OTP to authenticate so far (they do not have ESA Mobile App installed or provisioned), and now they want to use another 2FA option, self-enrollment allows them to choose (activate) a new option.

1.Log in to a machine protected by ESET Secure Authentication (for example Windows Login protection.

2.When prompted to enter an OTP related to the Hard Token, click Add another authentication method.

3.Enter an OTP related to the Hard Token.

4.Click Setup.

5.Scan the QR code using the ESA Mobile Application by tapping the + icon inside the app and complete the installation and/or provisioning of ESA Mobile Application.

6.The self-enrollment process will require the user to verify the successful registration of the new authentication method by approving the push notifications.