Notify users of a failed MFA challenge

This topic describes how to change policy settings to control when users are notified of a failed MFA challenge: immediately after the first failed challenge, or only after the last required challenge has been attempted.

You can either immediately notify users after a failed challenge, or allow users to step through all required MFA challenges before notifying them of a failed challenge.

These settings apply to CyberArk Identity as well as enrolled endpoints.

To control when users are notified of failed MFA challenges:
  1. Go to Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.
  2. Go to Authentication Policies > CyberArk Identity.
  3. Configure the following policy settings based on your desired behavior, then click Save.

    • Authentication Policies > CyberArk Identity > Continue with additional challenges after failed challenge

    • Authentication Policies > CyberArk Identity > Do not send challenge request when previous challenge response failed

    The following table describes how these options affect failed challenge notifications.

    Examples for notifying users of failed challenges

    Scenario: Immediately notify users of a failed challenge
    Description: If your authentication policy is configured to use password and email confirmation code, and a user enters an incorrect password, CyberArk Identity immediately notifies the user that the password challenge failed. The email confirmation code is not sent.
    Policy setting values:
      • Continue with additional challenges after failed challenge = False
      • Do not send challenge request when previous challenge response failed = n/a (not consulted, because the session ends at the first failed challenge)

    Scenario: Hide the failed challenge
    Description: If your authentication policy is configured to use password and email confirmation code, then even if users enter the wrong password, CyberArk Identity still sends the email confirmation code and prompts for it. After the last required MFA challenge, users are notified that authentication failed, without being told which challenge failed.
    This makes it more difficult for bad actors to learn which factor they got wrong (for example, whether a guessed password was correct); however, it can also make authentication harder for legitimate users, who are not told which step to retry. Hiding the failed challenge is optional; CyberArk Identity does not depend on it for security.
    Policy setting values:
      • Continue with additional challenges after failed challenge = True
      • Do not send challenge request when previous challenge response failed = False

    Scenario: Hide challenge types that send information back to the user
    Description: If your authentication policy is configured to use password followed by a challenge that requires CyberArk Identity to send information back to the user (for example, an email, SMS, or phone call), and the user enters an incorrect password, the follow-up information is not sent. The user cannot complete the next challenge, the authentication session fails, and the user must wait until the session times out before trying again. No email, SMS, or call is generated by attempts that fail the password step, but a user who simply mistypes their password gets no explanation and must wait out the timeout.
    Policy setting values:
      • Continue with additional challenges after failed challenge = True
      • Do not send challenge request when previous challenge response failed = True
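The following model walks a two-step (password, then email code) session under each of the three policy combinations in the table and reports what the user sees and which out-of-band messages are delivered. It is an added illustration, not CyberArk code: the class and function names, the challenge representation and the message strings are assumptions chosen for the example; only the two setting names and the behaviours come from this page.

```python
# Illustrative model of the two CyberArk Identity policy settings on this page.
# NOT CyberArk code: names, data shapes and message text are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Challenge mechanisms that send information back to the user out of band.
OUT_OF_BAND = {"email", "sms", "phone"}


@dataclass(frozen=True)
class Policy:
    # "Continue with additional challenges after failed challenge"
    continue_after_failed: bool
    # "Do not send challenge request when previous challenge response failed"
    suppress_after_failed: bool


@dataclass
class Outcome:
    success: bool
    failed_at: Optional[str]                        # challenge named in the user-visible error, if any
    sent: List[str] = field(default_factory=list)   # out-of-band requests actually delivered
    message: str = ""                               # what the user sees when the session ends


def run_session(policy: Policy, challenges: List[str], correct: Dict[str, bool]) -> Outcome:
    """Walk the ordered challenges (e.g. ["password", "email"]).

    correct[mech] is True when the answer supplied for that challenge is right.
    An out-of-band code can only be answered if it was actually sent.
    """
    sent: List[str] = []
    failed_earlier = False
    for mech in challenges:
        if mech in OUT_OF_BAND:
            if failed_earlier and policy.suppress_after_failed:
                # Prompt is shown but nothing is delivered: the step cannot be
                # completed and the session sits there until it times out.
                return Outcome(False, None, sent, "session timed out: code never sent")
            sent.append(mech)
        if correct.get(mech, False):
            continue
        if not policy.continue_after_failed:
            # Immediate notification names the failed challenge.
            return Outcome(False, mech, sent, f"{mech} challenge failed")
        failed_earlier = True        # keep going; notify only after the last challenge
    if failed_earlier:
        return Outcome(False, None, sent, "authentication failed")
    return Outcome(True, None, sent, "authenticated")


def password_validity_observable(policy: Policy) -> bool:
    """Does someone who cannot answer the email challenge see a different
    end-of-session result depending on whether the password was correct?"""
    chain = ["password", "email"]
    wrong_pw = run_session(policy, chain, {"password": False, "email": False})
    right_pw = run_session(policy, chain, {"password": True, "email": False})
    return (wrong_pw.failed_at, wrong_pw.message) != (right_pw.failed_at, right_pw.message)


# The three rows of the table above.
IMMEDIATE = Policy(continue_after_failed=False, suppress_after_failed=False)
HIDE_FAILED = Policy(continue_after_failed=True, suppress_after_failed=False)
SUPPRESS_OOB = Policy(continue_after_failed=True, suppress_after_failed=True)

if __name__ == "__main__":
    for name, pol in [("immediate", IMMEDIATE), ("hide failed", HIDE_FAILED), ("suppress OOB", SUPPRESS_OOB)]:
        out = run_session(pol, ["password", "email"], {"password": False, "email": True})
        print(f"{name:12s} wrong password -> {out.message!r}, sent={out.sent}, "
              f"password validity observable: {password_validity_observable(pol)}")
```

Running the model shows the trade-off the table describes: only the "hide the failed challenge" combination gives the same end result whether or not the password was right. In the third combination a wrong password leaves the session to time out while a correct password proceeds to the email step, so in this model the two cases remain distinguishable by the behaviour of the session rather than by an error message; the page does not discuss this, and whether it matters depends on how the timeout is surfaced in your deployment.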