Configure MFA for certificate-based authentication

Enrolling an endpoint allows users to authenticate to CyberArk Identity without passwords by using certificate-based authentication. In some cases you might want to enforce conditional multi-factor authentication (MFA) challenges on enrolled devices for additional security. For example, you can allow users with a low risk level to continue with certificate-based authentication, but enforce MFA for users with higher risk levels.

To configure MFA for certificate-based authentication

Step 1: Create a role.

This role is used to apply the policy set that carries the Identity Administration portal authentication settings to your users. Skip this step if your users are already in a role.

  1. Go to Core Services > Roles, then click Add Role.

  2. Complete the fields in the Add Role page.

    Role fields and descriptions
    Field Description

    Name

    Enter a unique name for the role.

    Description

    Enter a description for the role's purpose.

    Organization

    Select an organization from the drop-down menu. See Manage organizations with delegated administrators for more information about organizations.

    Role Type

    Select a role type.

    Static roles require you to manually add members. Dynamic roles evaluate membership based on object attributes. You can create this logic with JavaScript.

  3. Click Save.

  4. Click Members > Add to add members to the role.

    The steps to add members to a role differ depending on the role type.

    Static roles

    Click Add to add members to the role. You can add CyberArk Cloud Directory users and external directory service users.

    1. Click Administrative Rights, then add appropriate administrative rights.

      See Identity Administration portal administrative rights for a description of available administrative rights.

    2. Click Assigned Applications, then assign applications to role members.

      Assigning applications to a role enables you to automatically deploy a default set of applications to the members of the role.

    3. Click Save to finish creating the role.

    Dynamic roles

    1. Enter JavaScript in the Custom Logic box to add objects to the role based on attribute values, then click Save.

      You can use attributes from either AD or CyberArk Cloud Directory. Examples of attributes that you could use include co (AD attribute for Country), Department, Location, Group membership, and Title.

      Click Load Sample to load an example script that you can start with. For example, there is a sample script that adds users with a specific value for the co attribute (AD) or Country attribute (CyberArk Cloud Directory).

      The following example shows the sample script, which checks the country stored for a user and returns true when the user should be a member of the role:

      trace(User.UserType); // trace() logs a diagnostic message
      if (User.UserType == 'AD') { // User is an Active Directory user
          try {
              trace('Looking for property: co');
              if (User.Properties.Properties.co == 'Aruba') {
                  return true; // add the user to the role
              }
          } catch (error) {
              trace('property: co not found'); // attribute missing on this user
          }
      } else if (User.UserType == 'CUS') { // User is a cloud directory user
          try {
              trace('Looking for additional attribute: country_');
              if (User.Properties.Properties['country_'] == 'Aruba') {
                  return true; // add the user to the role
              }
          } catch (error) {
              trace('additional attribute: Country not found');
          }
      }

      return false; // any other user is not a member
    2. Click Test User, then search for the user that you want to add to the role and click Next.

      A window indicates whether the user would be a member based on your custom logic.

      1. Click Administrative Rights, then add appropriate administrative rights.

        See Identity Administration portal administrative rights for a description of available administrative rights.

      2. Click Assigned Applications, then assign applications to role members.

        Assigning applications to a role enables you to automatically deploy a default set of applications to the members of the role.

      3. Click Save to finish creating the role.
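
Extending the sample script above, here is an added example (not CyberArk's sample) of custom logic that adds a user only when the stored country is one of several allowed values and the department matches. Like the page's sample it assumes a global User object and a trace() logger; the department attribute names are assumptions, not documented attributes.

```javascript
// Added example, not CyberArk's sample script: a dynamic-role rule that adds a
// user when the stored country is one of several allowed values AND the user's
// department matches. Like the page's sample it assumes a global `User` object
// (UserType, Properties.Properties) and a `trace()` logger; the department
// attribute names are assumptions, not documented attributes.

const ALLOWED_COUNTRIES = ['Aruba', 'Curacao'];
const REQUIRED_DEPARTMENT = 'Security';

// Attribute name per directory type. `co` and `country_` follow the page's
// sample script; the department names are assumed for illustration.
const ATTRIBUTE_MAP = {
  AD:  { country: 'co',       department: 'department' },
  CUS: { country: 'country_', department: 'department_' },
};

// `trace` exists in the role-script environment; fall back to console locally.
function log(message) {
  if (typeof trace === 'function') trace(message); else console.log(message);
}

// Read one attribute without throwing when the property bag or value is missing.
function readAttribute(user, name) {
  try {
    const bag = user.Properties.Properties;
    return bag && bag[name] !== undefined && bag[name] !== null ? String(bag[name]) : null;
  } catch (error) {
    return null;
  }
}

// Membership decision: true adds the user to the role, false leaves them out.
function isMember(user) {
  const names = ATTRIBUTE_MAP[user.UserType];
  if (!names) {
    log('unsupported UserType: ' + user.UserType);
    return false;
  }
  const country = readAttribute(user, names.country);
  const department = readAttribute(user, names.department);
  log('country=' + country + ' department=' + department);
  if (country === null || department === null) return false; // missing data never grants membership
  // Case-insensitive comparison so capitalisation differences between directories
  // do not silently drop users from the role.
  const countryOk = ALLOWED_COUNTRIES.some(c => c.toLowerCase() === country.toLowerCase());
  return countryOk && department.toLowerCase() === REQUIRED_DEPARTMENT.toLowerCase();
}

// In the Custom Logic box the script body ends with:  return isMember(User);

// Constructed sample users for local testing (not real directory data).
const SAMPLE_USERS = [
  { UserType: 'AD',  Properties: { Properties: { co: 'Aruba', department: 'Security' } } },
  { UserType: 'AD',  Properties: { Properties: { co: 'Aruba', department: 'Sales' } } },
  { UserType: 'CUS', Properties: { Properties: { country_: 'curacao', department_: 'security' } } },
  { UserType: 'CUS', Properties: { Properties: {} } },
];
```

Use Test User against a few accounts of each directory type before saving, since a missing attribute evaluates to "not a member" rather than an error.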

Export dynamic role membership

  1. Click Export Users.

    You can choose from the following:

    Member set and export type options
    Field Description

    Member set

      Active users: Users that are logged in with role-based attributes.

      All users: All users, active or not active, with roles.

    Export type

      Excel: You can export data in an Excel file. The Excel format is compact and can contain up to one million records.

      CSV: You can export data in a CSV file. The CSV format limitation is 150,000 records.

  2. Click OK to generate the report based on the dynamic role script.

    You will receive an email with the report as an attachment.

    Due to email restrictions, the attachment size is limited based on the email server. The default is 20 MB.

Step 2: Create an authentication profile, selecting appropriate challenges from the Challenge 1 column.

Optionally, you can select challenges from the Challenge 2 column to create a third authentication factor.

If you set a pass-through duration, users are presented with the selected additional authentication challenges if they refresh the Identity Administration portal after the pass-through duration expires. However, users can still click through to other areas of the Identity Administration portal after the pass-through duration expires without re-authenticating.

  1. In the Authentication Rules area, select Add New Profile from the Default Profile drop-down list.

  2. Go to Settings > Authentication, and then click Add Profile.
  3. Enter a unique name for each profile.
  4. Select the authentication mechanism(s) from either Multiple Authentication Mechanisms or Single Authentication Mechanism.

    You can't select the same mechanism in both challenge menus. For example, if you select QR code in either of the challenge columns under Multiple Authentication Mechanisms, you can't select it under Single Authentication Mechanism.

    RADIUS does not support FIDO2 authentication mechanisms.

    Some authentication mechanisms require additional configurations before users can authenticate using those mechanisms. Make sure your users complete the configuration requirements for any mechanism you plan to use. Refer to Authentication requirements for more detail.

    Authentication sets and descriptions
    Authentication set Description

    Multiple Authentication Mechanisms

    You can require that the first challenge be the user’s account password, then for the second challenge users can choose between an email confirmation code, security question, or text message confirmation code. See Authentication mechanisms for information about each authentication mechanism.

    If you have multiple challenges, CyberArk Identity waits until users enter all challenges before giving the authentication response (pass or fail). For example, if users enter the wrong password for the first challenge, CyberArk Identity will not send the authentication failure message until after users respond to the second challenge.

    If users fail their first challenge and the second challenge is SMS, email, or phone call, the default configuration is that CyberArk Identity will not send the SMS/email or trigger the phone call. Contact support to change this configuration.

    Single Authentication Mechanism

    Single authentication challenges are sufficient for users to log in without any additional challenges, even if you selected challenges from Multiple Authentication Mechanisms.

    For example: if you select Password for Challenge 1, Security Question(s) for Challenge 2, and QR Code from Single Authentication Mechanism, a user with an enrolled device can scan the QR code with the CyberArk Identity mobile app to log in, bypassing the mechanisms selected from Multiple Authentication Mechanisms. If a user does not have an enrolled device, the user can log in by responding to the challenges selected from Multiple Authentication Mechanisms (Password and Security Question(s) in this example).

    Authentication mechanisms and descriptions
    Authentication mechanism Description

    Something you have

    Mobile Authenticator

    Enables users to authenticate with either a one-time passcode or by approving a push notification using the CyberArk Identity mobile app installed on their enrolled mobile devices.

    If devices are connected through the cellular network or a Wi-Fi connection, users can send the passcodes from the devices. If the devices are not connected, users must manually enter the passcodes into the Identity Administration portal or CyberArk Identity user portal sign-in prompt.

    In a policy set, use Endpoint Policies > Common Settings > Mobile Settings > Security Settings > Show Mobile Authenticator by default to control whether users see the Mobile Authenticator in the CyberArk Identity mobile app. The default behavior is to show the Mobile Authenticator.

    To require number matching for users using the Mobile Authenticator, see Require number matching for Mobile Authenticator.

    The following video illustrates how to enable users to use the CyberArk Identity mobile app as a mobile authenticator.

    Phone call

    When you select this option, CyberArk Identity calls the user using the stored phone number (mobile or land line) and describes an action the user must perform to complete the authentication. The user completes the action from the device to log in.

    This option is disabled for new tenants by default. Contact your account representative to enable this authentication mechanism.

    OATH OTP Client

    This text string is configurable and reflects what you entered during the OATH OTP configuration. When you select this option, users can use a third-party authenticator (such as Google Authenticator) to scan a CyberArk Identity generated QR code and get a one-time passcode (OTP). This authentication mechanism requires additional configuration. See Enable OATH OTP.

    Text message (SMS) confirmation code

    When you select this option, CyberArk Identity sends a text message to the user’s mobile phone with a one-time confirmation code and/or an authentication link. Depending on the language setting, some languages display only the confirmation code while others display the confirmation code and link. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt.

    This option is disabled for new tenants by default. Contact your account representative to enable this authentication mechanism.

    You can configure the confirmation code length (6 or 8 digits) in the Identity Administration portal under Settings > Authentication > Security Settings > Email and SMS passcode length. The default is 8 digits.

    The link and confirmation code are valid for five minutes. If a user does not respond within this time period, CyberArk Identity cancels the login attempt.

    Additionally, you can configure CyberArk Identity to allow users to click a Send SMS again link to request a new SMS text message if the user doesn't receive the initial message in a specified period of time. You can configure this in Identity Administration portal > Core Services > Policies > Authentication Policies > CyberArk Identity > Other Settings.

    To ensure delivery of SMS messages, CyberArk Identity uses a backup SMS provider and cycles through the providers on SMS retry attempts.

    Duo

    Select this option to use Duo as an authentication factor. For example, if you already use Duo for authentication to other applications, you can continue to use it with CyberArk Identity as well. If you select Duo, the authentication process provides an opportunity for users to configure their devices to use Duo, if they haven't already.

    You have to configure Duo in your CyberArk Identity tenant before you can select it as an authentication mechanism. Refer to Duo authentication for more information.

    Email confirmation code

    When you select this option, CyberArk Identity sends a confirmation code and a link to the user’s email address. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt.

    You can configure the confirmation code length (6 or 8 digits) in the Identity Administration portal under Settings > Authentication > Security Settings > Email and SMS passcode length. The default is 8 digits.

    The link and confirmation code are valid for five minutes. If a user does not respond within this time period, CyberArk Identity cancels the login attempt.

    QR code

    Select this option to present users with a Quick Response (QR) code that they can scan with the CyberArk Identity mobile app on an enrolled mobile device.

    To enable the QR code, go to Settings > Authentication > Platform > Security Settings > Authentication Options, and then select Enable QR code based user identification on login screen.

    Successfully scanning a QR code bypasses other authentication mechanisms when it's selected under Single Authentication Mechanism. This allows the user to authenticate without entering a username.

    If you select QR Code for challenge 1 in the authentication profile and the user identifies themselves with a QR code, then the user is identified and authenticated at the same time and proceeds to challenge 2.

    If you select a different authentication mechanism for challenge 1 and QR Code for challenge 2, then the user must scan a QR code a second time, even if they identified themselves with a QR code.

    Mac Cloud Agent does not support QR code authentication for Single Authentication Mechanism.

    FIDO2 Authenticator(s) (single factor)

    FIDO2 is an authentication standard hosted by FIDO Alliance. This standard includes the Web Authentication ("WebAuthn") API, which is a specification written by the World Wide Web Consortium (W3C) and FIDO, with participation from additional third parties. The WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys.

    CyberArk leverages the WebAuthn API to enable passwordless authentication to CyberArk Identity using either external or on-device authenticators.

    Single-factor FIDO2 authenticators are something you have, for example external authenticators such as security keys that you plug into the device's USB port (a YubiKey, for instance).

    Refer to NIST 800-63b for more information about single-factor cryptographic devices.

    FIDO2 authenticator(s) are either on-device or external security keys that provide passwordless authentication.

    YubiKey OTP

    YubiKey one-time password (OTP) is an authentication method hosted by Yubico. A YubiKey is a device that generates a one-time password used as a second authentication factor. The YubiKey is inserted into a USB port or tapped on a device and generates a unique one-time password. The password is sent to the device being authenticated, which then verifies it.

    You have to configure YubiKey OTP in your CyberArk Identity tenant before you can select it as an authentication mechanism. See the YubiKey Personalization Tool for more information.

    Once configured, go to Settings > Authentication > YubiKey Configuration to enable YubiKey OTP. See Enable YubiKey OTP authentication for more information.

    Something you are

    FIDO2 Authenticator(s) (multi-factor)

    FIDO2 is an authentication standard hosted by FIDO Alliance. This standard includes the Web Authentication ("WebAuthn") API, which is a specification written by the World Wide Web Consortium (W3C) and FIDO, with participation from additional third parties. The WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys.

    CyberArk leverages the WebAuthn API to enable passwordless authentication to CyberArk Identity using either external or on-device authenticators.

    Supported multi-factor FIDO2 authenticators are something you are. Popular examples are biometric authenticators integrated into device hardware, such as Mac Touch ID, Windows Hello, and fingerprint scanners.

    Refer to NIST 800-63b for more information about multi-factor cryptographic devices.

    FIDO2 authenticator(s) are either on-device or external security keys that provide passwordless authentication.

    Passkey

    A passkey can be used to authenticate to an application without a username or password. Passkeys are stored on the user's device to verify the user's identity and are something you are. An unlock mechanism such as a fingerprint, PIN, or facial recognition unlocks the device, and the passkey is then used to prove the user's identity to the application so that only the authorized user gains access.

    Passkeys are based on FIDO2 standards. See the FIDO Alliance on Passkeys for more information.

    To configure a passkey, go to Policies > User Security Policies > User Account Settings and select Yes for Enable passkey authentication. See Enable passkeys for more information.

    Something you know

    Password

    When you select this option, users are prompted for either their Active Directory or CyberArk Identity user password when logging in to the Admin portal.

    Security Question(s)

    When you select this option, users are prompted to answer user-defined and/or admin-defined security questions. When creating the authentication profile, you can specify the number of questions users must answer. You can also specify the number of user-defined and admin-defined questions available to users. See Enabling multiple security questions. Users create, select, or change the question and answer from their Account page in the user portal.

    Other

    3rd Party RADIUS Authentication

    When you select this option, CyberArk Identity communicates with your RADIUS server to authenticate users into CyberArk Identity or an enrolled endpoint. See Configure CyberArk Identity for RADIUS.

  5. (Optional) Select the pass-through duration.

    If users have already authenticated using one of the specified mechanisms within this duration, they are not challenged again. The default is 30 minutes.

    This pass-through option does not apply to Windows or Mac MFA logins or to RADIUS VPN connections; it applies only to the user portal and the Identity Administration portal.

  6. Click OK.
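
To make the Multiple versus Single Authentication Mechanism behaviour described in this step concrete, here is an added example (not CyberArk's code) that models how a profile is evaluated: every challenge is collected before the verdict, a failed first challenge suppresses SMS, email and phone delivery, and a successful single mechanism bypasses the chain. The profile and attempt shapes and the verify() callback are assumptions.

```javascript
// Added example, not CyberArk code: a model of how a Step 2 authentication
// profile is evaluated, following the behaviour the page describes. The
// profile/attempt shapes and the verify() callback are assumptions.

// Second-challenge mechanisms delivered out of band. Under the default tenant
// configuration they are not sent when Challenge 1 failed.
const OUT_OF_BAND = new Set(['SMS', 'Email', 'Phone call']);

// profile: { challenge1: [...], challenge2: [...], single: [...] } (mechanism names)
// attempt: { single?: {mechanism, response}, first: {mechanism, response},
//            second?: {mechanism, response} }
// verify(mechanism, response) -> boolean, supplied by the caller.
// Returns { result: 'pass' | 'fail', prompted: [...], delivered: [...] }.
function evaluateProfile(profile, attempt, verify) {
  const outcome = { result: 'fail', prompted: [], delivered: [] };
  // Single Authentication Mechanism: success here is sufficient on its own,
  // even when Challenge 1 and Challenge 2 are also configured.
  if (attempt.single && profile.single.includes(attempt.single.mechanism)) {
    outcome.prompted.push(attempt.single.mechanism);
    if (verify(attempt.single.mechanism, attempt.single.response)) {
      outcome.result = 'pass';
      return outcome;
    }
  }
  if (!profile.challenge1.includes(attempt.first.mechanism)) {
    throw new Error('mechanism not allowed for Challenge 1');
  }
  outcome.prompted.push(attempt.first.mechanism);
  const firstOk = verify(attempt.first.mechanism, attempt.first.response);
  if (profile.challenge2.length === 0) {
    outcome.result = firstOk ? 'pass' : 'fail';
    return outcome;
  }
  if (!attempt.second || !profile.challenge2.includes(attempt.second.mechanism)) {
    throw new Error('mechanism not allowed for Challenge 2');
  }
  // Challenge 2 is always prompted, even after a failed Challenge 1: the
  // pass/fail verdict is only given once every challenge has been answered,
  // so the login screen does not reveal that the password alone was wrong.
  outcome.prompted.push(attempt.second.mechanism);
  let secondOk = false;
  if (OUT_OF_BAND.has(attempt.second.mechanism) && !firstOk) {
    // Default behaviour: nothing is sent after a failed first challenge, so
    // the second answer cannot verify (contact support to change this).
  } else {
    if (OUT_OF_BAND.has(attempt.second.mechanism)) {
      outcome.delivered.push(attempt.second.mechanism);
    }
    secondOk = verify(attempt.second.mechanism, attempt.second.response);
  }
  outcome.result = firstOk && secondOk ? 'pass' : 'fail';
  return outcome;
}

// Constructed sample secrets and verifier for local runs (not real credentials).
const SAMPLE_SECRETS = {
  Password: 'correct horse', SMS: '12345678',
  'Security Question': 'rover', 'QR Code': 'qr-session-ok',
};
function sampleVerify(mechanism, response) {
  return SAMPLE_SECRETS[mechanism] !== undefined && SAMPLE_SECRETS[mechanism] === response;
}

// The profile from the page's example: Password, then Security Question(s) or
// SMS, with QR Code selected under Single Authentication Mechanism.
const EXAMPLE_PROFILE = { challenge1: ['Password'], challenge2: ['Security Question', 'SMS'], single: ['QR Code'] };
```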

Step 3: Enable the authentication factors that you plan to use.

SMS, Phone

  1. Verify that your users have a mobile phone number associated with their account.

    1. Log in to the Identity Administration portal.
    2. Click Core Services > Users.
    3. If you have installed the CyberArk Identity Connector to integrate Active Directory with CyberArk Identity, then you will see your Active Directory user accounts in this list.

    4. Click the relevant user name.
    5. The Account page shows the email address and mobile number associated with this account.

  2. For Active Directory users, you can define custom attributes in Active Directory and map them to the Mobile Number field. Updating the custom attribute in AD also updates the mapped Mobile Number field in the Identity Administration portal. Additionally, when you update the Mobile Number field, the mapped custom attribute field in Active Directory is also updated. To enable this feature and configure the mapping between the custom attribute in Active Directory and the Mobile Number field in CyberArk Identity, contact your CyberArk account representative.

    Identity Administration portal Domain administrative accounts have the permission to modify the custom attribute in Active Directory. See Manage domain administrative accounts.

OATH OTP

  1. Sign in to the Identity Administration portal.

  2. Go to Core Services > Policies.

  3. Select a policy set or create a new one.

  4. Go to User Security Policies > OATH OTP.

  5. Select Yes in the Allow OATH OTP Integration drop-down list.

  6. Select Yes in the Enable auto-setup of OATH OTP in Identity app to allow users to automatically configure OATH OTP during device enrollment with the CyberArk Identity mobile app.

    This provides a more convenient enrollment experience for users who use the CyberArk Identity mobile app. If you expect users to use a third-party authenticator such as Google Authenticator, select the default value (--) or No.

  7. Click Save.

  8. Enable users to configure an OATH OTP client.

    1. Click User Account Settings.

      The User Account Setting window opens.

    2. Select Yes in the Enable user to configure an OATH OTP client drop-down list.

    3. Enter a user-friendly name (for example the name of the OTP client used by your organization) in the OATH OTP Display Name text field. This name is what users will see.

    4. Select an authentication profile to require users to provide additional authentication before they can access the QR code.

    For desktop-based CyberArk Authenticator, do not configure any additional authentication profiles. Leave this field set to --.

  9. Click Save.

Step 4: Enable authentication policy controls and add an authentication rule for Certificate Authentication.

  1. Click Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.
  2. In the Policy Settings tab, change the Policy Assignment to Specified Roles and then add the role created in Create a role.

  3. Click Authentication Policies > the Identity Administration portal.

  4. Select Yes in the Enable authentication policy controls drop-down.

  5. Clear the box for Certificate authentication bypasses authentication rules and default profile so that attempted logins matching the authentication rule are subject to the MFA challenges in your authentication profile.

  6. (Optional) Select Set identity cookie for connections using certificate authentication to set an identity cookie on enrolled devices that typically use ZSO.

    You can then use the presence of the identity cookie in your authentication rule as a condition of whether you enforce MFA or a more lenient authentication profile.

  7. (Optional) Select Connections using certificate authentication satisfy all MFA mechanisms to allow certificate authentication to substitute for the authentication profile on step-up challenges, such as requiring additional authentication for access to certain deployed applications.

  8. Click Add Rule to specify conditional access.

    The Authentication Rule window displays.

  9. Click Add Filter on the Authentication Rule window.

  10. Select Certificate Authentication from the filter drop-down menu, is used from the condition drop-down menu, and your authentication profile from the Authentication Profile menu.

  11. Click the Add button associated with the filter and condition, then click OK.

  12. Click Save.

Enrolled users using certificate-based authentication (ZSO) will now be challenged by your selected authentication factors before successfully signing in to CyberArk Identity.