Set up OTPs to authenticate to the User Portal
This topic describes how to use mobile-based authenticators (for example, Google Authenticator or the CyberArk Identity mobile app) to authenticate using one-time passcodes (OTPs).
You can use an OTP to log in to the User Portal. You use a third-party authenticator (like Google Authenticator) or the CyberArk client application to scan a QR code generated by CyberArk Identity and then configure the OTP. CyberArk supports any authenticator app that supports the OATH TOTP standard. Refer to https://openauthentication.org/about-oath/ for more information.
If an internet connection is not available, you can also use an offline OTP to log in to the user portal. Users must first log in online before an offline OTP profile is created.
If your system administrator enabled the policy setting, OTPs are automatically configured when you enroll an Android or iOS device with the CyberArk Identity mobile app.
If you have an enrolled Android or iOS device, after you successfully authenticate to your cloud agent-enrolled machine, you can refresh the Passcodes section of the CyberArk Identity mobile app to automatically create an offline OTP code.
- Log in to the user portal.
- Click Account > Authentication Factors > Show QR Code. The text associated with the Show QR Code button reflects the text that your systems administrator entered when they configured this feature.
The QR code displays.
- Use a third-party authenticator application or the CyberArk client application on your device to scan the QR code.
- A passcode is displayed on the third-party authenticator application and on the Passcodes page of the CyberArk application.
You can now enter the passcode to log in to CyberArk Identity. This authentication works across tenants. On the Passcodes page of the CyberArk application, you can tap the relevant code to silently send that code and authenticate for the relevant user/endpoint.
- Log in to the user portal.
- Click Devices, then select the enrolled device that you want to set up an offline OTP for.
- Click Actions > Setup Offline OTP.
The QR code displays.
- Use a third-party authenticator application or the CyberArk client application on your device to scan the QR code.
A passcode is displayed on the third-party authenticator application and on the Passcodes page of the CyberArk application.
- Enter the verification code generated by the authenticator app, then click Verify.
You can now enter the passcode to log in to CyberArk Identity when your device is offline.
On the Passcodes page of the CyberArk mobile application, you can tap the relevant code to silently send that code and authenticate for the relevant user/endpoint.
- Click the CyberArk Identity icon in the menu bar, then click Setup Offline OTP.
The QR code appears.
- Use a third-party authenticator application or the CyberArk client application on your device to scan the QR code.
- A passcode is displayed on the third-party authenticator application and on the Passcodes page of the CyberArk application.
You can now enter the passcode to log in to CyberArk Identity when your device is offline.
On the Passcodes page of the CyberArk mobile application, you can tap the relevant code to silently send that code and authenticate for the relevant user/endpoint.
If your OTP fails, you might need to resynchronize your OTP with CyberArk Identity.
- Log in to the user portal.
- Click Account > Passcodes, then select the passcode that you need to resync.
- Click Actions > Resynchronize.
- Follow the directions in the Resynchronize OATH Token window, then click Submit.
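
Why a passcode can fail and what a resynchronization corrects, shown as an added example that is not CyberArk code: an OATH TOTP (RFC 6238) generator, a verifier that tolerates a small time-step window, and a resync routine that measures clock drift from two consecutive codes. The function names, window sizes, and the two-code resync method are assumptions for illustration; this page does not describe how CyberArk Identity implements resynchronization.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6     # passcode length shown by most authenticator apps


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, server_time: int,
           drift_steps: int = 0, window: int = 1) -> bool:
    """Accept a code from the current step +/- window, shifted by known drift."""
    for delta in range(-window, window + 1):
        candidate = totp(secret, server_time + (drift_steps + delta) * STEP)
        if hmac.compare_digest(candidate, code):  # constant-time comparison
            return True
    return False


def resync(secret: bytes, code1: str, code2: str, server_time: int,
           search: int = 20):
    """Return the device's drift in steps from two consecutive codes, or None."""
    for drift in range(-search, search + 1):
        t = server_time + drift * STEP
        if (hmac.compare_digest(totp(secret, t), code1)
                and hmac.compare_digest(totp(secret, t + STEP), code2)):
            return drift
    return None


# Constructed sample: RFC 6238 test secret, device clock 5 minutes slow.
SECRET = b"12345678901234567890"
SERVER_NOW = 1_700_000_000
DEVICE_NOW = SERVER_NOW - 300

if __name__ == "__main__":
    code = totp(SECRET, DEVICE_NOW)
    print("accepted before resync:", verify(SECRET, code, SERVER_NOW))
    drift = resync(SECRET, code, totp(SECRET, DEVICE_NOW + STEP), SERVER_NOW)
    print("drift in steps:", drift)
    print("accepted after resync:",
          verify(SECRET, code, SERVER_NOW, drift_steps=drift))
```

Requiring two consecutive codes during resync keeps the wider search window from turning into a wider guessing window for a single 6-digit value.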