Authentication mechanisms

Something you have

When you select this option, Identity Administration calls the user using the stored phone number (mobile or land line) and describes an action the user must perform to complete the authentication. The user completes the action from the device to log in.

This option is disabled for new tenants by default. Contact your account representative to enable this authentication mechanism.

This text string is configurable and reflects what you entered during the OATH OTP configuration. When you select this option, users can use a third-party authenticator (like Google Authenticator) to scan a Identity Administration generated QR code and get a one-time-passcode (OTP). This authentication mechanism requires additional configurations. See How to configure OATH OTP.

When you select this option, Identity Administration sends a text message to the user’s mobile phone with a one-time confirmation code and/or an authentication link. Depending on the language setting, some languages display only the confirmation code while others display the confirmation code and link. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt.

This option is disabled for new tenants by default. Contact your account representative to enable this authentication mechanism.

You can configure the confirmation code length (6 or 8 digits) in Identity Administration portal > Settings > Authentication > Security Settings > Email and SMS passcode length drop down option. The default is 8 digits.

Additionally, you can configure Identity Administration to allow users to click a Send SMS again link to request a new SMS text message if the user doesn't receive the initial message in a specified period of time. You can configure this in Identity Administration portal > Core Services > Policies > Authentication Policies > CyberArk Identity > Other Settings.

Select this option to use Duo as an authentication factor. For example, if you already use Duo for authentication to other applications, you can continue to use it with Identity Administration as well. If you select Duo, the authentication process provides an opportunity for users to configure their devices to use Duo, if they haven't already.

You have to configure Duo in your Identity Administration tenant before you can select it as an authentication mechanism. Refer to Enable Duo authentication for more information.

When you select this option, Identity Administration sends a confirmation code and a link to the user’s email address. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt.

You can configure the confirmation code length (6 or 8 digits) in Identity Administration portal > Settings > Authentication > Security Settings > Email and SMS passcode length drop down option. The default is 8 digits.

The link and confirmation code are valid for five minutes. If a user does not respond within this time period, Identity Administration cancels the login attempt.

Select this option to present users with a Quick Response (QR) code that they can scan with the CyberArk Identity mobile app on an enrolled mobile device.

To enable the QR code, go to Settings > Authentication > Platform > Security Settings > Authentication Options, and then select Enable QR code based user identification on login screen.

Successfully scanning a QR code bypasses other authentication mechanisms when it's selected under Single Authentication Mechanism. This allows the user to authenticate without entering a username.

FIDO2 is an authentication standard hosted by FIDO Alliance. This standard includes the Web Authentication ("WebAuthn") API, which is a specification written by the World Wide Web Consortium (W3C) and FIDO, with participation from additional third parties. The WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys.

CyberArk leverages the WebAuthn API to enable passwordless authentication to Identity Administration using either external or on-device authenticators.

Single-factor FIDO2 authenticators are something you have. Examples are external authenticators like security keys that you plug into the device's USB port; for example, a YubiKey.

Refer to NIST 800-63b for more information about single-factor cryptographic devices.

FIDO2 authenticator(s) are either on-device or external security keys that provide passwordless authentication.

YubiKey one-time password (OTP) is an authentication method hosted by Yubico. YubiKey is a device that generates a one-time password used as a second factor authentication. The YubiKey device is inserted into a USB port or tapped on a device and a unique, one-time password is generated. The password is sent to the device being authenticated, then the device verifies the password.

You have to configure YubiKey OTP in your Identity Administration tenant before you can select it as an authentication mechanism. See the YubiKey Personalization Tool for more information.

Once configured, go to Settings > Authentication > YubiKey Configuration to enable YubiKey OTP. See Enable YubiKey OTP authentication for more information.

Something you are

FIDO2 is an authentication standard hosted by FIDO Alliance. This standard includes the Web Authentication ("WebAuthn") API, which is a specification written by the World Wide Web Consortium (W3C) and FIDO, with participation from additional third parties. The WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys.

CyberArk leverages the WebAuthn API to enable passwordless authentication to Identity Administration using either external or on-device authenticators.

Supported multi-factor FIDO2 authenticators are something you are. Popular examples are biometric authenticators integrated into device hardware, such as Mac Touch ID, Windows Hello, and fingerprint scanners.

Refer to NIST 800-63b for more information about multi-factor cryptographic devices.

FIDO2 authenticator(s) are either on-device or external security keys that provide passwordless authentication.

A passkey can be used for authenticating an application without using a username or password. Passkeys are stored in a user's device to verify a user's identity and is something you are. A biometric sensor, such as a fingerprint, PIN, facial recognition, etc., unlocks the device and creates a passkey to communicate with an application to ensure access to the authorized user.

Passkeys are based on FIDO2 standards. See the FIDO Alliance on Passkeys for more information.

To configure a passkey, go to Policies > User Security Policies > User Account Settings and select Yes for Enable passkey authentication. See Enable passkeys for more information.

Something you know

When you select this option, users are prompted for either their Active Directory or Identity Administration user password when logging in to the Admin portal.

When you select this option, users are prompted to answer user-defined and/or admin-defined security questions. When creating the authentication profile, you can specify the number of questions users must answer. You can also specify the number of user-defined and admin-defined questions available to users. See Enable and configure Security Questions. Users create, select, or change the question and answer from their Account page in the user portal.

Other