Configure MFA for Identity Administration

This topic describes how to configure MFA for either all users, or users in specific Roles.

You can require users to always authenticate, regardless of connection factors or conditions. For example, if you create an authentication profile with only the password mechanism selected and assign it to the Default Profile option, then all users (regardless of the log in computer’s IP address and browser identity cookie) will be asked to enter passwords.

Configure MFA for all users

The following procedure describes how to configure MFA for all users, regardless of their Role.

To configure MFA for all users

Step 1: Add a new policy set

  1. Log in to the Identity Administration Portal.

  2. Go to Core Services > Policies and click Add Policy Set to create a new one.

  3. Name the policy set and select All users and devices.

Step 2: Enable authentication policy controls

  1. Go to Authentication Policies > Identity Administration.

  2. Select Yes in the Enable authentication policy controls drop-down.

Step 3: Create an authentication profile

  1. In the Authentication Rules area, select Add New Profile from the Default Profile drop-down list.

  2. Enter a unique name for each profile.
  3. Select the authentication mechanism(s) from either Multiple Authentication Mechanisms or Single Authentication Mechanism.

    You can't select the same mechanism in both challenge menus. For example, if you select QR code in either of the challenge columns under Multiple Authentication Mechanisms, you can't select it under Single Authentication Mechanism.

    RADIUS does not support FIDO2 authentication mechanisms.

    Some authentication mechanisms require additional configurations before users can authenticate using those mechanisms. Make sure your users complete the configuration requirements for any mechanism you plan to use. Refer to Authentication requirements for more detail.

    Authentication set

    Authentication set Description

    Multiple Authentication Mechanisms

    You can require that the first challenge be the user’s account password, then for the second challenge users can choose between an email confirmation code, security question, or text message confirmation code. See Authentication mechanisms for information about each authentication mechanism.

    If you have multiple challenges, Identity Administration waits until users enter all challenges before giving the authentication response (pass or fail). For example, if users enter the wrong password for the first challenge, Identity Administration will not send the authentication failure message until after users respond to the second challenge.

    If users fail their first challenge and the second challenge is SMS, email, or phone call, the default configuration is that Identity Administration will not send the SMS/email or trigger the phone call. Contact support to change this configuration.

    Single Authentication Mechanism

    Single authentication challenges are sufficient for users to log in without any additional challenges, even if you selected challenges from Multiple Authentication Mechanisms.

    For example: if you select Password for Challenge 1, Security Question(s) for Challenge 2, and QR Code from Single Authentication Mechanism, a user with an enrolled device can scan the QR code with the CyberArk Identity mobile app to log in, bypassing the mechanisms selected from Multiple Authentication Mechanisms. If a user does not have an enrolled device, the user can log in by responding to the challenges selected from Multiple Authentication Mechanisms (Password and Security Question(s) in this example).

    To see the authentication options available for your service, see MFA options in Shared Services.

    Authentication mechanism

    Authentication mechanisms
    Authentication mechanism

    Description

    Something you have

    Mobile Authenticator

    Enables users to authenticate with either a one-time passcode or by approving a push notification using the CyberArk Identity mobile app installed on their enrolled mobile devices.

    If devices are connected through the cell network or a wi-fi connection, users can send the passcodes from the devices. If the devices are not connected, users must manually enter the passcodes into the Identity Administration Portal or Identity Administration user portal sign in prompt.

    In a policy set, use Endpoint Policies > Common Settings > Mobile Settings > Security Settings > Show Mobile Authenticator by default to control whether users see the Mobile Authenticator in the CyberArk Identity mobile app. The default behavior is to show the Mobile Authenticator.

    To require number matching for users using the Mobile Authenticator, see Require number matching for Mobile Authenticator.

    The following video illustrates how to enable users to use the CyberArk Identity mobile app as a mobile authenticator.

    Phone call

    When you select this option, Identity Administration calls the user using the stored phone number (mobile or land line) and describes an action the user must perform to complete the authentication. The user completes the action from the device to log in.

    This option is disabled for new tenants by default. Contact your account representative to enable this authentication mechanism.

    OATH OTP Client

    This text string is configurable and reflects what you entered during the OATH OTP configuration. When you select this option, users can use a third-party authenticator (like Google Authenticator) to scan a Identity Administration generated QR code and get a one-time-passcode (OTP). This authentication mechanism requires additional configurations. See How to configure OATH OTP.

    Text message (SMS) confirmation code

    When you select this option, Identity Administration sends a text message to the user’s mobile phone with a one-time confirmation code and/or an authentication link. Depending on the language setting, some languages display only the confirmation code while others display the confirmation code and link. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt.

    This option is disabled for new tenants by default. Contact your account representative to enable this authentication mechanism.

    You can configure the confirmation code length (6 or 8 digits) in Identity Administration PortalSettings > Authentication > Security Settings > Email and SMS passcode length drop down option. The default is 8 digits.

    The link and confirmation code are valid for five minutes. If a user does not respond within this time period, Identity Administration cancels the login attempt.

    Additionally, you can configure Identity Administration to allow users to click a Send SMS again link to request a new SMS text message if the user doesn't receive the initial message in a specified period of time. You can configure this in Identity Administration Portal > Core Services > Policies > Authentication Policies > CyberArk Identity > Other Settings.

    To ensure delivery of SMS messages, Identity Administration uses a backup SMS provider and cycles through the providers on SMS retry attempts.

    Duo

    Select this option to use Duo as an authentication factor. For example, if you already use Duo for authentication to other applications, you can continue to use it with Identity Administration as well. If you select Duo, the authentication process provides an opportunity for users to configure their devices to use Duo, if they haven't already.

    You have to configure Duo in your Identity Administration tenant before you can select it as an authentication mechanism. Refer to Duo authentication for more information.

    Email confirmation code

    When you select this option, Identity Administration sends a confirmation code and a link to the user’s email address. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt.

    You can configure the confirmation code length (6 or 8 digits) in Identity Administration PortalSettings > Authentication > Security Settings > Email and SMS passcode length drop down option. The default is 8 digits.

    The link and confirmation code are valid for five minutes. If a user does not respond within this time period, Identity Administration cancels the login attempt.

    QR code

    Select this option to present users with a Quick Response (QR) code that they can scan with the CyberArk Identity mobile app on an enrolled mobile device.

    To enable the QR code, go to Settings > Authentication > Platform > Security Settings > Authentication Options, and then select Enable QR code based user identification on login screen.

    Successfully scanning a QR code bypasses other authentication mechanisms when it's selected under Single Authentication Mechanism. This allows the user to authenticate without entering a username.

    If you select QR Code for challenge 1 in the authentication profile and the user identifies themselves with a QR code, then the user is identified and authenticated at the same time and proceeds to challenge 2.

    If you select a different authentication mechanism for challenge 1 and QR Code for challenge 2, then the user must scan a QR code a second time, even if they identified themselves with a QR code.

    Mac Cloud Agent does not support QR code authentication for Single Authentication Mechanism.

    FIDO2 Authenticator(s) (single factor)

    FIDO2 is an authentication standard hosted by FIDO Alliance. This standard includes the Web Authentication ("WebAuthn") API, which is a specification written by the World Wide Web Consortium (W3C) and FIDO, with participation from additional third parties. The WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys.

    CyberArk leverages the WebAuthn API to enable passwordless authentication to Identity Administration using either external or on-device authenticators.

    Single-factor FIDO2 authenticators are something you have. Examples are external authenticators like security keys that you plug into the device's USB port; for example, a YubiKey.

    Refer to NIST 800-63b for more information about single-factor cryptographic devices.

    FIDO2 authenticator(s) are either on-device or external security keys that provide passwordless authentication.

    YubiKey OTP

    YubiKey one-time password (OTP) is an authentication method hosted by Yubico. YubiKey is a device that generates a one-time password used as a second factor authentication. The YubiKey device is inserted into a USB port or tapped on a device and a unique, one-time password is generated. The password is sent to the device being authenticated, then the device verifies the password.

    You have to configure YubiKey OTP in your Identity Administration tenant before you can select it as an authentication mechanism. See the YubiKey Personalization Tool for more information.

    Once configured, go to Settings > Authentication > YubiKey Configuration to enable YubiKey OTP. See Enable YubiKey OTP authentication for more information.

    Something you are

    FIDO2 Authenticator(s) (multi-factor)

    FIDO2 is an authentication standard hosted by FIDO Alliance. This standard includes the Web Authentication ("WebAuthn") API, which is a specification written by the World Wide Web Consortium (W3C) and FIDO, with participation from additional third parties. The WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys.

    CyberArk leverages the WebAuthn API to enable passwordless authentication to Identity Administration using either external or on-device authenticators.

    Supported multi-factor FIDO2 authenticators are something you are. Popular examples are biometric authenticators integrated into device hardware, such as Mac Touch ID, Windows Hello, and fingerprint scanners.

    Refer to NIST 800-63b for more information about multi-factor cryptographic devices.

    FIDO2 authenticator(s) are either on-device or external security keys that provide passwordless authentication.

    Something you know

     

    Password

    When you select this option, users are prompted for either their Active Directory or Identity Administration user password when logging in to the Admin portal.

    Security Question(s)

    When you select this option, users are prompted to answer user-defined and/or admin-defined security questions. When creating the authentication profile, you can specify the number of questions users must answer. You can also specify the number of user-defined and admin-defined questions available to users. See Enabling multiple security questions. Users create, select, or change the question and answer from their Account page in the user portal.

    Other

    3rd Party RADIUS Authentication

    When you select this option, we communicate with your RADIUS server to allow for user authentication into Identity Administration or an enrolled endpoint. See Configure Identity Administration for RADIUS.

  4. (Optional) Select the pass-through duration.

    If users have already authenticated using one of the specified mechanism within this duration, then they will not be authenticated again. The default is 30 minutes.

    This pass-through option does not apply to Windows or Mac MFA logins, or RADIUS VPN connections; only the User Portal and the Identity Administration Portal.
  5. Click OK.

    If you have not created an authentication rule, see Creating authentication rules to create one and associate this profile to it.

Configure MFA for service users

Enforce MFA for users accessing specific services by applying the policy set to users in a service-specific Role.

To configure MFA for all users

Step 1: Add a new policy set

  1. Log in to the Identity Administration Portal.

  2. Go to Core Services > Policies and click Add Policy Set to create a new one.

  3. Name the policy set and select Specified Roles.

  4. Add the service-specific Roles to the list of Specified Roles.

Step 2: Enable authentication policy controls

  1. Go to Authentication Policies > Identity Administration.

  2. Select Yes in the Enable authentication policy controls drop-down.

Step 3: Create an authentication profile

  1. In the Authentication Rules area, select Add New Profile from the Default Profile drop-down list.

  2. Enter a unique name for each profile.
  3. Select the authentication mechanism(s) from either Multiple Authentication Mechanisms or Single Authentication Mechanism.

    You can't select the same mechanism in both challenge menus. For example, if you select QR code in either of the challenge columns under Multiple Authentication Mechanisms, you can't select it under Single Authentication Mechanism.

    RADIUS does not support FIDO2 authentication mechanisms.

    Some authentication mechanisms require additional configurations before users can authenticate using those mechanisms. Make sure your users complete the configuration requirements for any mechanism you plan to use. Refer to Authentication requirements for more detail.

    Authentication set

    Authentication set Description

    Multiple Authentication Mechanisms

    You can require that the first challenge be the user’s account password, then for the second challenge users can choose between an email confirmation code, security question, or text message confirmation code. See Authentication mechanisms for information about each authentication mechanism.

    If you have multiple challenges, Identity Administration waits until users enter all challenges before giving the authentication response (pass or fail). For example, if users enter the wrong password for the first challenge, Identity Administration will not send the authentication failure message until after users respond to the second challenge.

    If users fail their first challenge and the second challenge is SMS, email, or phone call, the default configuration is that Identity Administration will not send the SMS/email or trigger the phone call. Contact support to change this configuration.

    Single Authentication Mechanism

    Single authentication challenges are sufficient for users to log in without any additional challenges, even if you selected challenges from Multiple Authentication Mechanisms.

    For example: if you select Password for Challenge 1, Security Question(s) for Challenge 2, and QR Code from Single Authentication Mechanism, a user with an enrolled device can scan the QR code with the CyberArk Identity mobile app to log in, bypassing the mechanisms selected from Multiple Authentication Mechanisms. If a user does not have an enrolled device, the user can log in by responding to the challenges selected from Multiple Authentication Mechanisms (Password and Security Question(s) in this example).

    To see the authentication options available for your service, see MFA options in Shared Services.

    Authentication mechanism

    Authentication mechanisms
    Authentication mechanism

    Description

    Something you have

    Mobile Authenticator

    Enables users to authenticate with either a one-time passcode or by approving a push notification using the CyberArk Identity mobile app installed on their enrolled mobile devices.

    If devices are connected through the cell network or a wi-fi connection, users can send the passcodes from the devices. If the devices are not connected, users must manually enter the passcodes into the Identity Administration Portal or Identity Administration user portal sign in prompt.

    In a policy set, use Endpoint Policies > Common Settings > Mobile Settings > Security Settings > Show Mobile Authenticator by default to control whether users see the Mobile Authenticator in the CyberArk Identity mobile app. The default behavior is to show the Mobile Authenticator.

    To require number matching for users using the Mobile Authenticator, see Require number matching for Mobile Authenticator.

    The following video illustrates how to enable users to use the CyberArk Identity mobile app as a mobile authenticator.

    Phone call

    When you select this option, Identity Administration calls the user using the stored phone number (mobile or land line) and describes an action the user must perform to complete the authentication. The user completes the action from the device to log in.

    This option is disabled for new tenants by default. Contact your account representative to enable this authentication mechanism.

    OATH OTP Client

    This text string is configurable and reflects what you entered during the OATH OTP configuration. When you select this option, users can use a third-party authenticator (like Google Authenticator) to scan a Identity Administration generated QR code and get a one-time-passcode (OTP). This authentication mechanism requires additional configurations. See How to configure OATH OTP.

    Text message (SMS) confirmation code

    When you select this option, Identity Administration sends a text message to the user’s mobile phone with a one-time confirmation code and/or an authentication link. Depending on the language setting, some languages display only the confirmation code while others display the confirmation code and link. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt.

    This option is disabled for new tenants by default. Contact your account representative to enable this authentication mechanism.

    You can configure the confirmation code length (6 or 8 digits) in Identity Administration PortalSettings > Authentication > Security Settings > Email and SMS passcode length drop down option. The default is 8 digits.

    The link and confirmation code are valid for five minutes. If a user does not respond within this time period, Identity Administration cancels the login attempt.

    Additionally, you can configure Identity Administration to allow users to click a Send SMS again link to request a new SMS text message if the user doesn't receive the initial message in a specified period of time. You can configure this in Identity Administration Portal > Core Services > Policies > Authentication Policies > CyberArk Identity > Other Settings.

    To ensure delivery of SMS messages, Identity Administration uses a backup SMS provider and cycles through the providers on SMS retry attempts.

    Duo

    Select this option to use Duo as an authentication factor. For example, if you already use Duo for authentication to other applications, you can continue to use it with Identity Administration as well. If you select Duo, the authentication process provides an opportunity for users to configure their devices to use Duo, if they haven't already.

    You have to configure Duo in your Identity Administration tenant before you can select it as an authentication mechanism. Refer to Duo authentication for more information.

    Email confirmation code

    When you select this option, Identity Administration sends a confirmation code and a link to the user’s email address. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt.

    You can configure the confirmation code length (6 or 8 digits) in Identity Administration PortalSettings > Authentication > Security Settings > Email and SMS passcode length drop down option. The default is 8 digits.

    The link and confirmation code are valid for five minutes. If a user does not respond within this time period, Identity Administration cancels the login attempt.

    QR code

    Select this option to present users with a Quick Response (QR) code that they can scan with the CyberArk Identity mobile app on an enrolled mobile device.

    To enable the QR code, go to Settings > Authentication > Platform > Security Settings > Authentication Options, and then select Enable QR code based user identification on login screen.

    Successfully scanning a QR code bypasses other authentication mechanisms when it's selected under Single Authentication Mechanism. This allows the user to authenticate without entering a username.

    If you select QR Code for challenge 1 in the authentication profile and the user identifies themselves with a QR code, then the user is identified and authenticated at the same time and proceeds to challenge 2.

    If you select a different authentication mechanism for challenge 1 and QR Code for challenge 2, then the user must scan a QR code a second time, even if they identified themselves with a QR code.

    Mac Cloud Agent does not support QR code authentication for Single Authentication Mechanism.

    FIDO2 Authenticator(s) (single factor)

    FIDO2 is an authentication standard hosted by FIDO Alliance. This standard includes the Web Authentication ("WebAuthn") API, which is a specification written by the World Wide Web Consortium (W3C) and FIDO, with participation from additional third parties. The WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys.

    CyberArk leverages the WebAuthn API to enable passwordless authentication to Identity Administration using either external or on-device authenticators.

    Single-factor FIDO2 authenticators are something you have. Examples are external authenticators like security keys that you plug into the device's USB port; for example, a YubiKey.

    Refer to NIST 800-63b for more information about single-factor cryptographic devices.

    FIDO2 authenticator(s) are either on-device or external security keys that provide passwordless authentication.

    YubiKey OTP

    YubiKey one-time password (OTP) is an authentication method hosted by Yubico. YubiKey is a device that generates a one-time password used as a second factor authentication. The YubiKey device is inserted into a USB port or tapped on a device and a unique, one-time password is generated. The password is sent to the device being authenticated, then the device verifies the password.

    You have to configure YubiKey OTP in your Identity Administration tenant before you can select it as an authentication mechanism. See the YubiKey Personalization Tool for more information.

    Once configured, go to Settings > Authentication > YubiKey Configuration to enable YubiKey OTP. See Enable YubiKey OTP authentication for more information.

    Something you are

    FIDO2 Authenticator(s) (multi-factor)

    FIDO2 is an authentication standard hosted by FIDO Alliance. This standard includes the Web Authentication ("WebAuthn") API, which is a specification written by the World Wide Web Consortium (W3C) and FIDO, with participation from additional third parties. The WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys.

    CyberArk leverages the WebAuthn API to enable passwordless authentication to Identity Administration using either external or on-device authenticators.

    Supported multi-factor FIDO2 authenticators are something you are. Popular examples are biometric authenticators integrated into device hardware, such as Mac Touch ID, Windows Hello, and fingerprint scanners.

    Refer to NIST 800-63b for more information about multi-factor cryptographic devices.

    FIDO2 authenticator(s) are either on-device or external security keys that provide passwordless authentication.

    Something you know

     

    Password

    When you select this option, users are prompted for either their Active Directory or Identity Administration user password when logging in to the Admin portal.

    Security Question(s)

    When you select this option, users are prompted to answer user-defined and/or admin-defined security questions. When creating the authentication profile, you can specify the number of questions users must answer. You can also specify the number of user-defined and admin-defined questions available to users. See Enabling multiple security questions. Users create, select, or change the question and answer from their Account page in the user portal.

    Other

    3rd Party RADIUS Authentication

    When you select this option, we communicate with your RADIUS server to allow for user authentication into Identity Administration or an enrolled endpoint. See Configure Identity Administration for RADIUS.

  4. (Optional) Select the pass-through duration.

    If users have already authenticated using one of the specified mechanism within this duration, then they will not be authenticated again. The default is 30 minutes.

    This pass-through option does not apply to Windows or Mac MFA logins, or RADIUS VPN connections; only the User Portal and the Identity Administration Portal.
  5. Click OK.