Create authentication profiles

This topic describes how to create authentication profiles so you can use adaptive multi-factor authentication (MFA) to secure access to resources like CyberArk Identity, enrolled endpoints, sensitive applications, and VPN connections.

The authentication profile is where you define the required authentication mechanisms such as password, email confirmation code, mobile authenticator, QR code, FIDO2, and more. Authentication mechanisms are divided into the following primary categories:

  • Something you have

  • Something you are

  • Something you know

Authentication profiles are selected based on authentication rules. Authentication rules are specific to the resource you want to secure. For example, you can use an authentication rule to apply a stricter authentication profile to users signing in to CyberArk Identity from outside the corporate network.

Three default authentication profiles are available:

  • Default New Device Login Profile: Uses Password for the first challenge and Mobile Authenticator, Text message (SMS) confirmation code, Email confirmation code, or OATH OTP Client for the second challenge, with a 12-hour pass-through duration.

  • Default Other Login Profile: Uses Password for the first challenge and no secondary challenge, with a 12-hour pass-through duration.

  • Default Password Reset Profile: Gives users the option to use Mobile Authenticator, Text message (SMS) confirmation code, Email confirmation code, or OATH OTP Client for the first challenge, with a 12-hour pass-through duration.

Push notifications to 3rd party services such as email, SMS, and phone calls are subject to delays that are independent of CyberArk Identity. If the mobile carrier or mail provider delays delivery in a way that impacts login, we recommend using a non-push authentication mechanism such as an OATH token, or the CyberArk Identity mobile app's Mobile Authenticator "Enter code" option, which does not rely on a 3rd party service to deliver a message to the device.

Create an authentication profile

You can create new authentication profiles for additional control beyond the included default profiles.

For increased security and MFA compliance, CyberArk recommends selecting mechanisms from different categories. As you select mechanisms, you can see your Authenticator Assurance Level (AAL) minimum and maximum scores in the authentication profile. Selecting multiple mechanisms for users to pick from might result in authentication combinations with a low AAL score. Limit your selections when you want to guarantee a minimum AAL for sensitive resources or applications.

Our AAL-related features do not guarantee compliance with NIST guidelines. Refer to https://pages.nist.gov/800-63-3/sp800-63b.html for additional detail about NIST guidelines.

NIST guidelines require at least eight characters in the answer for mechanisms in the Something you know category. If you do not require at least 8 characters, those mechanisms are not counted in AAL scoring.

Refer to the following topics to set requirements for mechanisms in the Something you know category.
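The following model illustrates why the AAL minimum drops as more second-challenge options are offered. It is an added example, not CyberArk code: the mechanism-to-category mapping, the simplified scoring rule (one counted factor category gives AAL1, two or more give AAL2; AAL3 is not modeled) and the treatment of the "Something you know" eight-character rule are assumptions made for the illustration.

```python
"""Simplified model of the AAL min/max an authentication profile yields.

Added illustration, not CyberArk Identity code. The category mapping and the
scoring rule below are assumptions that follow the page's description.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import List, Tuple

# Assumed mapping of mechanism -> factor category ("know", "have", "are").
CATEGORY = {
    "Password": "know",
    "Security Question": "know",
    "Email confirmation code": "have",
    "Text message (SMS) confirmation code": "have",
    "Mobile Authenticator": "have",
    "OATH OTP Client": "have",
    "FIDO2": "have",
    "QR Code": "have",
}


@dataclass
class Profile:
    name: str
    challenge1: List[str]
    challenge2: List[str] = field(default_factory=list)
    single: List[str] = field(default_factory=list)
    # Minimum answer length enforced for "Something you know" mechanisms.
    know_min_length: int = 8


def validate(profile: Profile) -> None:
    """Reject profiles the portal would not accept: no mechanism at all, a
    mechanism listed in both the multi-challenge and single menus, or an
    unknown mechanism name."""
    multi = set(profile.challenge1) | set(profile.challenge2)
    chosen = multi | set(profile.single)
    if not chosen:
        raise ValueError("profile selects no mechanism")
    overlap = multi & set(profile.single)
    if overlap:
        raise ValueError(f"selected in both menus: {sorted(overlap)}")
    unknown = chosen - set(CATEGORY)
    if unknown:
        raise ValueError(f"unknown mechanism(s): {sorted(unknown)}")


def counted_categories(profile: Profile, path: Tuple[str, ...]) -> set:
    """Distinct factor categories one authentication path provides. A
    'Something you know' mechanism only counts if at least 8 characters are
    required, mirroring the NIST rule the page cites."""
    cats = set()
    for mech in path:
        cat = CATEGORY[mech]
        if cat == "know" and profile.know_min_length < 8:
            continue
        cats.add(cat)
    return cats


def authentication_paths(profile: Profile) -> List[Tuple[str, ...]]:
    """Every way a user could satisfy the profile: each first/second challenge
    pairing the user may pick, plus each single mechanism on its own."""
    if profile.challenge2:
        paths = list(product(profile.challenge1, profile.challenge2))
    else:
        paths = [(m,) for m in profile.challenge1]
    paths += [(s,) for s in profile.single]
    return paths


def aal(profile: Profile, path: Tuple[str, ...]) -> int:
    """Assumed simplified scoring: 1 for one counted category, 2 for two or
    more, 0 if nothing counts."""
    n = len(counted_categories(profile, path))
    return min(n, 2)


def aal_range(profile: Profile) -> Tuple[int, int]:
    """(minimum, maximum) AAL across all paths a user could choose."""
    validate(profile)
    scores = [aal(profile, p) for p in authentication_paths(profile)]
    return min(scores), max(scores)


if __name__ == "__main__":
    # The two default login profiles from the page, plus a looser variant.
    for p in (
        Profile("Default New Device Login", ["Password"],
                ["Mobile Authenticator", "Text message (SMS) confirmation code",
                 "Email confirmation code", "OATH OTP Client"]),
        Profile("Default Other Login", ["Password"]),
        Profile("Loose", ["Password"], ["Mobile Authenticator", "Security Question"]),
    ):
        print(p.name, "AAL min/max:", aal_range(p))
```

Adding Security Question as a second-challenge option next to Mobile Authenticator drops the minimum to AAL1, because a user can choose the Password plus Security Question path, which stays inside a single category.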


To create an authentication profile

  1. Click Settings > Authentication.
  2. Click Add Profile on the Authentication Profiles page.
  3. Enter a unique name for each profile.
  4. Select the authentication mechanism(s) from either Multiple Authentication Mechanisms or Single Authentication Mechanism.

    You can't select the same mechanism in both challenge menus. For example, if you select QR Code in either of the challenge columns under Multiple Authentication Mechanisms, you can't select it under Single Authentication Mechanism.

    RADIUS does not support FIDO2 authentication mechanisms.

    Some authentication mechanisms require additional configurations before users can authenticate using those mechanisms. Make sure your users complete the configuration requirements for any mechanism you plan to use. Refer to Secure access with adaptive MFA for more detail.

    Multiple Authentication Mechanisms: You can require that the first challenge be the user’s account password, then for the second challenge users can choose between an email confirmation code, security question, or text message confirmation code. See Authentication mechanisms for information about each authentication mechanism.

    If you have multiple challenges, CyberArk Identity waits until users have answered all challenges before giving the authentication response (pass or fail). For example, if users enter the wrong password for the first challenge, CyberArk Identity does not send the authentication failure message until after users respond to the second challenge.

    If users fail their first challenge and the second challenge is SMS, email, or phone call, the default configuration is that CyberArk Identity does not send the SMS/email or trigger the phone call. Contact support to change this configuration.

    Single Authentication Mechanism: A single authentication challenge is sufficient for users to log in without any additional challenges, even if you also selected challenges from Multiple Authentication Mechanisms.

    For example: if you select Password for Challenge 1, Security Question(s) for Challenge 2, and QR Code from Single Authentication Mechanism, a user with an enrolled device can scan the QR Code with the CyberArk Identity mobile app to log in, bypassing the mechanisms selected from Multiple Authentication Mechanisms. If a user does not have an enrolled device, the user can log in by responding to the challenges selected from Multiple Authentication Mechanisms (Password and Security Question(s) in this example).

  5. (Optional) Select the pass-through duration.

    If users have already authenticated using one of the specified mechanisms within this duration, they are not prompted to authenticate again. The default is 30 minutes.

    This pass-through option does not apply to Windows or Mac MFA logins or to RADIUS VPN connections; it applies only to the User Portal and the Admin Portal.
  6. Click OK.

    If you have not created an authentication rule, see Create authentication rules to create one and associate this profile to it.

Secure access to user account settings

Authentication profiles are also used to secure user access to user account settings. For example, you can require that before users can modify their personal profile, they must first authenticate using a confirmation code sent through email. The following table describes relevant user account settings.

  • Change user password: See Configure user password change options.

  • Configure an OATH OTP client: See Enable OATH OTP.

  • Create a security question: Using the Admin Portal > Core Services > Policies > User Security Policies > User Account Settings > Authentication Profile required to set Security Question drop-down list, you can select an authentication profile with the necessary authentication mechanism defined. This option requires users to authenticate before creating the security question on the User Portal > Account > Security page.

  • Modify personal profile information: Using the Admin Portal > Core Services > Policies > User Security Policies > User Account Settings > Authentication Profile required to modify Personal Profile drop-down list, you can select an authentication profile with the necessary authentication mechanism defined. This option requires users to authenticate before updating anything on the User Portal > Account > Personal Profile page.