Authentication security options

You can configure additional authentication security setting in the Admin Portal. The following configuration options are available from Settings > Authentication > Security Settings:

Option Description
Enable QR code based user identification on login screen

Present users with the option to log in by scanning a Quick Response (QR) Code that they can scan with version 20.7 or later of the CyberArk Identity mobile app on an enrolled mobile device.

After scanning the QR code, users advance to the next authentication challenge configured in the relevant authentication profile. If no additional challenges are required, users log in immediately.

In addition, you can configure authentication profiles to allow either QR code login or present users with authentication challenges.

Refer to Create authentication profiles for more information about authentication profiles.

Securely capture users’ passwords at login

Capture user passwords using strong encryption.

After this option is enabled, CyberArk Identity captures user passwords (using symmetric encryption with AES algorithm) the next time they log in. By default, CyberArk Identity does not capture user passwords. However, you might want to capture user passwords to support account mapping options for user password applications or to provision user passwords for supported applications. Unless capturing user passwords is required for a specific feature, CyberArk recommends leaving this feature disabled.

Enable forgot username self-service at login

Allow users to retrieve their forgotten username. Users will be prompted to enter an email address to which the username will be sent if a CyberArk Identity account is found that matches the email address. Refer to Customize portal and login windows for more information about customizing the email message sent to users when they try to retrieve their username(s).

Send email notification to users when password is changed

Send an automated email after users reset their CyberArk Identity password via the forgot password process.

Don't use certificates for authentication on Android if prompt is required

Deselect this option to enable certificate-based authentication for the User Portal, the Admin Portal, and applications launched in a browser (not supported by Firefox).

Certificate-based authentication is an additional path to achieving zero sign-on ("ZSO") after first attempting ZSO by communicating with the CyberArk app. Certificate-based authentication for Android is disabled (option selected) by default. If you enable this feature, users are prompted to select a certificate at their first authentication attempt if ZSO through the CyberArk app fails. The certificate presented must be either issued by CyberArk by enrolling the device or issued by a trusted certificate authority. If certificate-based authentication fails, users see the login window.

Email and SMS passcode length

Configure the confirmation code length to six or eight digits. The default value is eight digits.

Number of consecutive failed login attempts allowed before showing a CAPTCHA

Set a number of failed log in attempts allowed before presenting users with a CAPTCHA challenge. Refer to Enable CAPTCHA for more information.

Additional Attributes for MFA

Configure additional attributes (such as other mobile phone, other home phone, other office phone and other email addresses) for multi-factor authentication (MFA). See Configure additional attributes for MFA.

Specify trusted DNS domains for API calls

Use the option to specify trusted domain names (for example your company domain, internet service provide domains like AT&T, etc.) that can make calls to CyberArk Identity APIs. If calls are made from domains not listed here, the call will fail.