Configure MFA for CyberArk Identity

This topic describes how to configure MFA for either all users, or users in specific Roles.

You can require users to always authenticate, regardless of connection factors or conditions. For example, if you create an authentication profile with only the password mechanism selected and assign it as the Default Profile, all users are asked to enter their password regardless of the login computer's IP address or browser identity cookie.

Configure MFA for all users

The following procedure describes how to configure MFA for all users, regardless of their Role.

To configure MFA for all users

Step 1: Add a new policy set

  1. Log in to the Admin Portal.

  2. Go to Core Services > Policies and click Add Policy Set to create a new one.

  3. Name the policy set and select All users and devices.

Step 2: Enable authentication policy controls

  1. Go to Authentication Policies > CyberArk Identity.

  2. Select Yes in the Enable authentication policy controls drop-down.

Step 3: Create an authentication profile

  1. In the Authentication Rules area, select Add New Profile from the Default Profile drop-down list.

  2. Enter a unique name for the profile.
  3. Select the authentication mechanism(s) from either Multiple Authentication Mechanisms or Single Authentication Mechanism.

    You can't select the same mechanism in both challenge menus. For example, if you select QR Code in either of the challenge columns under Multiple Authentication Mechanisms, you can't select it under Single Authentication Mechanism.

    RADIUS does not support FIDO2 authentication mechanisms.

    Some authentication mechanisms require additional configurations before users can authenticate using those mechanisms. Make sure your users complete the configuration requirements for any mechanism you plan to use. Refer to Secure access with adaptive MFA for more detail.

    The two mechanism sets behave as follows.

    Multiple Authentication Mechanisms

    You can require that the first challenge be the user's account password, and for the second challenge let users choose between an email confirmation code, a security question, or a text message confirmation code. See Authentication mechanisms for information about each authentication mechanism.

    If you have multiple challenges, CyberArk Identity waits until users have responded to all challenges before returning the authentication response (pass or fail). For example, if users enter the wrong password for the first challenge, CyberArk Identity does not return the failure message until after users respond to the second challenge, so the response does not reveal which challenge failed.

    If users fail their first challenge and the second challenge is SMS, email, or phone call, the default configuration is that CyberArk Identity does not send the SMS or email or trigger the phone call. Contact support to change this configuration.

    Single Authentication Mechanism

    A single authentication challenge is sufficient for users to log in without any additional challenges, even if you also selected challenges under Multiple Authentication Mechanisms.

    For example: if you select Password for Challenge 1, Security Question(s) for Challenge 2, and QR Code under Single Authentication Mechanism, a user with an enrolled device can scan the QR code with the CyberArk Identity mobile app to log in, bypassing the mechanisms selected under Multiple Authentication Mechanisms. A user without an enrolled device logs in by responding to the challenges selected under Multiple Authentication Mechanisms (Password and Security Question(s) in this example).

  4. (Optional) Select the pass-through duration.

    If users have already authenticated using one of the specified mechanisms within this duration, they are not challenged again. The default is 30 minutes.

    The pass-through option applies only to the User Portal and the Admin Portal; it does not apply to Windows or Mac MFA logins or to RADIUS VPN connections.
  5. Click OK.

    If you have not created an authentication rule, see Create authentication rules to create one and associate this profile to it.
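To make the profile behaviour described in Step 3 concrete, the following Python model (an added illustration for this page, not CyberArk Identity code and not its API) evaluates a login against an authentication profile the way the steps above describe: a Single Authentication Mechanism succeeds on its own and bypasses the Multiple challenges, the Multiple challenges return one generic verdict only after every challenge has been answered, an SMS/email/phone code is withheld when challenge 1 failed (the page's default), the pass-through window is honoured only for the User Portal and Admin Portal clients, and the configuration rules (no mechanism under both menus, no FIDO2 over RADIUS) are enforced. The user store, client names, the mechanism identifiers, the code value and the "ok" stand-in for a successful QR or FIDO2 device response are all constructed for the example.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

PASS_THROUGH_CLIENTS = {"user_portal", "admin_portal"}  # never Windows/Mac MFA or RADIUS VPN
OUT_OF_BAND = {"sms", "email", "phone_call"}             # withheld by default after a failed challenge 1
GENERIC_FAILURE = "Authentication failed"                # same text whichever challenge failed


@dataclass
class AuthProfile:
    name: str
    challenges: List[Set[str]]                     # Multiple Authentication Mechanisms, one set per challenge
    single: Set[str] = field(default_factory=set)  # Single Authentication Mechanism
    pass_through: timedelta = timedelta(minutes=30)
    send_otp_after_failed_first: bool = False       # page default; support can change it

    def __post_init__(self) -> None:
        overlap = set().union(*self.challenges) & self.single
        if overlap:  # a mechanism cannot be selected under both menus
            raise ValueError(f"{sorted(overlap)} selected under both menus")


@dataclass
class UserStore:
    """Constructed sample backend; a real tenant verifies against its directory and MFA service."""
    passwords: Dict[str, str]
    security_answers: Dict[str, str]
    enrolled_devices: Set[str]
    otps: Dict[str, str] = field(default_factory=dict)            # user -> last code issued
    last_success: Dict[str, datetime] = field(default_factory=dict)

    def check(self, user: str, mech: str, value: str) -> bool:
        lookup = {"password": self.passwords, "security_question": self.security_answers}
        if mech in lookup:
            expected = lookup[mech].get(user, "")
        elif mech in OUT_OF_BAND:
            expected = self.otps.pop(user, "")                     # one-time: consumed on first check
        else:  # qr_code / fido2 need an enrolled device; "ok" stands in for a valid device response
            expected = "ok" if mech in {"qr_code", "fido2"} and user in self.enrolled_devices else ""
        return bool(expected) and hmac.compare_digest(expected, value)


class LoginSession:
    def __init__(self, profile: AuthProfile, store: UserStore, user: str, client: str, now: datetime):
        if client == "radius" and "fido2" in set().union(*profile.challenges, profile.single):
            raise ValueError("RADIUS does not support FIDO2")
        self.profile, self.store, self.user, self.client, self.now = profile, store, user, client, now
        self.stage, self.any_failed, self.deliveries = 0, False, []   # deliveries: codes actually sent

    def start(self) -> str:
        last = self.store.last_success.get(self.user)
        if self.client in PASS_THROUGH_CLIENTS and last is not None and self.now - last < self.profile.pass_through:
            return "authenticated (pass-through)"
        self._deliver_codes()
        return "challenge 1"

    def _deliver_codes(self) -> None:
        mechs = self.profile.challenges[self.stage] & OUT_OF_BAND
        if mechs and (not self.any_failed or self.profile.send_otp_after_failed_first):
            self.store.otps[self.user] = "482913"                  # constructed; real codes are random
            self.deliveries.extend(sorted(mechs))

    def submit(self, mech: str, value: str) -> str:
        ok = self.store.check(self.user, mech, value)
        if mech in self.profile.single:                            # sufficient alone; bypasses Multiple
            return self._verdict(ok)
        if mech not in self.profile.challenges[self.stage]:
            raise ValueError(f"{mech} is not offered at challenge {self.stage + 1}")
        self.any_failed = self.any_failed or not ok
        self.stage += 1
        if self.stage < len(self.profile.challenges):
            self._deliver_codes()
            return f"challenge {self.stage + 1}"                   # no hint about the previous answer
        return self._verdict(not self.any_failed)

    def _verdict(self, ok: bool) -> str:
        if ok:
            self.store.last_success[self.user] = self.now
            return "authenticated"
        return GENERIC_FAILURE


def demo() -> Dict[str, object]:
    """Walk the page's own example: Password, then Security Question(s)/SMS, with QR Code as Single."""
    profile = AuthProfile("Portal MFA", [{"password"}, {"security_question", "sms"}], {"qr_code"})
    store = UserStore({"alice": "Correct-Horse-Battery"}, {"alice": "tabby"}, {"alice"})
    t0 = datetime(2024, 1, 1, 9, 0)
    out: Dict[str, object] = {}
    s = LoginSession(profile, store, "alice", "user_portal", t0)
    out["wrong_pw_steps"] = (s.start(), s.submit("password", "wrong"))   # still gets challenge 2
    out["sms_after_wrong_pw"] = list(s.deliveries)                      # nothing sent
    out["wrong_pw_verdict"] = s.submit("security_question", "tabby")    # generic failure only now
    s = LoginSession(profile, store, "alice", "user_portal", t0)
    s.start(); s.submit("password", "Correct-Horse-Battery")
    out["sms_after_right_pw"] = list(s.deliveries)
    out["good_login"] = s.submit("sms", store.otps["alice"])
    out["portal_pass_through"] = LoginSession(profile, store, "alice", "user_portal", t0 + timedelta(minutes=10)).start()
    out["radius_no_pass_through"] = LoginSession(profile, store, "alice", "radius", t0 + timedelta(minutes=10)).start()
    s = LoginSession(profile, store, "bob", "user_portal", t0); s.start()
    out["qr_without_enrolled_device"] = s.submit("qr_code", "ok")
    return out
```

Call demo() to see the outcomes. The points to check against the text are that the wrong-password session is still offered challenge 2 and ends with the same generic failure as any other failed login, that no SMS is issued for it, that the pass-through window is honoured for the User Portal client but not for RADIUS, and that QR Code under Single Authentication Mechanism only helps a user who actually has an enrolled device.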

Configure MFA for service users

Enforce MFA for users accessing specific services by applying the policy set to users in a service-specific Role.

To configure MFA for users in service-specific Roles

Step 1: Add a new policy set

  1. Log in to the Admin Portal.

  2. Go to Core Services > Policies and click Add Policy Set to create a new one.

  3. Name the policy set and select Specified Roles.

  4. Add the service-specific Roles to the list of Specified Roles.

Step 2 and Step 3 are identical to the all-users procedure above: enable authentication policy controls under Authentication Policies > CyberArk Identity, then create an authentication profile and assign it as the Default Profile for this policy set. Because this policy set applies to Specified Roles only, the profile is enforced for members of those Roles.