Configure Mobile Authenticator MFA redirect for users

This topic describes how to redirect the Mobile Authenticator authentication mechanism to a different user account that you specify. This can be particularly helpful for users who have multiple user accounts and want to share the configured authentication mechanism between the accounts.

The Mobile Authenticator authentication mechanism is available for redirection by default. Other authentication mechanisms are not available for redirection.

For example:

A user has two accounts: User A, with no device enrolled, and User B, with a device enrolled. User A has Mobile Authenticator as one of the MFA options and has the MFA redirect option enabled, with User B as the target recipient for notifications. When User A attempts to sign in to their account, the device enrolled under the User B account receives the notification to authenticate User A. When User B approves the MFA notification, User A is signed in to CyberArk Identity.

There are two methods to activate MFA redirect for users:

| MFA redirect activation method | Description |
|---|---|
| System administrator activation from the Admin Portal | The system administrator enables Redirect multi factor authentication to a different user account in the Admin Portal > Users > user account profile. |
| User activation from the User Portal | If the Enable users to redirect multi factor authentication to a different user account policy is enabled in the Admin Portal, users can activate MFA redirect for themselves in the User Portal. For more information, refer to Allow users to enable the MFA redirect option from the User Portal and Redirect your Mobile Authenticator MFA notifications. |

Refer to Configure local account linking for information on using MFA from a specific directory if a user has an account in two directory services.

Allow users to enable the MFA redirect option from the User Portal

System administrators can enable or disable the MFA redirect policy in the Admin Portal. When the policy is activated, an option in the User Portal is available that allows the end user to activate Mobile Authenticator MFA redirect for themselves. This policy is enabled by default in the Admin Portal. For information on user activation when the policy is enabled, refer to Redirect your Mobile Authenticator MFA notifications.

To change the MFA redirect policy setting

  1. Sign in to the Admin Portal.

  2. In the Navigation pane, click Policies.

  3. Select User Security Policies > User Account Settings.

  4. Click the drop-down menu for Enable users to redirect multi factor authentication to a different user account and select Yes or No.

  5. Click Save.

Enable the MFA redirect option for a user from the Admin Portal

As a system administrator, you can configure MFA redirect for the Mobile Authenticator mechanism on behalf of a user, without having to enable the policy for all users.

  1. Sign in to the Admin Portal.

  2. In the Navigation pane, click Users.

  3. In the Users list, click one of the users to open their Account page.

  4. On the Account page, scroll down to Notifications.

  5. Click the check box beside Redirect multi factor authentication to a different user account.

  6. Click Select to open the Select User window.

  7. Enter characters into the search field. Then, click the desired user from the search results.

  8. Click OK.

  9. Click Save.
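
Once redirects are configured, the assignments can be reviewed against the User A / User B model described at the start of this topic. The following is an added example, not CyberArk code and not part of the original topic: the record layout (user, device_enrolled, redirect_to) and the sample accounts are constructed for illustration and do not correspond to a CyberArk Identity export or API. How the product treats a target that itself redirects is not stated in this topic, so that case is only flagged for review.

```python
from collections import defaultdict

# Constructed sample records (hypothetical layout): one entry per user account.
ACCOUNTS = [
    {"user": "user.a", "device_enrolled": False, "redirect_to": "user.b"},
    {"user": "user.b", "device_enrolled": True,  "redirect_to": None},
    {"user": "user.g", "device_enrolled": False, "redirect_to": "user.b"},
    {"user": "user.c", "device_enrolled": True,  "redirect_to": "user.d"},
    {"user": "user.d", "device_enrolled": False, "redirect_to": None},
    {"user": "user.e", "device_enrolled": False, "redirect_to": "user.a"},
    {"user": "user.f", "device_enrolled": True,  "redirect_to": "user.x"},
]


def notification_recipient(accounts, user):
    """Account whose enrolled device receives the Mobile Authenticator
    notification when `user` signs in (one hop, as in the User A -> User B case)."""
    by_name = {a["user"]: a for a in accounts}
    return by_name[user]["redirect_to"] or user


def audit_redirects(accounts):
    """Return sorted (account, finding) pairs for redirect assignments to review."""
    by_name = {a["user"]: a for a in accounts}
    sources = defaultdict(list)  # target account -> accounts redirecting to it
    findings = []
    for acct in accounts:
        target = acct["redirect_to"]
        if not target:
            continue
        sources[target].append(acct["user"])
        if target not in by_name:
            # Redirect points at an account that is not in the reviewed set.
            findings.append((acct["user"], "target-unknown"))
            continue
        if not by_name[target]["device_enrolled"]:
            # No enrolled device under the target to receive the notification.
            findings.append((acct["user"], "target-has-no-device"))
        if by_name[target]["redirect_to"]:
            # Target redirects as well; resulting behaviour needs manual review.
            findings.append((acct["user"], "target-also-redirects"))
    for target, users in sources.items():
        if len(users) > 1:
            # One enrolled device approves sign-ins for several accounts.
            findings.append((target, "approves-for-multiple-accounts"))
    return sorted(findings)
```
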
 
