Configure MFA for the User Portal

You can specify what authentication mechanisms your users must provide to access CyberArk Identity, as well as if and when multi-factor authentication is required. For example, you can specify that users logging in from a certain country provide additional authentication.

To define MFA for User Portal access

Step 1: Create an authentication profile.

This is where you specify the authentication mechanisms.

  1. In the Authentication Rules area of a policy set, select Add New Profile from the Default Profile drop-down list.

  2. Alternatively, go to Settings > Authentication, and then click Add Profile. Either path opens the profile editor.
  3. Enter a unique name for each profile.
  4. Select the authentication mechanism(s) from either Multiple Authentication Mechanisms or Single Authentication Mechanism.

    You can't select the same mechanism in both challenge menus. For example, if you select QR Code in either of the challenge columns under Multiple Authentication Mechanisms, you can't select it under Single Authentication Mechanism.

    RADIUS does not support FIDO2 authentication mechanisms.

    Some authentication mechanisms require additional configurations before users can authenticate using those mechanisms. Make sure your users complete the configuration requirements for any mechanism you plan to use. Refer to Authentication requirements for more detail.

    The two authentication sets are:

    Multiple Authentication Mechanisms

    You can require that the first challenge be the user’s account password, then for the second challenge users can choose between an email confirmation code, security question, or text message confirmation code. See Authentication mechanisms for information about each authentication mechanism.

    If you have multiple challenges, CyberArk Identity waits until users answer all challenges before returning the authentication response (pass or fail). For example, if users enter the wrong password for the first challenge, CyberArk Identity does not report the failure until after users respond to the second challenge, so the first challenge cannot be used on its own as a password-guessing oracle.

    If users fail their first challenge and the second challenge is SMS, email, or phone call, the default configuration is that CyberArk Identity does not send the SMS or email or trigger the phone call for that attempt. Contact support to change this configuration.
    Single Authentication Mechanism

    Single authentication challenges are sufficient for users to log in without any additional challenges, even if you selected challenges from Multiple Authentication Mechanisms.

    For example: if you select Password for Challenge 1, Security Question(s) for Challenge 2, and QR Code from Single Authentication Mechanism, a user with an enrolled device can scan the QR Code with the CyberArk Identity mobile app to log in, bypassing the mechanisms selected from Multiple Authentication Mechanisms. If a user does not have an enrolled device, the user can log in by responding to the challenges selected from Multiple Authentication Mechanisms (Password and Security Question(s) in this example).

    Authentication mechanisms, by factor type:

    Something you have

    Mobile Authenticator

    Enables users to authenticate with a one-time passcode displayed on the CyberArk Identity mobile app installed on their enrolled mobile devices, if Mobile Authenticator is part of their authentication profile.

    If devices are connected via the cell network or a wi-fi connection, users can send the passcodes from the devices. If the devices are not connected, users must manually enter the passcodes into the Identity Administration portal or CyberArk Identity user portal sign in prompt.

    In a policy set, use Endpoint Policies > Common Settings > Mobile Settings > Security Settings > Show Mobile Authenticator by default to control whether users see the Mobile Authenticator in the CyberArk Identity mobile app. The default behavior is to show the Mobile Authenticator.

    To mitigate security risks due to user push fatigue, you can require users to match one of three two-digit numbers displayed on the Mobile Authenticator to a number displayed on the sign in page to unlock the Mobile Authenticator. Enable this feature with the Endpoint Policies > Common Settings > Mobile Settings > Security Settings > Require number matching for mobile authenticator to prevent accidental approvals policy setting.

    This mechanism requires users to have CyberArk Identity mobile app installed on an enrolled device.
    Number matching is only supported for signing in to CyberArk Identity. It is not supported for other authentication types such as endpoint authentication on enrolled Windows/macOS devices.

    The following video illustrates how to enable users to use the CyberArk Identity mobile app as a mobile authenticator.

    Phone call

    When you select this option, CyberArk Identity calls the user using the stored phone number (mobile or land line) and describes an action the user must perform to complete the authentication. The user completes the action from the device to log in.

    This option is disabled for new tenants by default. Contact your account representative to enable this authentication mechanism.

    OATH OTP Client

    The label shown for this option is configurable and reflects the name you entered during the OATH OTP configuration. When you select this option, users can use a third-party authenticator app (such as Google Authenticator) to scan a QR code generated by CyberArk Identity and then generate one-time passcodes (OTPs). This authentication mechanism requires additional configuration. See Enable OATH OTP.

    Text message (SMS) confirmation code

    When you select this option, CyberArk Identity sends a text message to the user’s mobile phone with a one-time confirmation code and/or an authentication link. Depending on the language setting, some languages display only the confirmation code while others display the confirmation code and link. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt.

    This option is disabled for new tenants by default. Contact your account representative to enable this authentication mechanism.

    You can configure the confirmation code length (6 or 8 digits) in Identity Administration portal > Settings > Authentication > Security Settings > Email and SMS passcode length drop-down option. The default is 8 digits.

    The link and confirmation code are valid for five minutes. If a user does not respond within this time period, CyberArk Identity cancels the login attempt.

    Additionally, you can configure CyberArk Identity to allow users to click a Send SMS again link to request a new SMS text message if the user doesn't receive the initial message in a specified period of time. You can configure this in Identity Administration portal > Core Services > Policies > Authentication Policies > CyberArk Identity > Other Settings.

    To ensure delivery of SMS messages, CyberArk Identity uses a backup SMS provider and cycles through the providers on SMS retry attempts.

    Duo

    Select this option to use Duo as an authentication factor. For example, if you already use Duo for authentication to other applications, you can continue to use it with CyberArk Identity as well. If you select Duo, the authentication process provides an opportunity for users to configure their devices to use Duo, if they haven't already done so.

    You have to configure Duo in your CyberArk Identity tenant before you can select it as an authentication mechanism. Refer to Duo authentication for more information.

    Email confirmation code

    When you select this option, CyberArk Identity sends a confirmation code and a link to the user’s email address. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt.

    You can configure the confirmation code length (6 or 8 digits) in Identity Administration portal > Settings > Authentication > Security Settings > Email and SMS passcode length drop-down option. The default is 8 digits.

    The link and confirmation code are valid for five minutes. If a user does not respond within this time period, CyberArk Identity cancels the login attempt.

    QR Code

    Select this option to present users with a Quick Response (QR) Code that they can scan with the CyberArk Identity mobile app on an enrolled mobile device.

    Successfully scanning a QR Code bypasses other authentication mechanisms when it's selected under Single Authentication Mechanism.

    FIDO2 Authenticator(s) (single factor)

    FIDO2 is an authentication standard hosted by FIDO Alliance. This standard includes the Web Authentication ("WebAuthn") API, which is a specification written by the World Wide Web Consortium (W3C) and FIDO, with participation from additional third parties. The WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys.

    CyberArk leverages the WebAuthn API to enable passwordless authentication to the CyberArk Identity using either external or on-device authenticators.

    Single-factor FIDO2 authenticators are something you have. Examples are external authenticators like security keys that you plug into the device's USB port; for example, a YubiKey.

    Refer to NIST SP 800-63B for more information about single-factor cryptographic devices.

    FIDO2 authenticator(s) are either on-device or external security keys that provide passwordless authentication.

    Something you are

    FIDO2 Authenticator(s) (multi-factor)

    For background on the FIDO2 standard and the WebAuthn API, see FIDO2 Authenticator(s) (single factor) above; CyberArk uses the same WebAuthn API for passwordless authentication with multi-factor authenticators.

    Multi-factor FIDO2 authenticators unlock the device-bound credential with a local user-verification step, typically a biometric, so they combine something you have with something you are. Popular examples are authenticators integrated into device hardware, such as Mac Touch ID, Windows Hello, and fingerprint scanners.

    Refer to NIST SP 800-63B for more information about multi-factor cryptographic devices.


    Something you know

    Password

    When you select this option, users are prompted for either their Active Directory or CyberArk Identity user password when logging in to the portal.

    Security Question(s)

    When you select this option, users are prompted to answer user-defined and/or admin-defined security questions. When creating the authentication profile, you can specify the number of questions users must answer. You can also specify the number of user-defined and admin-defined questions available to users. See Enabling multiple security questions. Users create, select, or change the question and answer from their Account page in the user portal.

    Other

    3rd Party RADIUS Authentication

    When you select this option, CyberArk Identity forwards the authentication to your RADIUS server to authenticate users into CyberArk Identity or an enrolled endpoint. See Configure CyberArk Identity for RADIUS.

  5. (Optional) Select the pass-through duration.

    If users have already authenticated with one of the mechanisms in this profile within this duration, they are not challenged again. The default is 30 minutes.

    This pass-through option does not apply to Windows or Mac MFA logins, or RADIUS VPN connections; only the User Portal and the Identity Administration portal.
  6. Click OK.

    If you have not created an authentication rule, see Creating authentication rules to create one and associate this profile to it.
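As an added example (not CyberArk's code or documentation), the following Python model makes the profile semantics from Step 1 concrete: a mechanism under Single Authentication Mechanism that succeeds bypasses the challenge columns, every column under Multiple Authentication Mechanisms must pass, the pass/fail verdict is withheld until all columns are answered, by default no SMS, email or call is triggered for a later challenge once an earlier one failed, and a portal login inside the pass-through window is not challenged again. The profile, secrets, mechanism names and timestamps are constructed for the example; the `OUT_OF_BAND` set and the 30-minute default are assumptions that follow the text above, and the pass-through check models only portal logins, which is the scope the page gives it.

```python
from __future__ import annotations
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable

# Assumption: mechanisms that cost a message or a call when they are prompted.
OUT_OF_BAND = {"SMS", "Email", "Phone call"}


@dataclass
class Profile:
    name: str
    challenges: list[list[str]]                       # Multiple Authentication Mechanisms, one list per column
    single: list[str] = field(default_factory=list)   # Single Authentication Mechanism
    pass_through: timedelta = timedelta(minutes=30)   # documented default pass-through duration
    suppress_send_after_failure: bool = True          # documented default; support can change it


def evaluate(profile: Profile, responses: dict[str, str], verify: Callable[[str, str], bool],
             send: Callable[[str], None], now: datetime, last_success: datetime | None = None) -> tuple[bool, str]:
    """Returns (authenticated, reason) for one portal login attempt against the profile."""
    # Pass-through: a portal login inside the window is not challenged again.
    if last_success is not None and now - last_success < profile.pass_through:
        return True, "pass-through"

    # A Single Authentication Mechanism is sufficient on its own and bypasses the
    # challenge columns entirely (e.g. scanning the QR code with an enrolled device).
    for mech in profile.single:
        if mech in responses and verify(mech, responses[mech]):
            return True, f"single:{mech}"

    # Multiple Authentication Mechanisms: every column must pass. The verdict is
    # returned only after all columns are answered, so a wrong password is not
    # revealed before the second challenge.
    all_ok = True
    for column in profile.challenges:
        chosen = next((m for m in column if m in responses), None)
        if chosen is None:
            return False, f"no response for challenge {column}"
        if chosen in OUT_OF_BAND and (all_ok or not profile.suppress_send_after_failure):
            send(chosen)  # default: nothing is sent once an earlier challenge already failed
        all_ok = verify(chosen, responses[chosen]) and all_ok
    return (True, "multiple") if all_ok else (False, "one or more challenges failed")


# --- constructed demo data (not real credentials) ------------------------------
DEMO_SECRETS = {"Password": "correct-horse-demo", "SMS": "48213977",
                "Security Question(s)": "rover", "QR Code": "qr-session-token"}
DEMO_PROFILE = Profile("Trial Profile",
                       challenges=[["Password"], ["SMS", "Email", "Security Question(s)"]],
                       single=["QR Code"])


def demo_verify(mech: str, answer: str) -> bool:
    return hmac.compare_digest(DEMO_SECRETS.get(mech, ""), answer)


def run(responses: dict[str, str], last_success_minutes_ago: int | None = None,
        profile: Profile = DEMO_PROFILE) -> tuple[bool, str, list[str]]:
    """Runs one attempt and also reports which out-of-band messages were sent."""
    sent: list[str] = []
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    last = now - timedelta(minutes=last_success_minutes_ago) if last_success_minutes_ago is not None else None
    ok, reason = evaluate(profile, responses, demo_verify, sent.append, now, last)
    return ok, reason, sent


if __name__ == "__main__":
    print(run({"QR Code": "qr-session-token"}))                        # bypasses the columns
    print(run({"Password": "correct-horse-demo", "SMS": "48213977"}))  # both columns pass, SMS sent
    print(run({"Password": "wrong", "SMS": "48213977"}))               # fails, and no SMS was sent
    print(run({"Password": "correct-horse-demo"}, last_success_minutes_ago=10))  # pass-through
```

The third call is the case the text describes: the password was wrong, so the SMS for the second column is never sent, but the user is still asked for it and only then told the login failed.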
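The single-factor and multi-factor FIDO2 entries in the table above differ in whether the authenticator performed user verification, and a relying party can see that in the flags byte of the WebAuthn authenticator data. The following Python example, added here and not part of CyberArk's documentation or code, parses that structure and enforces the distinction: it checks the RP ID hash, requires user presence, requires user verification when the profile selected the multi-factor mechanism, and rejects a signature counter that fails to increase. It covers only those checks; a real relying party also verifies the clientDataJSON challenge and origin and the signature with the stored public key. The RP ID, flag combinations and counters are constructed for the example.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of authenticatorData.flags as defined by the WebAuthn specification.
FLAG_UP = 0x01  # user present (a touch or equivalent test of user presence)
FLAG_UV = 0x04  # user verified (PIN or biometric checked by the authenticator)
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(raw: bytes) -> AuthData:
    """Layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) | optional data."""
    if len(raw) < 37:
        raise ValueError("authenticator data too short")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(raw[:32], raw[32], sign_count)


def classify(auth: AuthData) -> str:
    if auth.flags & FLAG_UV:
        return "multi-factor"   # device-bound key plus PIN/biometric
    if auth.flags & FLAG_UP:
        return "single-factor"  # possession only
    return "invalid"


def check_assertion(raw: bytes, rp_id: str, require_uv: bool, last_count: int) -> tuple[bool, str]:
    """Subset of the WebAuthn assertion checks that decide which profile entry the login satisfies."""
    auth = parse_authenticator_data(raw)
    if auth.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: assertion was not made for this RP ID"
    if not auth.flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not auth.flags & FLAG_UV:
        return False, "profile requires user verification but the authenticator did not perform it"
    # If either counter is non-zero the counter is supported and must strictly increase;
    # a stalled or decreasing counter is the spec's signal for a cloned authenticator.
    if (auth.sign_count or last_count) and auth.sign_count <= last_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    return True, classify(auth)


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructs the authenticator data bytes for the demo (what a real authenticator signs)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "example.com"  # constructed RP ID
    key_touch = build_auth_data(rp, FLAG_UP, 10)             # security key, touch only
    platform_bio = build_auth_data(rp, FLAG_UP | FLAG_UV, 10)  # Touch ID / Windows Hello style
    print(check_assertion(key_touch, rp, require_uv=False, last_count=9))
    print(check_assertion(key_touch, rp, require_uv=True, last_count=9))
    print(check_assertion(platform_bio, rp, require_uv=True, last_count=9))
    print(check_assertion(platform_bio, rp, require_uv=True, last_count=10))
```

A relying party that wants the multi-factor behaviour asks for it up front by requesting `userVerification: "required"` in the assertion options and then enforces the UV flag as above; requesting it without checking the flag gives no assurance, because the authenticator, not the browser, decides what it did.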

Step 2: Create an authentication rule.

This is where you specify the conditions in which the authentication profile is applied.

  1. Click Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.

  2. Click Authentication Policies > CyberArk Identity.

  3. Select Yes in the Enable authentication policy controls drop-down.

  4. Click Add Rule.

  5. The Authentication Rule window displays.

  6. Click Add Filter.

  7. Define the filter and condition using the drop-down boxes.

    For example, you can create a rule that requires users logging in from China to provide the authentication challenges specified in the profile you created in Step 1: a filter of Country equal to China, with that profile selected as the rule's authentication profile.

    The supported filters, with the conditions available for each, are:
    Identity Cookie

    The cookie that is embedded in the current browser by CyberArk Identity after the user has successfully logged in.

    • Is present
    • Is not present

    Device OS

    The operating system of the device a user is logging in from.

    • equal to
    • not equal to

    Browser

    The browser used for opening the CyberArk Identity portal.

    • equal to
    • not equal to

    Role

    CyberArk Identity roles that a user belongs to. If a user belongs to multiple roles, the authentication rule that comes first (highest priority on top) is honored.

    If a role is renamed after an authentication rule using Role as a filter was created, the authentication rule updates automatically with the new role name. If a role is deleted, the portion of any authentication rule that uses that role as a filter is also deleted.

    This filter is only applicable to managing web application access.

    Contact support if Role does not display in your menu. This filter requires tenant configuration.
    • equal to
    • not equal to

    Country

    The country based on the IP address of the user computer.

    • equal to
    • not equal to

    Risk Level

    The risk level that CyberArk Identity assigns to the user logging on to the User Portal, based on the user's behavior. For example, a user attempting to log in from an unfamiliar location can be prompted for a password and a text message (SMS) confirmation code because the unfamiliar location correlates with a medium risk level. If you do not see this filter, contact CyberArk support. The supported risk levels are:

    • Non Detected -- No unexpected activities are detected.
    • Low -- Some aspects of the requested identity activity are unexpected. Remediation action or simple warning notification can be raised depending on the policy setup.
    • Medium -- Many aspects of the requested identity activity are unexpected. Remediation action or simple warning notification can be raised depending on the policy setup.
    • High -- Strong indicators that the requested identity activity is an anomaly and the user's identity has been compromised. Immediate remediation action, such as MFA, should be enforced.
    • Undetermined -- Not enough user behavior activities (frequency of system use by the user and length of time user has been in the system) have been collected.
    Additional licenses might be required to enable this feature. Contact your CyberArk account representative for more information.

    The following video illustrates how to create an authentication rule based on risk level.

    • equal to
    • not equal to

    Managed Devices

    A device is considered managed under the following circumstances:

    • It is enrolled to CyberArk Identity for device management.

      A device that is enrolled for only single sign-on or endpoint authentication is not considered a managed device. For more information about the difference, see Mobile Device Management or single sign-on only.

    • It is enrolled to a supported Unified Endpoint Manager (UEM).

    • It is compliant with policies defined by a UEM. Compliance means that the device is enrolled in a UEM and conforms to the compliance rules that the UEM (a third party) defines.

      For more information, see Configure access based on a third-party UEM trust.

    • enrolled to
    • not enrolled to
    • compliant with
    • not compliant with

    Certificate Authentication

    Whether the user authenticates with a digital certificate issued by your organization's trusted certificate authority. You can upload the certificate authority's certificate using Identity Administration portal > Settings > Authentication > Certificate Authorities. Users can also individually use CyberArk as their trusted certificate authority and automatically install the digital certificate by enrolling their devices.

    For example, if you configure an authentication rule to use the Certificate Authentication condition, then CyberArk Identity checks for a digital certificate issued by a trusted certificate authority and enforces the specified authentication profile before allowing access to this application.

    CyberArk support must enable the Certificate Authentication filter for your company.
    • is used
    • is not used
  8. Click the Add button associated with the filter and condition you have specified.

  9. Select the profile you want applied (in the Authentication Profile drop-down) if all conditions are met.

    For example, you can select the "Trial Profile" profile you created in Step 1.

  10. Click OK.

Step 3: Select a default profile, then save.

  1. Select a default profile to be applied if a user does not match any of the configured conditions in the Default Profile (used if no conditions matched) drop-down.

    If you select Not Allowed in the Default Profile drop-down, users who do not match any authentication rule cannot log in to the service; if no authentication rules are configured, that is every user.
  2. Click Save.
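To make the rule semantics from Steps 2 and 3 concrete, here is an added Python model (not CyberArk's implementation) of how filters, conditions, rule order and the default profile interact: all conditions within one rule must match, rules are tried from the top and the first match wins, and the Default Profile (or Not Allowed) applies when nothing matches. The rule set, the "Demo UEM" name, the profile names and the request contexts are constructed for the example; the Role filter is modelled for completeness even though the page notes it applies to web application access.

```python
from __future__ import annotations
from dataclasses import dataclass

NOT_ALLOWED = "Not Allowed"  # the Default Profile choice that blocks logins


@dataclass
class Context:
    """What is known about the login attempt when the rules are evaluated."""
    has_identity_cookie: bool
    device_os: str
    browser: str
    roles: set[str]
    country: str                 # derived from the client IP address
    risk_level: str              # Non Detected / Low / Medium / High / Undetermined
    enrolled_to: str | None      # "CyberArk Identity", a UEM name, or None if unmanaged
    compliant_with: set[str]     # UEMs that report the device as compliant
    certificate_used: bool


@dataclass
class Condition:
    filter: str
    op: str
    value: str | None = None


@dataclass
class Rule:
    conditions: list[Condition]  # all must match ("if all conditions are met")
    profile: str


def condition_matches(c: Condition, ctx: Context) -> bool:
    if c.filter == "Identity Cookie":
        return ctx.has_identity_cookie == (c.op == "is present")
    if c.filter == "Certificate Authentication":
        return ctx.certificate_used == (c.op == "is used")
    if c.filter == "Managed Devices":
        if c.op in ("enrolled to", "not enrolled to"):
            return (ctx.enrolled_to == c.value) == (c.op == "enrolled to")
        return (c.value in ctx.compliant_with) == (c.op == "compliant with")
    if c.filter == "Role":
        return (c.value in ctx.roles) == (c.op == "equal to")
    scalar = {"Device OS": ctx.device_os, "Browser": ctx.browser,
              "Country": ctx.country, "Risk Level": ctx.risk_level}
    if c.filter in scalar:
        return (scalar[c.filter] == c.value) == (c.op == "equal to")
    raise ValueError(f"unknown filter: {c.filter}")


def select_profile(rules: list[Rule], default: str, ctx: Context) -> str:
    """Rules are checked top to bottom; the first whose conditions all match wins.
    If none matches, the Default Profile applies."""
    for rule in rules:
        if all(condition_matches(c, ctx) for c in rule.conditions):
            return rule.profile
    return default


def login_allowed(profile: str) -> bool:
    return profile != NOT_ALLOWED


# --- constructed demo policy ---------------------------------------------------
DEMO_RULES = [
    # 1. Block anything the risk engine scores High, whatever the other signals say.
    Rule([Condition("Risk Level", "equal to", "High")], NOT_ALLOWED),
    # 2. Step up logins from China to the profile created in Step 1.
    Rule([Condition("Country", "equal to", "China")], "Trial Profile"),
    # 3. Lighter profile for a compliant managed device whose browser already holds the identity cookie.
    Rule([Condition("Managed Devices", "compliant with", "Demo UEM"),
          Condition("Identity Cookie", "is present")], "Password Only"),
]
DEMO_DEFAULT = "Password + Mobile Authenticator"


def demo_context(**overrides) -> Context:
    base = dict(has_identity_cookie=False, device_os="Windows", browser="Chrome",
                roles={"Everybody"}, country="United States", risk_level="Low",
                enrolled_to=None, compliant_with=set(), certificate_used=False)
    base.update(overrides)
    return Context(**base)


if __name__ == "__main__":
    print(select_profile(DEMO_RULES, DEMO_DEFAULT, demo_context(country="China")))   # Trial Profile
    print(select_profile(DEMO_RULES, DEMO_DEFAULT, demo_context()))                  # default profile
    risky_managed = demo_context(risk_level="High", enrolled_to="Demo UEM",
                                 compliant_with={"Demo UEM"}, has_identity_cookie=True)
    print(select_profile(DEMO_RULES, DEMO_DEFAULT, risky_managed))                   # Not Allowed
    print(select_profile(list(reversed(DEMO_RULES)), DEMO_DEFAULT, risky_managed))   # Password Only
```

The last two lines show why rule order matters: with the High-risk rule on top, a compliant managed device in a risky session is still blocked, but with the rules reversed the convenience rule wins and the risk signal is never consulted. Keep deny and step-up rules above any rule that relaxes authentication, and remember that the Identity Cookie only proves an earlier login from that browser, not who is sitting at it now.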