Establish authentication compliance

This topic describes the tools available to help establish whether your users are in compliance with your organization's multi-factor authentication (MFA) and user self-service policies.

Run built-in compliance reports

You can use these reports to help your organization conform to internal policies or guidelines established by NIST to ensure you are following MFA best practices. In addition, you can use these reports to help move your organization toward passwordless authentication by focusing on passwordless factors such as FIDO2 and mobile authenticators.

The following table describes the reports available in the CyberArk Identity Admin Portal at Reports > Built-in Reports > Compliance.

For optimal performance viewing reports in the Admin Portal, reports should not include Roles with more than 5,000 users. You can still use the Export and Email functionality to run reports on Roles with more than 5,000 users.
Report Description

Required Authentication Factors by User

This report shows whether specific authentication factors are configured for users in a selected Role. When you run the report, select the factors that you want to report on in the Required Parameters window, then click OK. If you want to change the selected parameters after you run the report, click Current Parameters.
Self-Service Password Reset for AD Users

Lists whether Self-Service Password Reset is enabled for AD users in a selected Role.

To enable self-service password reset (SSPR), refer to Configure self-service password reset (SSPR). The policy set must apply to AD users.

Self-Service Password Reset for all Users

Lists whether Self-Service Password Reset is enabled for all users in a selected Role.

To enable self-service password reset (SSPR), refer to Configure self-service password reset (SSPR). The policy set must apply to all users.

Users in administrative Roles

Lists configured authentication factors selected in Authentication Profiles that are applicable to users in the System Administrator Role.

In the report, the Identity Profile column refers to the Authentication Profile used to secure access to CyberArk Identity. Radius Profile refers to the Authentication Profile used to secure access to RADIUS client connections.
Users in all Roles

Lists configured authentication factors selected in Authentication Profiles that are applicable to all users in a selected Role.

Identity Profile refers to the Authentication Profile used to secure access to CyberArk Identity. Radius Profile refers to the Authentication Profile used to secure access to RADIUS client connections.

Design report queries based on Authentication Assurance Level (AAL)

The Event.AuthenticationAssuranceLevel column is available in the report builder and records the AAL achieved each time a user signs in to CyberArk Identity. Exposing the AAL of signed-in users increases visibility into your organization's compliance with the best practices recommended in NIST SP 800-63B, which rate an authentication by how many independent factor categories it combines:

  • something you are

  • something you know

  • something you have

Our AAL-related features do not guarantee compliance with NIST guidelines. Refer to https://pages.nist.gov/800-63-3/sp800-63b.html for additional detail about the NIST guidelines.

AAL event values

AAL scoring is based on the type and combination of authentication mechanisms used. The following table gives examples of each mechanism type available in CyberArk Identity; it covers only the types CyberArk Identity supports, not every authenticator type defined by NIST.

Note that SP 800-63B treats out-of-band authentication over the PSTN (SMS and voice calls) as a RESTRICTED authenticator type, so a policy that relies on the SMS or Phone mechanisms should document that risk.

Authentication mechanism type Example(s)

Memorized secret (MS)

  • Password

  • Security Question

Out-of-band device (OOBD)

  • QR

  • DUO

  • MobileAuth

  • SMS

  • Phone

  • RADIUS

Single-factor cryptographic device (SFCD)

  • FIDO2 roaming authenticator (for example, YubiKey)

Multi-factor cryptographic device (MFCD)

  • FIDO2 on device (for example, Touch ID, Windows Hello)

Single-factor One-Time Passcode device (SFOTPD)

  • OATH OTP client

Possible values for the AuthenticationAssuranceLevel (AAL) column are AAL1, AAL2, and AAL3. The following table lists the mechanism types and combinations that meet each level. The reported value is the highest level the sign-in meets, so a mechanism that meets AAL3 also appears in the AAL1 and AAL2 rows.

AAL score Authentication mechanism type

AAL1

  • Memorized Secret

  • Out-of-band Device

  • Single-Factor OTP Device

  • Single-Factor Cryptographic Device

  • Multi-Factor Cryptographic Device

AAL2

  • Multi-Factor Cryptographic Device

  • Memorized Secret combined with any one of: Single-Factor Cryptographic Device, Out-of-band Device, Single-Factor OTP Device

AAL3

  • Multi-Factor Cryptographic Device

  • Memorized Secret combined with a Single-Factor Cryptographic Device

Refer to Create authentication profiles for more information.

Example AAL report

The following report query returns AAL scores for user sign-ins after a specified date.

SELECT
    Event.AuthenticationAssuranceLevel,
    Event.Factors,
    Event.NormalizedUser,
    Event.WhenOccurred
FROM
    Event
WHERE
    Event.EventType IN ("Cloud.Core.MfaSummary")
AND
    Event.WhenOccurred > Datefunc('08/12/2021 15:14:00 -07:00')

The AuthenticationAssuranceLevel column is populated for Cloud.Core.MfaSummary events and is included automatically in searches for that event type.
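The scoring rules in the AAL tables above, applied to rows shaped like the output of the example report query, as an added example (this is illustrative code, not part of CyberArk Identity or its report builder). The factor labels in FACTOR_TYPES, the comma-separated form assumed for Event.Factors, and the sample rows are all constructed assumptions; map the labels that actually appear in your export before using it. The script recomputes the AAL from the recorded factors, flags sign-ins that fall below a chosen minimum level, and also flags rows whose recorded AuthenticationAssuranceLevel disagrees with the recomputed value, which is a quick way to validate your mapping against real data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Mechanism types from the mechanism table above (page abbreviations).
MS, OOBD, SFCD, MFCD, SFOTPD = "MS", "OOBD", "SFCD", "MFCD", "SFOTPD"

# ASSUMPTION: these factor labels are illustrative, not the exact strings that
# CyberArk Identity writes to Event.Factors. Adjust to match your export.
FACTOR_TYPES = {
    "Password": MS,
    "SecurityQuestion": MS,
    "QR": OOBD, "DUO": OOBD, "MobileAuth": OOBD, "SMS": OOBD, "Phone": OOBD, "RADIUS": OOBD,
    "FIDO2": SFCD,            # roaming security key, e.g. YubiKey
    "FIDO2OnDevice": MFCD,    # platform authenticator, e.g. Windows Hello, Touch ID
    "OATH": SFOTPD,           # OATH OTP client
}

LEVEL_RANK = {"AAL1": 1, "AAL2": 2, "AAL3": 3}


def aal_for_types(types: set[str]) -> str | None:
    """Highest AAL met by a set of mechanism types, per the AAL table above.

    AAL3: a multi-factor cryptographic device, or memorized secret + single-factor
          cryptographic device.
    AAL2: memorized secret + an out-of-band device or a single-factor OTP device
          (memorized secret + SFCD is already scored AAL3 above).
    AAL1: anything else that used at least one known mechanism.
    """
    if not types:
        return None
    if MFCD in types or {MS, SFCD} <= types:
        return "AAL3"
    if MS in types and types & {OOBD, SFOTPD}:
        return "AAL2"
    return "AAL1"


def compute_aal(factors) -> str | None:
    """Score a sign-in from its factor labels; unknown labels are ignored."""
    return aal_for_types({FACTOR_TYPES[f] for f in factors if f in FACTOR_TYPES})


@dataclass(frozen=True)
class SignIn:
    """One row of the example report: NormalizedUser, Factors, AAL, WhenOccurred."""
    user: str
    factors: tuple[str, ...]
    recorded_aal: str
    when: datetime


def parse_factors(raw: str) -> tuple[str, ...]:
    """ASSUMPTION: Event.Factors is exported as a comma-separated list of labels."""
    return tuple(f.strip() for f in raw.split(",") if f.strip())


def audit(rows, minimum: str = "AAL2", since: datetime | None = None) -> list[dict]:
    """Flag sign-ins after `since` that fall below `minimum`, or whose recorded
    AuthenticationAssuranceLevel disagrees with the level recomputed from Factors."""
    findings = []
    for row in rows:
        if since is not None and row.when <= since:   # mirrors WhenOccurred > Datefunc(...)
            continue
        computed = compute_aal(row.factors)
        if computed != row.recorded_aal:
            reason = "mismatch"
        elif LEVEL_RANK.get(row.recorded_aal, 0) < LEVEL_RANK[minimum]:
            reason = "below-minimum"
        else:
            continue
        findings.append({"user": row.user, "recorded": row.recorded_aal,
                         "computed": computed, "reason": reason})
    return findings


# Constructed sample rows, shaped like the output of the example report query.
PDT = timezone(timedelta(hours=-7))
SINCE = datetime(2021, 8, 12, 15, 14, tzinfo=PDT)   # same cut-off as the query above
SAMPLE_ROWS = [
    SignIn("alice@example.com", parse_factors("Password,FIDO2"), "AAL3", datetime(2021, 8, 13, 9, 0, tzinfo=PDT)),
    SignIn("bob@example.com", parse_factors("Password,SMS"), "AAL2", datetime(2021, 8, 13, 9, 5, tzinfo=PDT)),
    SignIn("carol@example.com", parse_factors("Password"), "AAL1", datetime(2021, 8, 14, 8, 30, tzinfo=PDT)),
    SignIn("dave@example.com", parse_factors("FIDO2OnDevice"), "AAL3", datetime(2021, 8, 14, 8, 45, tzinfo=PDT)),
    SignIn("erin@example.com", parse_factors("OATH"), "AAL1", datetime(2021, 8, 15, 7, 0, tzinfo=PDT)),
    SignIn("frank@example.com", parse_factors("Password,OATH"), "AAL2", datetime(2021, 8, 10, 7, 0, tzinfo=PDT)),  # before cut-off
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS, minimum="AAL2", since=SINCE):
        print(finding)
```

Run against the sample rows with a minimum of AAL2, the audit reports carol (password only) and erin (OTP device only) as below the minimum and skips frank, whose sign-in predates the cut-off. A "mismatch" finding means the factor-to-type mapping in FACTOR_TYPES does not reproduce the value the platform recorded, which is the first thing to fix before trusting the below-minimum results.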