Generate OTPs with CyberArk Authenticator

This topic describes how to install the CyberArk Authenticator and use it to generate time-based one-time passcodes (TOTPs ) to sign in to CyberArk Identity.

The CyberArk Authenticator is software installed on a Windows or macOS machine that generates TOTPs that you can use to satisfy authentication challenges when you sign in to CyberArk Identity. It's similar to mobile-based authenticators (for example, the CyberArk Identity mobile app or Google Authenticator), except that it can run on your Windows or macOS based machine. This allows you to use OTPs to sign in to CyberArk Identity without depending on a mobile device.

Contact your system administrator for access to the CyberArk Authenticator.

Requirements to use the CyberArk Authenticator

  • You need admin privileges on your desktop machine to install the CyberArk Authenticator.

  • Your system administrator must enable users to configure an OATH OTP client before you can use OTPs generated by CyberArk Authenticator to sign in to CyberArk Identity.

  • Your system administrator must provide the CyberArk Authenticator installer file.

Install CyberArk Authenticator

The CyberArk Authenticator is available for Windows and macOS. The following procedures assume your system administrator has made CyberArk Authenticator available to you.

  1. Open the CyberArk Authenticator disk image provided by your system administrator, then drag CyberArk Authenticator into the Applications folder.

  2. Go to your Applications folder and double click CyberArk Authenticator, then cancel the warning that the app can't be opened because the developer can't be verified.

  3. Go to System Preferences > Security and Privacy > General tab, and click Open Anyway.

  4. Click Open when the warning repeats.

    You are now ready to use CyberArk Authenticator.

  1. Sign in to your Windows machine using an administrator account.

  2. Click the CyberArk Authenticator file provided to you by your system administrator to begin installation, and then click Next at the Welcome screen.

  3. At Enter enrollment parameters, enter the URL for the CyberArk Identity User Portal (tenant URL) where you have a user account(s), and then click Next.

    For example, https://example.idaptive.app

  4. At Ready to install CyberArk Authenticator, click Install, and then click Finish to complete the installation.

    You are now ready to use CyberArk Authenticator.

Register CyberArk Authenticator with CyberArk Identity

You need to associate CyberArk Authenticator with CyberArk Identity when you first launch the application for your logged in user.

  1. Enter your CyberArk Identity tenant URL, then click OK.

    You must use the tenant ID for the URL. Custom domains are not currently supported. For example, use aaa1234.idaptive.app, not example.idaptive.app.

    Click the user icon in the top right, then click About to find the tenant ID.

  2. Sign in to CyberArk Identity User Portal or CyberArk Identity the Admin Portal.

    After a successful sign in, a window asking you to create a PIN displays.

  3. Enter and confirm a PIN.

    This PIN prevents malicious actors from opening CyberArk Authenticator and using it to sign in to your User Portal. You need to enter the PIN you created each time you open CyberArk Authenticator.

    After creating a PIN, you can copy the OTPs for use in satisfying CyberArk Identity authentication challenges.

    You can find the accounts added to CyberArk Authenticator in your CyberArk Identity User Portal under Accounts > Passcodes.

Add an account

You can add additional user accounts to CyberArk Authenticator.

  1. Open CyberArk Authenticator.

  2. Click the gear icon, then select Add Account.

  3. Sign in to CyberArk Identity.

    After a successful sign in, the new account displays in CyberArk Authenticator.

Change the account's display name

You can change the account's display name to more easily identify the account's purpose.

  1. Click the gear icon, then select Manage Account.

  2. Click the pencil icon next to the account, then edit the account's display name and click Done.

Delete an account

Delete unused accounts so you can easily find the accounts that you do use.

  1. Click the gear icon, then select Manage Account.

  2. Click the trash barrel icon next to the account that you want to delete, then click Done.

Change your PIN

Change your PIN if you think your current PIN might be compromised.

  1. Click the gear icon, then select Change PIN.

  2. Enter your old PIN.

  3. Enter a new PIN and confirm the new PIN.

Reset your PIN

If you don't remember your PIN, you can reset it. Resetting your PIN deletes all existing accounts from CyberArk Authenticator; you will have to add them again.

  1. Click the gear icon, then select Change PIN.

  2. Click Reset PIN code.

    After resetting your PIN code, you have to re-register CyberArk Authenticator and add your accounts again.