Authentication mechanisms
You can select the authentication mechanisms that will be available to users. However, the mechanisms offered to users on the login prompt depend on the user account’s properties. For example, if you select all of the mechanisms in a challenge column but a user only has a password and email address, then the login drop-down menu only offers those two options.
To set the authentication mechanisms, see Create authentication profiles.
Refer to the following table for a description of available authentication mechanisms.
Authentication mechanism |
Description |
---|---|
Something you have |
|
Mobile Authenticator |
Enables users to authenticate with either a one-time passcode or by approving a push notification using the CyberArk Identity mobile app installed on their enrolled mobile devices. If devices are connected through the cell network or a wi-fi connection, users can send the passcodes from the devices. If the devices are not connected, users must manually enter the passcodes into the Identity Administration portal or Identity Administration user portal sign in prompt. In a policy set, use Endpoint Policies > Common Settings > Mobile Settings > Security Settings > Show Mobile Authenticator by default to control whether users see the Mobile Authenticator in the CyberArk Identity mobile app. The default behavior is to show the Mobile Authenticator. To mitigate security risks due to user push fatigue, you can require users to match one of three two-digit numbers displayed on the Mobile Authenticator to a number displayed on the sign-in page to unlock the Mobile Authenticator. Enable this feature with the Endpoint Policies > Common Settings > Mobile Settings > Security Settings > Require number matching for mobile authenticator to prevent accidental approvals policy setting. This mechanism requires users to have CyberArk Identity mobile app installed on an enrolled device. Number matching is only supported for signing in to Identity Administration. It is not supported for other authentication types such as endpoint authentication on enrolled Windows/macOS devices Number matching is not supported if the sign-in request comes from the enrolled device. The following video illustrates how to enable users to use the CyberArk Identity mobile app as a mobile authenticator.
|
Phone call |
When you select this option, Identity Administration calls the user using the stored phone number (mobile or land line) and describes an action the user must perform to complete the authentication. The user completes the action from the device to log in. This option is disabled for new tenants by default. Contact your account representative to enable this authentication mechanism.
|
OATH OTP Client |
|
Text message (SMS) confirmation code |
When you select this option, Identity Administration sends a text message to the user’s mobile phone with a one-time confirmation code and/or an authentication link. Depending on the language setting, some languages display only the confirmation code while others display the confirmation code and link. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt. This option is disabled for new tenants by default. Contact your account representative to enable this authentication mechanism. You can configure the confirmation code length (6 or 8 digits) in Identity Administration portal > Settings > Authentication > Security Settings > Email and SMS passcode length drop down option. The default is 8 digits. The link and confirmation code are valid for five minutes. If a user does not respond within this time period, Identity Administration cancels the login attempt. Additionally, you can configure Identity Administration to allow users to click a Send SMS again link to request a new SMS text message if the user doesn't receive the initial message in a specified period of time. You can configure this in Identity Administration portal > Core Services > Policies > Authentication Policies > CyberArk Identity > Other Settings. To ensure delivery of SMS messages, Identity Administration uses a backup SMS provider and cycles through the providers on SMS retry attempts.
|
Duo |
Select this option to use Duo as an authentication factor. For example, if you already use Duo for authentication to other applications, you can continue to use it with Identity Administration as well. If you select Duo, the authentication process provides an opportunity for users to configure their devices to use Duo, if they haven't already done so. You have to configure Duo in your Identity Administration tenant before you can select it as a authentication mechanism. Refer to Enable Duo authentication for more information. |
Email confirmation code |
When you select this option, Identity Administration sends a confirmation code and a link to the user’s email address. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt. You can configure the confirmation code length (6 or 8 digits) in Identity Administration portal > Settings > Authentication > Security Settings > Email and SMS passcode length drop down option. The default is 8 digits. The link and confirmation code are valid for five minutes. If a user does not respond within this time period, Identity Administration cancels the login attempt.
|
QR code |
Select this option to present users with a Quick Response (QR) code that they can scan with the CyberArk Identity mobile app on an enrolled mobile device. To enable the QR code, go to Settings > Authentication > Platform > Security Settings > Authentication Options, and then select Enable QR code based user identification on login screen. Successfully scanning a QR code bypasses other authentication mechanisms when it's selected under Single Authentication Mechanism. This allows the user to authenticate without entering a username. If you select QR Code for challenge 1 in the authentication profile and the user identifies themselves with a QR code, then the user is identified and authenticated at the same time and proceeds to challenge 2. If you select a different authentication mechanism for challenge 1 and QR Code for challenge 2, then the user must scan a QR code a second time, even if they identified themselves with a QR code. Mac Cloud Agent does not support QR code authentication for Single Authentication Mechanism. |
FIDO2 Authenticator(s) (single factor) |
FIDO2 is an authentication standard hosted by FIDO Alliance. This standard includes the Web Authentication ("WebAuthn") API, which is a specification written by the World Wide Web Consortium (W3C) and FIDO, with participation from additional third parties. The WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys. CyberArk leverages the WebAuthn API to enable passwordless authentication to Identity Administration using either external or on-device authenticators. Single-factor FIDO2 authenticators are something you have. Examples are external authenticators like security keys that you plug into the device's USB port; for example, a YubiKey. Refer to NIST 800-63b for more information about single-factor cryptographic devices. FIDO2 authenticator(s) are either on-device or external security keys that provide passwordless authentication.
|
Something you are |
|
FIDO2 Authenticator(s) (multi-factor) |
FIDO2 is an authentication standard hosted by FIDO Alliance. This standard includes the Web Authentication ("WebAuthn") API, which is a specification written by the World Wide Web Consortium (W3C) and FIDO, with participation from additional third parties. The WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys. CyberArk leverages the WebAuthn API to enable passwordless authentication to Identity Administration using either external or on-device authenticators. Supported multi-factor FIDO2 authenticators are something you are. Popular examples are biometric authenticators integrated into device hardware, such as Mac Touch ID, Windows Hello, and fingerprint scanners. Refer to NIST 800-63b for more information about multi-factor cryptographic devices. FIDO2 authenticator(s) are either on-device or external security keys that provide passwordless authentication.
|
Something you know
|
|
Password |
When you select this option, users are prompted for either their Active Directory or Identity Administration user password when logging in to the Admin portal. |
Security Question(s) |
|
Other |
|
3rd Party RADIUS Authentication |
When you select this option, we communicate with your RADIUS server to allow for user authentication into Identity Administration or an enrolled endpoint. See Configure Identity Administration for RADIUS. |