Authentication security options

Present users with the option to log in by scanning a Quick Response (QR) Code that they can scan with version 20.7 or later of the CyberArk Identity mobile app on an enrolled mobile device.

After scanning the QR code, users advance to the next authentication challenge configured in the relevant authentication profile. If no additional challenges are required, users log in immediately.

In addition, you can configure authentication profiles to allow either QR code login or present users with authentication challenges.

See Create authentication profiles for more information about authentication profiles.

You can enable users with a smart card to authenticate when signing in to CyberArk Identity.

See Set up smart card authentication for more information.

You can enable users to authenticate with their saved passkeys from the log in screen without entering their username. See Enable passkeys for more information.

You can enable users to select security images for the Identity User Portal sign in page. The security image reduces the risk of compromised credentials through phishing attacks by indicating to users that they are on the legitimate sign in page. The security image displays after the first successful sign in.

Capture user passwords using strong encryption.

After this option is enabled, CyberArk Identity captures user passwords (using symmetric encryption with AES algorithm) the next time they log in. By default, CyberArk Identity does not capture user passwords. However, you might want to capture user passwords to support account mapping options for user password applications or to provision user passwords for supported applications. Unless capturing user passwords is required for a specific feature, CyberArk recommends leaving this feature disabled.

Allow users to retrieve their forgotten username. Users will be prompted to enter an email address to which the username will be sent if a CyberArk Identity account is found that matches the email address. See Customize portal and login windows for more information about customizing the email message sent to users when they try to retrieve their username(s).

Send an automated email after users reset their CyberArk Identity password through the forgot password process.

Select this option for an intermediate step of approval by the user to verify the user is human.

The SAML authentication request requires an active user to re-authenticate to the web application using force authorization. Select this option to disable the force authorization request for SAML web applications.

Deselect this option to enable certificate-based authentication for the User Portal, the Identity Administration portal, and applications launched in a browser (not supported by Firefox).

Certificate-based authentication is an additional path to achieving zero sign-on ("ZSO") after first attempting ZSO by communicating with the CyberArk app. Certificate-based authentication for Android is disabled (option selected) by default. If you enable this feature, users are prompted to select a certificate at their first authentication attempt if ZSO through the CyberArk app fails. The certificate presented must be either issued by CyberArk by enrolling the device or issued by a trusted certificate authority. If certificate-based authentication fails, users see the login window.

Configure the confirmation code length to six or eight digits. The default value is eight digits.

Set a number of failed log in attempts allowed before presenting users with a CAPTCHA challenge. See Enable CAPTCHA for more information.

Configure additional attributes (such as other mobile phone, other home phone, other office phone and other email addresses) for multi-factor authentication (MFA). See Configure additional attributes for MFA.