This topic describes how to configure Identity Administration to allow users to use one-time passcodes (OTPs) for MFA challenges.

Users have the option to use authenticator applications on a mobile device, or the desktop-based CyberArk Authenticator. Mobile-based authenticators are convenient for endpoint authentication, while the desktop-based CyberArk Authenticator offers increased flexibility for authenticating to Identity Administration. For example, some users might not have a suitable mobile device, or might prefer not to use a personal mobile device for professional purposes.

You must configure an authentication rule with OATH OTP enabled in the associated authentication profile for the relevant policy. If you do not have this configured, users will not be able to authenticate using the OTP. See Create authentication rules.

Authenticator Description

Mobile-based authenticators

The user scans a CyberArk-generated QR code (using a third party authenticator application or the CyberArk Identity mobile app) to add their Identity Administration account to the authenticator. Once users have their account in the authenticator, they can use the authenticator to generate OTPs to satisfy authentication challenges.

Additionally, you can upload existing OATH tokens and allow users to authenticate using the one-time passcode generated from those tokens. See Import OATH tokens in bulk.

Direct users to Set up OTPs to authenticate to the User Portal for more details about how to use OTPs to authenticate.

Desktop-based CyberArk Authenticator

The CyberArk Authenticator generates time-based OTPs (TOTPs) that users can use to satisfy MFA challenges.

You can distribute the CyberArk Authenticator application to Windows and Mac users. Users install the CyberArk Authenticator on the machine and register it to their tenant. During the registration process users create a PIN to protect their CyberArk Authenticator account. This PIN is required to open the CyberArk Authenticator. For shared machines, every user that logs in has to repeat the registration process. This way, each user has a separate PIN and only sees their accounts.

The CyberArk Authenticator is available in the Identity Administration portal Downloads page under MFA Plugins & Clients.

Direct users to Generate OTPs with CyberArk Authenticator for more details about how to use CyberArk Authenticator.


To enable the OTP policy

  1. Sign in to the Identity Administration portal.

  2. Go to Core Services > Policies.

  3. Select a policy set or create a new one.

  4. Go to User Security Policies > OATH OTP.

  5. Select Yes in the Allow OATH OTP Integration drop down.

  6. Select Yes in the Enable auto-setup of OATH OTP in Identity app to allow users to automatically configure OATH OTP during device enrollment with the CyberArk Identity mobile app.

    This provides a more convenient enrollment experience for users who use the CyberArk Identity mobile app. If you expect users to use a third-party authenticator such as Google Authenticator, select the default value (--) or No.

  7. Click Save.

  8. Enable users to configure an OATH OTP client.
    1. Click User Account Settings.

      The User Account Setting window opens.

    2. Select Yes in the Enable user to configure an OATH OTP client.

    3. Enter a user-friendly name (for example the name of the OTP client used by your organization) in the OATH OTP Display Name text field. This name is what users will see.

    4. Select an authentication profile to require users to provide additional authentication before they can access the QR code.

    For desktop-based CyberArk Authenticator, do not configure any additional Authentication profiles. This field should be set to --.
  9. Click Save.