Authentication security options

You can configure additional authentication security settings in the Identity Administration portal. The following configuration options are available from Settings > Authentication > Security Settings:

Option Description

Enable QR code based user identification on login screen

Present users with the option to log in by scanning a Quick Response (QR) code with version 20.7 or later of the CyberArk Identity mobile app on an enrolled mobile device.

After scanning the QR code, users advance to the next authentication challenge configured in the relevant authentication profile. If no additional challenges are required, users log in immediately.

In addition, you can configure authentication profiles so that users can either log in with a QR code or complete the profile's authentication challenges.

See Create authentication profiles for more information about authentication profiles.

Enable smart card authentication on login screen

You can enable users with a smart card to authenticate when signing in to CyberArk Identity.

See Set up smart card authentication for more information.

Enable passkey authentication on login screen

You can enable users to authenticate with their saved passkeys from the login screen without entering their username. See Enable passkeys for more information.

You need to set the single authentication mechanism to Passkey in the authentication profile that applies to the users. See Create authentication profiles for more information.

Enable anti-phishing security image

You can enable users to select a security image that is shown on the Identity User Portal sign-in page. The security image reduces the risk of credentials being captured by phishing: because only the legitimate sign-in page can show the image the user chose, a page that does not show it is not the legitimate one. The security image is displayed after the user's first successful sign-in.

Securely capture users’ passwords at login

Capture user passwords at login and store them with strong encryption.

After this option is enabled, CyberArk Identity captures users' passwords (encrypted with the symmetric AES algorithm) the next time they log in. By default, CyberArk Identity does not capture user passwords. You might need to capture them to support account mapping options for user-password applications or to provision user passwords to supported applications. Because the encryption is symmetric, captured passwords are recoverable by the service rather than hashed; unless capturing user passwords is required for a specific feature, CyberArk recommends leaving this option disabled.

Enable forgot username self-service at login

Allow users to retrieve a forgotten username. Users are prompted to enter an email address; if a CyberArk Identity account matches that address, the username is sent to it. See Customize portal and login windows for more information about customizing the email message sent to users who retrieve their username(s).

Send email notification to users when password is changed

Send an automated email after users reset their CyberArk Identity password through the forgot password process.

Enable user interaction with email invitations

Select this option to add an intermediate confirmation step to email invitations: the recipient must explicitly act on the invitation before it takes effect, which verifies that a person, not an automated process, is accepting it.

Disable the force authentication at the Identity Provider for SAML login

A SAML authentication request can carry the ForceAuthn flag, which requires a user who already has an active session to re-authenticate before an assertion is issued to the web application. Select this option to ignore the ForceAuthn request for SAML web applications, so users with an active session are not asked to log in again.
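The following added example (not CyberArk Identity code) shows the decision an identity provider makes for the setting above: it parses a SAML 2.0 AuthnRequest, reads the standard ForceAuthn attribute, and decides whether a user with an active session must see a fresh login challenge. The AuthnRequest, the application URL and the function names are constructed for illustration.

```python
# Added example: how an IdP decides whether a SAML AuthnRequest forces
# re-authentication. Illustrative only; not CyberArk Identity's implementation.
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample AuthnRequest from a hypothetical service provider that
# sets ForceAuthn="true" (for example before a sensitive operation).
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}"
    ID="_abc123" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    ForceAuthn="true"
    AssertionConsumerServiceURL="https://app.example.com/saml/acs">
</samlp:AuthnRequest>"""


def force_authn_requested(authn_request_xml: str) -> bool:
    """Return True if the request carries ForceAuthn=true.

    SAML 2.0 defines ForceAuthn as an optional xs:boolean on AuthnRequest;
    when it is absent the request does not force re-authentication.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


def must_reauthenticate(authn_request_xml: str, has_active_session: bool,
                        disable_force_authn: bool) -> bool:
    """Decide whether the IdP shows a login challenge.

    disable_force_authn mirrors the portal setting described above: when it
    is set, ForceAuthn in the request is ignored and the existing session
    is reused.
    """
    if not has_active_session:
        return True  # nothing to reuse; the user logs in regardless
    if disable_force_authn:
        return False  # ForceAuthn ignored; SSO session is reused
    return force_authn_requested(authn_request_xml)
```

When the setting is enabled, an application that deliberately requests ForceAuthn (for example to step up authentication before a sensitive action) receives an assertion backed by the existing session instead, so enable it only for applications whose re-authentication prompts are known to be unwanted.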

Don't use certificates for authentication on Android if prompt is required

Deselect this option to enable certificate-based authentication on Android for the User Portal, the Identity Administration portal, and applications launched in a browser (not supported in Firefox).

Certificate-based authentication is an additional path to zero sign-on (ZSO), tried after ZSO through the CyberArk app has been attempted. Certificate-based authentication on Android is disabled (option selected) by default. If you enable it, users are prompted to select a certificate on their first authentication attempt if ZSO through the CyberArk app fails. The certificate presented must be either issued by CyberArk when the device is enrolled or issued by a trusted certificate authority. If certificate-based authentication also fails, users see the login window.

Email and SMS passcode length

Configure the length of the email and SMS passcodes as six or eight digits. The default is eight digits.

Number of consecutive failed login attempts allowed before showing a CAPTCHA

Set the number of consecutive failed login attempts allowed before users are presented with a CAPTCHA challenge. See Enable CAPTCHA for more information.
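The two settings above (passcode length and the failed-attempt threshold) can be illustrated together. The following added example is not CyberArk Identity code: it generates a zero-padded 6- or 8-digit passcode from a cryptographic random source, verifies submissions in constant time, and keeps a per-user counter of consecutive failures that triggers a CAPTCHA once the threshold is reached. The threshold value, class and function names are assumptions made for the example.

```python
# Added example: emailed/SMS passcode handling and a consecutive-failure
# counter that gates a CAPTCHA. Illustrative; not CyberArk Identity code.
import hmac
import secrets
from collections import defaultdict

CAPTCHA_AFTER_FAILURES = 3  # assumed value for the portal threshold setting


def new_passcode(length: int = 8) -> str:
    """Generate a numeric passcode of 6 or 8 digits (8 is the page's default)."""
    if length not in (6, 8):
        raise ValueError("passcode length must be 6 or 8 digits")
    # secrets.randbelow draws from the OS CSPRNG; zfill keeps leading zeros,
    # so "00123456" is a valid code rather than being shortened to "123456".
    return str(secrets.randbelow(10 ** length)).zfill(length)


class LoginGuard:
    """Tracks consecutive failed attempts per user and reports when a
    CAPTCHA must be shown before the next attempt is accepted."""

    def __init__(self, captcha_after: int = CAPTCHA_AFTER_FAILURES):
        self.captcha_after = captcha_after
        self.failures = defaultdict(int)  # consecutive failures per user

    def needs_captcha(self, user: str) -> bool:
        return self.failures[user] >= self.captcha_after

    def verify_passcode(self, user: str, expected: str, submitted: str) -> bool:
        """Compare in constant time; a success resets the consecutive counter,
        a failure increments it."""
        ok = hmac.compare_digest(expected.encode(), submitted.encode())
        if ok:
            self.failures[user] = 0
        else:
            self.failures[user] += 1
        return ok
```

Because the counter is of consecutive failures, one successful login clears it; a CAPTCHA threshold therefore slows an attacker guessing codes for one account but does not by itself limit the total number of guesses over many accounts.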

Additional Attributes for MFA

Configure additional attributes (such as other mobile phone, other home phone, other office phone and other email addresses) for multi-factor authentication (MFA). See Configure additional attributes for MFA.

Specify trusted DNS domains for API calls

Use this option to specify the trusted domain names (for example, your company domain or internet service provider domains such as AT&T) from which calls to CyberArk Identity APIs are accepted. Calls made from domains not listed here fail.
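The page does not describe how the trusted-domain list is matched, so the following added example (not CyberArk Identity's implementation) shows the check a practitioner would expect behind such a setting: the caller's domain is taken from a URL-style Origin or Referer value and compared against an allow-list on label boundaries, so that a look-alike domain such as a bare suffix match does not pass. The allow-list entries and URLs are constructed for the example.

```python
# Added example: allow-list check for the domain from which an API call
# originates. Illustrative only; not CyberArk Identity code.
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list standing in for the "trusted DNS domains" setting.
TRUSTED_DOMAINS = ["example.com", "portal.example.net"]


def host_of(origin: str) -> Optional[str]:
    """Extract the lowercase hostname from an Origin/Referer-style URL.

    Returns None for values that are not http(s) URLs with a host, so
    schemes such as javascript: or data: can never match an allow-list entry.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_trusted_domain(origin: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True if the origin host is a trusted domain or a subdomain of one."""
    host = host_of(origin)
    if host is None:
        return False
    for domain in trusted:
        domain = domain.lower().strip(".")
        # Exact match or a true subdomain (label boundary). A plain
        # endswith(domain) would wrongly accept "evil-example.com" for
        # "example.com", which is why the dot is required.
        if host == domain or host.endswith("." + domain):
            return True
    return False
```

Note that urlsplit takes the host from after any userinfo, so "https://example.com@evil.net" resolves to evil.net and is rejected; a check that searched the raw string for "example.com" would have accepted it.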