Sign in with multi-factor authentication

This topic describes an end user's experience responding to multi-factor authentication challenges.

Some organizations require you to provide multi-factor authentication when you sign in to the user portal, open an application, or enroll a device. Multi-factor authentication means you must enter your password plus provide another form of authentication to sign in.

The following video illustrates signing in to the Identity User Portal with MFA.

CyberArk Identity provides the following forms of authentication:

Authentication mechanisms
Authentication mechanism

How to respond

Something you have

Mobile Authenticator

Use either the Mobile Authenticator option in the CyberArk Identity application or your device’s notification service. See Use the Mobile Authenticator for the details.

Phone call

Answer the call to the phone number indicated and follow the instructions.

One-Time Passcode (OTP)

Enter the one-time passcode (OTP) from a third-party authenticator or from CyberArk Identity to sign in to the user portal. You can also use an offline OTP to authenticate to your macOS or Windows devices.

Using an offline OTP requires that you first log in to the User Portal with an internet connection to configure the offline OTP. See Set up OTPs to authenticate to the User Portal for more information.

Text message (SMS) confirmation code

The link and confirmation code are valid for five minutes. If a user does not respond within this time period, CyberArk Identity cancels the login attempt.

To ensure delivery of SMS messages, CyberArk Identity uses a backup SMS provider and cycles through the providers on SMS retry attempts.

Open the text message sent to the phone number indicated and either click the link or enter the code in the User Portal prompt. If you don't receive the initial SMS message and the Send SMS again link is available (when the countdown timer completes), you can click the link to request a new SMS text message. If the link is not available, you need to refresh the page or click Start Over.

The device must be connected to use the link.


Click a button corresponding to your preferred method. For example:

  • Send Me a Push

  • Call Me

  • Enter a Passcode

If you haven't already set up your device with Duo, you can click Start setup to do that now.

Email confirmation code

Access the relevant email account, open the email message, and click the link or manually enter the one-time code.

QR code

If you select QR Code for challenge 1 in the authentication profile and the user identifies themselves with a QR code, then the user is identified and authenticated at the same time and proceeds to challenge 2.

If you select a different authentication mechanism for challenge 1 and QR Code for challenge 2, then the user must scan a QR code a second time, even if they identified themselves with a QR code.

Mac Cloud Agent does not support QR code authentication for Single Authentication Mechanism.

FIDO2 Authenticator(s) (single factor)

FIDO2 authenticator(s) are either on-device or external security keys that provide passwordless authentication.

See Manage FIDO2 authenticators.

YubiKey OTP

Something you are

FIDO2 Authenticator(s) (multi-factor)

See Manage FIDO2 authenticators.


A passkey can be used to authenticate to an application without a username or password. Passkeys are stored on a user's device to verify the user's identity and count as something you are. A biometric sensor or other device unlock method, such as a fingerprint, PIN, or facial recognition, unlocks the device and creates a passkey that communicates with the application, ensuring that only the authorized user gets access.

Passkeys are based on FIDO2 standards. See the FIDO Alliance on Passkeys for more information.

To configure a passkey, go to Policies > User Security Policies > User Account Settings and select Yes for Enable passkey authentication. See Enable passkeys for more information.

Something you know



Enter your password.

Security Question(s)

Provide the answer to security question(s) you created and/or admin-defined question(s).

You create your security question(s), select admin-defined question(s), and answer on the Accounts page in the user portal—see Specify security question(s) and answer(s).

Your IT administrator can enable some or all of these mechanisms and require you to configure a minimum number of them. For example, your admin might enable all of them, but let you use the two that you find most convenient.

Configure enabled authentication factors

  1. Sign in to the User Portal.

    On your first login after an MFA policy is applied to you, you will see a wizard to assist in configuring your authentication factors.

  2. Click Get Started.

    The wizard advances to a screen showing available authentication factors for you to configure.

  3. Select and configure authentication factors that you want to use until you have met the required number of configured factors.

    In the following image, your admin has required you to configure at least two factors before you can click Done to exit the wizard.

  4. Click Done after you have finished configuring the minimum number of authentication factors.

    If the option to map custom Active Directory attributes to the Mobile Number field is enabled and configured, the Mobile Number used for authentication is mapped to the custom attribute field in Active Directory.

Sign in with multi-factor authentication

Your options are displayed in a drop-down list in the login prompt. Make your selection after you enter your password.

If you are required to use multi-factor authentication, CyberArk Identity waits until you enter all challenges before giving the authentication response (pass or fail). For example, if you enter the wrong password for the first challenge, you won't see the authentication failure message until after you respond to the second challenge.

If you fail your first challenge and the second challenge is SMS, email, or phone call, then by default CyberArk Identity does not send the SMS or email and does not trigger the phone call. Your systems administrator can contact CyberArk support to change this configuration.
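The deferred verdict and the suppressed SMS/email/phone delivery described above, together with the five-minute code validity from the SMS section, can be modeled in a few lines of Python. This is an added example, not CyberArk code; the class, the delivery callback, the password-hashing scheme and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 5 * 60  # the page: SMS link and code are valid for five minutes
SALT = b"constructed-demo-salt"  # constructed sample value


def hash_pw(password, salt=SALT):
    # Assumed storage scheme for this sketch (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TwoChallengeLogin:
    """Toy model: password first, then an SMS/email/phone code; one final verdict."""

    def __init__(self, password_hash, mechanism, send):
        self.password_hash = password_hash
        self.mechanism = mechanism      # "sms", "email" or "phone"
        self.send = send                # hypothetical delivery callback
        self.first_ok = False
        self.code = None
        self.issued_at = 0.0

    def answer_first(self, password, now=0.0):
        self.first_ok = hmac.compare_digest(hash_pw(password), self.password_hash)
        if self.first_ok:
            # Only a correct first challenge triggers out-of-band delivery.
            self.code = f"{secrets.randbelow(10**6):06d}"
            self.issued_at = now
            self.send(self.mechanism, self.code)
        # Same prompt either way: no pass/fail signal is given yet.
        return f"Respond to the {self.mechanism} challenge"

    def answer_second(self, code, now=0.0):
        fresh = now - self.issued_at <= CODE_TTL_SECONDS
        second_ok = (self.code is not None and fresh
                     and hmac.compare_digest(code.encode(), self.code.encode()))
        # Combined verdict, returned only after every challenge is answered.
        return "pass" if self.first_ok and second_ok else "fail"


if __name__ == "__main__":
    outbox = []
    login = TwoChallengeLogin(hash_pw("correct horse"), "sms",
                              lambda mech, code: outbox.append((mech, code)))
    print(login.answer_first("wrong guess"), "| messages sent:", len(outbox))
    print(login.answer_second("000000"))
```

Because the prompt after the first challenge is the same for a right and a wrong password, and no message goes out after a wrong one, a person guessing passwords learns nothing until the final combined verdict and cannot use failed guesses to flood the account owner's phone or inbox.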
