This topic introduces you to CyberArk Remote Access, a SaaS based service that combines Zero Trust access, biometric authentication and seamless just-in-time provisioning for remote vendors connecting to the Privileged Access Manager - Self-Hosted solution and CyberArk Identity web apps.

What is Remote Access?

CyberArk Remote Access is a SaaS based service that integrates with PAM - Self-Hosted and CyberArk Identity web apps for complete visibility and control of remote privileged activities without the need for VPNs, agents or passwords.

Remote Access is specifically designed to provide fast, easy and secure privileged access for remote vendors that need to access critical internal systems that are managed by CyberArk. The cloud-based, multi-factor authentication provided with Remote Access leverages the biometric capabilities from smartphones, which in turn allows authorized remote vendors just-in-time secure privileged access with a simple glance or tap of a finger.

Remote Access eliminates the need for VPN clients, security agents or passwords that can frustrate users, add risk, and create administrative headaches. Instead, remote vendors authenticate using native smartphone facial or fingerprint recognition functionality and are provisioned and authenticated for secure access to PAM - Self-Hosted or CyberArk Identity web apps via Remote Access. Remote Access integrates zero trust access, biometric multi-factor authentication, just-in-time provisioning and full integration with PAM - Self-Hosted and CyberArk Identity web apps for full visibility and audit for administrators, into one single SaaS solution.

How does it work?

When a remote user attempts to log in to the CyberArk web portal, Remote Access displays a one-time, short-lived QR code on the users's workstation. Using the CyberArk Mobile app, the user scans the QR code and simultaneously authenticates their identity by means of facial or fingerprint recognition. If both the QR code and the biometric data are approved, the remote user is granted secure access to the CyberArk web portal and authorized to access privileged accounts from their workstation. The web browser session is isolated, and credentials are never shared to the end user’s workstation when they enter into critical IT systems for regular work, maintenance, or otherwise. The session is encrypted end-to-end.

Integration with Privileged Access Manager - Self-Hosted

The Privileged Access Manager - Self-Hosted solution mitigates risks by helping enterprises to efficiently manage privileged account access rights, proactively monitor and control privileged account activity, intelligently identify suspicious activity, and quickly and automatically respond to threats. Remote Access integrates seamlessly with the PAM - Self-Hosted solution, providing just-in-time user provisioning and access for remote vendors to ensure that critical assets are only accessed when necessary. The integration also provides enterprise operations and security teams full visibility and control over remote vendors’ privileged access activities.

Depending on organizational requirements, customers can either provision access to remote vendors directly, or delegate responsibility to a Vendor Manager or external vendor manager. Once the remote vendor authenticates via Remote Access, they can connect to PAM - Self-Hosted using the hosted cloud service, Remote Access connector and HTML5 Gateway.

Integration with CyberArk Identity web apps

Remote Access integrates with CyberArk Identity, providing vendors with just-in-time access to web application protected by CyberArk Identity.

Depending on your organizational requirements, vendor users can be created and managed by Remote Access, or the administrator creates and manages the vendor user in CyberArk Identity.

Vendors are assigned in Remote Access with their respective Role in CyberArk Identity, which determines the relevant access to specific applications in your organization.



The CyberArk Mobile app runs on iOS and Android phones. Once the app is downloaded, the user receives an email sent from the organization to access the Remote Access portal. Users confirm their identify by verifying the email address and registered phone by entering a passcode received through SMS.

Biometric authorization is also used to verify and authenticate the user identification and can be mandated during the onboarding process to ensure a successful first-time logon. Biometric data is securely stored natively on the user’s mobile device. The client uses the hosted Remote Access portal to manage external user accounts and audit activity.