Authentication mechanisms

You can select the authentication mechanisms that will be available to users. However, the mechanisms ultimately offered to users on the login prompt depend on the account’s properties. For example, if you select all of the mechanisms but a user account has only a user name and email address, then the login prompt will only offer those two options.

To set the authentication mechanisms, see Creating authentication profiles.

The following mechanisms are available:

  • Password

    When you select this option, users are prompted for either their Active Directory or Privileged Access Service user password when logging in to the Admin portal.

  • Mobile Authenticator

    When you select this option, users authenticate using a one-time passcode displayed by the Centrify application installed on their mobile devices.

    If the device is connected via the cellular network or Wi-Fi, users can send the passcode directly from the device. If the device is not connected, users must enter the passcode manually in the Admin Portal login prompt.

    This option requires users to have the Centrify application installed on their devices, and those devices must be registered in Privileged Access Service.

  • Phone call

    When you select this option, Privileged Access Service calls the user at the stored phone number (mobile or landline) and describes an action the user must perform to complete the authentication. The user completes the action from the device to log in. If your tenant is configured on Privileged Access Service 17.10 or newer, see Enabling phone PIN, because additional configuration is required.

    This option is disabled for new tenants by default. Contact Centrify Support to enable this authentication mechanism.

  • Text message (SMS) confirmation code

    When you select this option, Privileged Access Service sends a text message to the user’s mobile phone with a one-time confirmation code and/or an authentication link. Depending on the language setting, some languages display only the confirmation code while others display the confirmation code and link. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt.

    You can configure the confirmation code length (6 or 8 digits) in Admin Portal Settings > Authentication > Security Settings > Email and SMS passcode length drop-down option. The default is 8 digits.

    Note: The link and confirmation code are valid for 20 minutes. If a user does not respond within this time period, the Privileged Access Service cancels the login attempt.

    This option is disabled for new tenants by default. Contact Centrify Support to enable this authentication mechanism.

  • Email confirmation code

    When you select this option, Privileged Access Service sends a confirmation code and a link to the user’s email address. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt.

    You can configure the confirmation code length (6 or 8 digits) in Admin Portal Settings > Authentication > Security Settings > Email and SMS passcode length drop-down option. The default is 8 digits.

    The link and confirmation code are valid for 20 minutes. If a user does not respond within this time period, the Privileged Access Service cancels the login attempt.

  • FIDO2 Authenticator(s)

    FIDO2 is an authentication standard hosted by the FIDO Alliance. This standard includes the Web Authentication ("WebAuthn") API, which is a specification written by the World Wide Web Consortium (W3C) and FIDO, with participation from additional third parties. The WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys.

    Centrify leverages the WebAuthn API to enable passwordless authentication to the Privileged Access Service using either on-device or external authenticators. On-device authenticators are biometric authenticators integrated into the device hardware. Popular examples are Mac Touch ID, Windows Hello, and fingerprint scanners. External authenticators are security keys that you plug into the device's USB port; for example, a YubiKey.

  • Security Question(s)

    When you select this option, users are prompted to answer user-defined and/or admin-defined security questions. When creating the authentication profile, you can specify the number of questions users must answer. You can also specify the number of user-defined and admin-defined questions available to users. See Enabling multiple security questions. Users create, select, or change the question and answer from their Account page in the Admin Portal.

  • OATH OTP Client

    This text string is configurable and reflects what you entered during the OATH OTP configuration. When you select this option, users can use a third-party authenticator (such as Google Authenticator) to scan a QR code generated by Privileged Access Service and obtain a one-time passcode (OTP). This authentication mechanism requires additional configuration. See How to configure OATH OTP.

  • 3rd Party RADIUS Authentication

    When you select this option, we communicate with your RADIUS server to allow for user authentication into Privileged Access Service. See How to configure Privileged Access Service for RADIUS.
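As an added illustration of the OATH OTP mechanism described above (example code, not Centrify's own implementation), the following shows what the scanned QR code encodes, how the authenticator app derives the passcode (RFC 4226 HOTP / RFC 6238 TOTP), and the server-side check with clock-drift tolerance and replay rejection. The secret, issuer and account name are constructed values.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, at // step, digits)


def provisioning_uri(issuer: str, account: str, secret: bytes,
                     digits: int = 6, step: int = 30) -> str:
    """Key URI in the format authenticator apps read from a QR code (otpauth://)."""
    label = quote(f"{issuer}:{account}", safe="")
    query = urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer, "algorithm": "SHA1", "digits": digits, "period": step,
    })
    return f"otpauth://totp/{label}?{query}"


def verify_totp(secret: bytes, submitted: str, at: int, last_counter: int,
                digits: int = 6, step: int = 30, window: int = 1):
    """Server-side check. Accepts a code from +/- `window` steps to tolerate
    clock drift, compares in constant time, and never accepts a counter at or
    below the last accepted one so a captured code cannot be replayed.
    Returns (accepted, counter_to_store)."""
    counter = at // step
    for candidate in range(counter - window, counter + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return True, candidate
    return False, last_counter


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed demo secret (RFC 6238 test vector)
    print(provisioning_uri("Privileged Access Service", "alice@example.com", secret))
    print(totp(secret, 59), verify_totp(secret, totp(secret, 59), 59, -1))
```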