To create an authentication profile
The first step in preparing authentication profiles is to create the profile.
- Open a browser and log on to the Privileged Access Service using your customer-specific URL.
- Switch to the administrative portal, then click Settings and click Authentication.
Three default authentication profiles are available out-of-the-box:
Default New Device Login Profile: Uses Password for the first challenge and Mobile Authenticator, Text message (SMS) confirmation code, Email confirmation code, or OATH OTP Client for the second challenge with a 12 hours pass-through duration.
Default Other Login Profile: Uses Password for the first challenge and no secondary challenge with a 12 hours pass-through duration.
Default Password Reset Profile: Gives the option for users to use Mobile Authenticator, Text message (SMS) confirmation code, Email confirmation code, or OATH OTP Client for the first challenge with a 12 hours pass-through duration.
Select an existing Authentication Profile or click Add Profile.
The fields needed to add new profile.
Type the authentication profile name.
Select the types of authentication to present for the first challenge.
Note: The second authentication is not needed. Challenge two is a third mechanism.
The pass-through option applies to Active Directory user MFA logins on systems that are joined to Active Directory.
Note: Only the authentication challenges that are applicable for a user can be presented. For example, you might select Phone call and Email confirmation code in the authentication profile, but these challenges are only valid if users have both a phone number and email address stored for their accounts. If users only have a phone number and not an email address stored, they will receive a phone call to complete the authentication process rather than be prompted to select an authentication option. If users have both a phone number and an email address stored, they will be prompted to select which form of authentication to use.
- Select the authentication mechanism(s) you require and want to make available to users. Some authentication mechanisms require additional configurations before users can authenticate using those mechanisms. See Authentication mechanisms for information about each authentication mechanism. For example, you can require that the first challenge be the user’s account password. Then for the second challenge, users can choose between an email confirmation code, security question, or text message confirmation code.
- If you have multiple challenges, Privileged Access Service waits until users enter all challenges before giving the authentication response (pass or fail). For example, if users enter the wrong password for the first challenge, we will not send the authentication failure message until after users respond to the second challenge.
- If users fail their first challenge and the second challenge is SMS, email, or phone call, the default configuration is that Privileged Access Service will not send the SMS/email or trigger the phone call. Contact support to change this configuration.