About MFA options for use with Centrify software
Centrify software can support identity assurance by way of multi-factor authentication authentication using the following mechanisms:
| Mechanism | NIST 800-53 Assurance | Portal | Client | Notes | Help |
|---|---|---|---|---|---|
|
FIDO2 Authenticator |
High |
Supported |
Partially Supported |
Provides support for YubiKey, Windows Hello, and other password-less mechanisms |
|
|
3rd Party RADIUS Authentication |
High |
Supported |
Supported |
Provides MFA brokering for legacy or RADIUS-enabled mechanisms like SecurID, Symantec VIP, Okta RADIUS, Microsoft MFA RADIUS, and so forth.
|
For use with the Connector: How to configure Privileged Access Service for RADIUS |
|
Centrify Mobile Authenticator |
High |
Supported |
Supported |
Provides Support for the Centrify Mobile Authenticator that includes Push MFA and Conditional Access |
|
|
OATH OTP Client |
Medium |
Supported |
Supported |
Provides support for any OATH-compatible authenticatior such as Google Authenticator, Red Hat Authenticator, Yubico Authenticator, and so forth. |
|
|
Text message (SMS) confirmation code |
Medium |
Supported |
Supported |
Provides SMS-OTP or SMS-Push (if allowed by carrier) for users that have a mobile number in their profile. |
|
|
Security Question |
Low |
Supported |
Supported |
Provides support for additional secrets in the form of Security Questions. |
|
|
Password |
Low |
Supported |
Supported |
Provides support for "what you know" secret password. The password policy (such as length, complexity and expiration) are enforceable in the source directory. |
You can use a combination of authentication mechanisms by creating different authentication profiles. Within each authentication profile, you define which mechanisms to use and which users they're for. For example, you could set up
Mechanisms can be stacked in the form of "Authentication Profiles"; these can be applied to different user populations (e.g. employees use password + mobile authenticator vs. contractors use password + OATH OTP) via the PAS Policy Engine.
For details about the following topics, see the links below:
- How to create a policy set and assign it to users
- For additional information about Authentication Assurance Levels, review the latest NIST 800-53 publication such as https://pages.nist.gov/800-63-3/sp800-63b.html.
Doc Feedback