About MFA options for use with Centrify software
Centrify software can support identity assurance by way of multi-factor authentication using the following mechanisms:

Mechanism | NIST 800-53 Assurance | Portal | Client | Notes | Help |
---|---|---|---|---|---|
FIDO2 Authenticator | High | Supported | Partially Supported | Provides support for YubiKey, Windows Hello, and other password-less mechanisms. | |
3rd Party RADIUS Authentication | High | Supported | Supported | Provides MFA brokering for legacy or RADIUS-enabled mechanisms such as SecurID, Symantec VIP, Okta RADIUS, Microsoft MFA RADIUS, and so forth. | For use with the Connector: How to configure Privileged Access Service for RADIUS |
Centrify Mobile Authenticator | High | Supported | Supported | Provides support for the Centrify Mobile Authenticator, which includes Push MFA and Conditional Access. | |
OATH OTP Client | Medium | Supported | Supported | Provides support for any OATH-compatible authenticator such as Google Authenticator, Red Hat Authenticator, Yubico Authenticator, and so forth. | |
Text message (SMS) confirmation code | Medium | Supported | Supported | Provides SMS-OTP or SMS-Push (if allowed by the carrier) for users who have a mobile number in their profile. | |
Security Question | Low | Supported | Supported | Provides support for additional secrets in the form of security questions. | |
Password | Low | Supported | Supported | Provides support for a "what you know" secret password. The password policy (such as length, complexity, and expiration) is enforceable in the source directory. | |
You can use a combination of authentication mechanisms by creating different authentication profiles. Within each authentication profile, you define which mechanisms to use and which users they're for.
You can stack authentication mechanisms with these authentication profiles, and you can apply authentication profiles to different user populations by way of policies (for example, employees use a password + mobile authenticator while contractors use a password + OATH OTP).
You can also configure your authentication profile with a grace period, so that under certain conditions a user who needs to re-authenticate within a specified time frame doesn't have to supply credentials again. The MFA grace period applies only to Active Directory users logging in to a Windows system that is joined to Active Directory. For details about how to set up an authentication profile with an MFA grace period, see To create an authentication profile.
For details about the following topics, see the links below:
- How to create a policy set and assign it to users
- For additional information about Authentication Assurance Levels, review the latest NIST 800-53 publication such as https://pages.nist.gov/800-63-3/sp800-63b.html.