About MFA options for use with Centrify software

Centrify software can support identity assurance by way of multi-factor authentication authentication using the following mechanisms:

Mechanism	NIST 800-53 Assurance	Portal	Client	Notes	Help
FIDO2 Authenticator	High	Supported	Partially Supported	Provides support for YubiKey, Windows Hello, and other password-less mechanisms	How to enable FIDO2 authentication
3rd Party RADIUS Authentication	High	Supported	Supported	Provides MFA brokering for legacy or RADIUS-enabled mechanisms like SecurID, Symantec VIP, Okta RADIUS, Microsoft MFA RADIUS, and so forth.	For use with the Connector: How to configure Privileged Access Service for RADIUS
Centrify Mobile Authenticator	High	Supported	Supported	Provides Support for the Centrify Mobile Authenticator that includes Push MFA and Conditional Access	Using Mobile Authenticator
OATH OTP Client	Medium	Supported	Supported	Provides support for any OATH-compatible authenticatior such as Google Authenticator, Red Hat Authenticator, Yubico Authenticator, and so forth.	How to configure OATH OTP
Text message (SMS) confirmation code	Medium	Supported	Supported	Provides SMS-OTP or SMS-Push (if allowed by carrier) for users that have a mobile number in their profile.	Authentication mechanisms
Security Question	Low	Supported	Supported	Provides support for additional secrets in the form of Security Questions.	Authentication mechanisms
Password	Low	Supported	Supported	Provides support for "what you know" secret password.  The password policy (such as length, complexity and expiration) are enforceable in the source directory.	Authentication mechanisms

You can use a combination of authentication mechanisms by creating different authentication profiles. Within each authentication profile, you define which mechanisms to use and which users they're for.

You can stack authentication mechanisms with these authentication profiles;  you can apply authentication profiles to different user populations by way of policies (for example, employees can use a password + mobile authenticator compared to how contractors use a password + OATH OTP).

You can also configure your authentication profile with a grace period, where under certain conditions if a user needs to re-authenticate during a specified time frame then they don't have to supply credentials again. The MFA grace period applies only to Active Directory users logging in to a Windows system that is joined to Active Directory. For details about how to set up an authentication profile with a MFA grace period, see To create an authentication profile .

For details about the following topics, see the links below:

• Authenticate

• How to create a policy set and assign it to users
• For additional information about Authentication Assurance Levels, review the latest NIST 800-53 publication such as https://pages.nist.gov/800-63-3/sp800-63b.html.