About MFA options for use with Centrify software

Centrify software can support identity assurance by way of multi-factor authentication using the following mechanisms:

| Mechanism | NIST 800-53 Assurance | Portal | Client | Notes | Help |
|---|---|---|---|---|---|
| FIDO2 Authenticator | High | Supported | Partially Supported | Provides support for YubiKey, Windows Hello, and other password-less mechanisms. | How to enable FIDO2 authentication |
| 3rd Party RADIUS Authentication | High | Supported | Supported | Provides MFA brokering for legacy or RADIUS-enabled mechanisms like SecurID, Symantec VIP, Okta RADIUS, Microsoft MFA RADIUS, and so forth. | For use with the Connector: How to configure Privileged Access Service for RADIUS |
| Centrify Mobile Authenticator | High | Supported | Supported | Provides support for the Centrify Mobile Authenticator, which includes Push MFA and Conditional Access. | Using Mobile Authenticator |
| OATH OTP Client | Medium | Supported | Supported | Provides support for any OATH-compatible authenticator such as Google Authenticator, Red Hat Authenticator, Yubico Authenticator, and so forth. | How to configure OATH OTP |
| Text message (SMS) confirmation code | Medium | Supported | Supported | Provides SMS-OTP or SMS-Push (if allowed by carrier) for users that have a mobile number in their profile. | Authentication mechanisms |
| Security Question | Low | Supported | Supported | Provides support for additional secrets in the form of Security Questions. | Authentication mechanisms |
| Password | Low | Supported | Supported | Provides support for a "what you know" secret password. The password policy (such as length, complexity and expiration) is enforceable in the source directory. | Authentication mechanisms |

You can use a combination of authentication mechanisms by creating different authentication profiles. Within each authentication profile, you define which mechanisms to use and which users they're for. For example, you could set up

Mechanisms can be stacked in the form of "Authentication Profiles"; these can be applied to different user populations (e.g. employees use password + mobile authenticator vs. contractors use password + OATH OTP) via the PAS Policy Engine.

For details about the following topics, see the links below: