About MFA options for use with Centrify PAS and Centrify Server Suite

Centrify PAS and Centrify Server Suite can support identity assurance by way of multi-factor authentication using the following mechanisms:

| Mechanism | NIST 800-53 Assurance | Portal | Client | Notes | Help |
|---|---|---|---|---|---|
| FIDO2 Authenticator | High | Supported | Partially Supported | Provides support for YubiKey, Windows Hello, and other password-less mechanisms. | How to enable FIDO2 authentication |
| 3rd Party RADIUS Authentication | High | Supported | Supported | Provides MFA brokering for legacy or RADIUS-enabled mechanisms like SecurID, Symantec VIP, Okta RADIUS, Microsoft MFA RADIUS, and so forth. | For use with the Connector: How to configure Privileged Access Service for RADIUS |
| Centrify Mobile Authenticator | High | Supported | Supported | Provides support for the Centrify Mobile Authenticator, which includes Push MFA and Conditional Access. | Using Mobile Authenticator |
| OATH OTP Client | Medium | Supported | Supported | Provides support for any OATH-compatible authenticator such as Google Authenticator, Red Hat Authenticator, Yubico Authenticator, and so forth. | How to configure OATH OTP |
| Text message (SMS) confirmation code | Medium | Supported | Supported | Provides SMS-OTP or SMS-Push (if allowed by carrier) for users that have a mobile number in their profile. | Authentication mechanisms |
| Security Question | Low | Supported | Supported | Provides support for additional secrets in the form of Security Questions. | Authentication mechanisms |
| Password | Low | Supported | Supported | Provides support for a "what you know" secret password. The password policy (such as length, complexity and expiration) is enforceable in the source directory. | Authentication mechanisms |

You can use a combination of authentication mechanisms by creating different authentication profiles. Within each authentication profile, you define which mechanisms to use and which users they're for.

You can stack authentication mechanisms with these authentication profiles, and you can apply authentication profiles to different user populations by way of policies (for example, employees can use a password + mobile authenticator while contractors use a password + OATH OTP).

You can also configure your authentication profile with a grace period: under certain conditions, if a user needs to re-authenticate during a specified time frame, they don't have to supply credentials again. The MFA grace period applies only to Active Directory users logging in to a Windows system that is joined to Active Directory. For details about how to set up an authentication profile with an MFA grace period, see To create an authentication profile.
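The following is an added example, not Centrify code or its API: a small Python model of how stacked profiles, per-population policies and the grace-period rule described above fit together, plus a check a defender can run to spot a population whose profile never reaches the assurance level required of it. The `directory` and `endpoint` labels, the `POLICY` mapping and the 8-hour grace period are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assurance level per mechanism, taken from the NIST 800-53 column of the table above.
ASSURANCE = {"FIDO2": "High", "RADIUS": "High", "Mobile Authenticator": "High",
             "OATH OTP": "Medium", "SMS": "Medium", "Security Question": "Low", "Password": "Low"}
RANK = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class AuthProfile:
    name: str
    mechanisms: List[str]                     # stacked mechanisms; all must be satisfied
    grace_period: Optional[timedelta] = None  # None: no grace period configured

@dataclass
class LoginContext:
    population: str                           # policy maps a population to a profile
    directory: str                            # "AD" or "cloud" (assumed labels)
    endpoint: str                             # "windows-ad-joined", "portal", ... (assumed)
    last_mfa_at: Optional[datetime] = None    # when the user last completed the profile

def profile_assurance(profile: AuthProfile) -> str:
    """Highest assurance level reached by the stacked mechanisms."""
    return max((ASSURANCE[m] for m in profile.mechanisms), key=RANK.__getitem__)

def grace_applies(profile: AuthProfile, ctx: LoginContext, now: datetime) -> bool:
    """The grace period only covers AD users logging in to an AD-joined Windows system."""
    if profile.grace_period is None or ctx.last_mfa_at is None:
        return False
    if ctx.directory != "AD" or ctx.endpoint != "windows-ad-joined":
        return False
    return now - ctx.last_mfa_at <= profile.grace_period

def required_challenges(policy: Dict[str, AuthProfile], ctx: LoginContext,
                        now: datetime) -> List[str]:
    """Mechanisms the user must still satisfy; empty when the grace period applies."""
    profile = policy[ctx.population]
    return [] if grace_applies(profile, ctx, now) else list(profile.mechanisms)

def below_minimum(policy: Dict[str, AuthProfile], minimum: Dict[str, str]) -> List[str]:
    """Populations whose profile never reaches the assurance level required of them."""
    return [pop for pop, level in minimum.items()
            if RANK[profile_assurance(policy[pop])] < RANK[level]]

# Constructed policy mirroring the text: employees password + mobile authenticator
# (8-hour grace period), contractors password + OATH OTP (no grace period).
POLICY = {"employees": AuthProfile("emp-mfa", ["Password", "Mobile Authenticator"],
                                   timedelta(hours=8)),
          "contractors": AuthProfile("con-mfa", ["Password", "OATH OTP"])}
```

Running `below_minimum(POLICY, {"employees": "High", "contractors": "High"})` flags `contractors`, since OATH OTP tops out at Medium assurance in the table above.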

For details about the following topics, see the links below: