Setting password checkout policy

You can configure authentication rules and authentication profiles to protect access to the account password for specific accounts. Based on the rules you define, users attempting to check out the password for an account with access to a specific system might be required to provide a password, enter the passcode from a text message, or answer a phone call to authenticate their identity. The authentication rule defines the conditions under which a specific authentication profile is used. The authentication profile defines the types of challenges presented and whether one-factor or two-factor authentication is required. You can also define a default authentication profile to use if the conditions you specify for the checkout rules are not met.

If you don’t create any authentication rules or authentication profiles for password checkouts, users with the appropriate permission can check out stored account passwords without being challenged to re‑authenticate their identity or provide multi-factor authentication.

