Using multi-factor authentication

Some organizations require you to provide multi-factor authentication when you log in to the Admin Portal, open an application, or register a device. Multi-factor authentication means you must enter your password plus provide another form of authentication to log in.

Privileged Access Service provides the following forms of authentication:

Authentication form

How you respond to complete the login

Mobile Authenticator

You can respond using either the Mobile Authenticator option in the Privileged Access Service application or your device’s notification service. See Using Mobile Authenticator for the details.

One-time-passcode (OTP)

You enter the one-time-passcode (OTP) from a third-party authenticator or from Privileged Access Service to log in to the Admin Portal. You can also use an offline OTP to authenticate to your Mac or Windows 10 devices.

Using an offline OTP requires that you first log in to Admin Portal with an internet connection to configure the offline OTP. See Using OTPs to authenticate for more information.

Email verification code

Access the relevant email account, open the email message, and click the link or manually enter the one-time code.

SMS verification code

Open the text message sent to the phone number indicated and either click the link or enter the code in the Admin Portal prompt.

Note: The device must be connected to use the link.

Answer Security Question

Provide the answer to security question(s) you created and/or admin-defined question(s).

You create your security question(s), select admin-defined question(s), and answer on the Accounts page in the Admin Portal—see Specifying security question(s) and answer(s).

Phone call

Answer the call to the phone number indicated and follow the instructions.

FIDO2 Authenticator(s)

FIDO2 authenticator(s) are either on-device or external security keys that provide passwordless authentication.

See Using FIDO2 Authenticators.

Your IT administrator can enable all of them or just some of them. Your options are displayed in a drop-down list in the login prompt. Make your selection after you enter your password.

If you are required to use multi-factor authentication, Privileged Access Service waits until you respond to all challenges before giving the authentication response (pass or fail). For example, if you enter the wrong password for the first challenge, we will not send the authentication failure message until after you respond to the second challenge.

If you fail your first challenge and the second challenge is SMS, email, or phone call, the default configuration is that Privileged Access Service will not send the SMS/email or trigger the phone call. Your systems administrator can contact Centrify support to change this configuration.
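
The deferred pass/fail response and the suppressed SMS/email/phone delivery described above can be sketched as follows. This is an added example, not Privileged Access Service code; it generalizes the two-challenge case to any ordered list of challenges. The class, function and option names and the sample credentials are hypothetical and constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

# Mechanisms that send a message or place a call to the user.
OUT_OF_BAND = {"sms", "email", "phone_call"}

@dataclass
class LoginSession:
    expected: dict                 # mechanism -> correct response (constructed sample data)
    challenges: list               # ordered mechanisms, e.g. ["password", "sms"]
    send_after_failure: bool = False   # False mirrors the default described above
    delivered: list = field(default_factory=list)  # out-of-band messages actually sent
    results: list = field(default_factory=list)    # per-challenge outcome, never returned early

    def respond(self, answer: str):
        """Record the answer to the current challenge.

        Returns None while challenges remain, so the caller cannot tell
        which one failed; returns "pass" or "fail" only after the last one.
        """
        mechanism = self.challenges[len(self.results)]
        ok = hmac.compare_digest(answer.encode(), self.expected[mechanism].encode())
        self.results.append(ok)
        if len(self.results) < len(self.challenges):
            self._start_next()
            return None
        return "pass" if all(self.results) else "fail"

    def _start_next(self):
        nxt = self.challenges[len(self.results)]
        # Only deliver an SMS/email/call if every earlier challenge passed,
        # unless the deployment has been reconfigured to always deliver.
        if nxt in OUT_OF_BAND and (all(self.results) or self.send_after_failure):
            self.delivered.append(nxt)  # stand-in for the real send

def run_login(answers, **options):
    """Drive a password + SMS login; return (verdict after each answer, messages sent)."""
    session = LoginSession(
        expected={"password": "correct horse", "sms": "123456"},  # constructed values
        challenges=["password", "sms"],
        **options,
    )
    return [session.respond(a) for a in answers], session.delivered

if __name__ == "__main__":
    print(run_login(["wrong", "123456"]))          # wrong password, right code
    print(run_login(["correct horse", "123456"]))  # both correct
```
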