Requiring multi-factor authentication to log on

You can configure multi-factor authentication for users logging on to Centrify-managed computers to improve the security of physical or virtual data centers. You can assign the predefined require MFA for login role in combination with the UNIX Login role, so that users who are assigned both roles must provide more than one form of authentication. You can also create custom role definitions that include the Require multi-factor authentication for login system right. Before setting this system right, however, you should be aware that multi-factor authentication for Centrify-managed computers relies on the infrastructure provided by the Centrify identity platform and Centrify identity services.

As a preview, here are the steps involved in enabling multi-factor authentication for Centrify-managed computers in hierarchical zones:

  • Register for Privileged Access Service.
  • Install and configure at least one connector for communication with Privileged Access Service.
  • Verify the users who are required to provide more than one form of authentication have valid Active Directory accounts that are active in Privileged Access Service.
  • Add or select the authentication profiles that specify the types of authentication challenges to support.
  • Create a role with the appropriate computer members and administrative rights for multi-factor authentication.
  • Verify the identity platform instance URL you want to use if you have access to more than one instance.

After you have completed the preliminary steps, you can assign users the predefined require MFA for login role or a custom role with the Require multi-factor authentication for login system right to require two-step authentication when logging on using PAM applications. These preliminary steps are also required if you want to create command rights that require two-step authentication when executing commands using elevated privileges (dzdo) or in restricted shell (dzsh) environments.
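The role combinations described above, as an added example that is not part of this guide and not Centrify's code: a small Python model of how a user's assigned roles resolve into a login decision. It assumes (as a modelling simplification) that a user's effective system rights are the union of the rights of all assigned roles, that the predefined UNIX Login role grants only the login right, and that the predefined require MFA for login role grants only the Require multi-factor authentication for login system right. The custom role name `ops-login-with-mfa`, the user names and the `platform_reachable` flag are constructed for the example; the fail-closed behaviour when the identity platform cannot issue a challenge is a choice of this model, not behaviour this page documents.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable


class Right(Enum):
    # Illustrative labels for this model, not Centrify's internal identifiers.
    # REQUIRE_MFA stands for the "Require multi-factor authentication for
    # login" system right named in the text.
    LOGIN = "login"
    REQUIRE_MFA = "Require multi-factor authentication for login"


@dataclass(frozen=True)
class Role:
    name: str
    rights: FrozenSet[Right]


# Constructed role definitions. The two predefined roles are modelled as
# carrying exactly the rights the text attributes to them; the custom role
# is a hypothetical definition that carries both rights in one role.
ROLE_DEFINITIONS: Dict[str, Role] = {
    "UNIX Login": Role("UNIX Login", frozenset({Right.LOGIN})),
    "require MFA for login": Role("require MFA for login", frozenset({Right.REQUIRE_MFA})),
    "ops-login-with-mfa": Role("ops-login-with-mfa", frozenset({Right.LOGIN, Right.REQUIRE_MFA})),
}


class LoginDecision(Enum):
    DENIED = "no login right"
    SINGLE_FACTOR = "login allowed, no second factor"
    MFA_REQUIRED = "login allowed, second factor required"
    MFA_UNAVAILABLE = "second factor required but cannot be challenged"


def effective_rights(assigned: Iterable[str], definitions: Dict[str, Role] = ROLE_DEFINITIONS) -> FrozenSet[Right]:
    """Union of the rights of every assigned role (assumed combination rule)."""
    rights = set()
    for name in assigned:
        if name not in definitions:
            raise ValueError(f"unknown role: {name!r}")
        rights |= definitions[name].rights
    return frozenset(rights)


def login_decision(assigned: Iterable[str], definitions: Dict[str, Role] = ROLE_DEFINITIONS,
                   platform_reachable: bool = True) -> LoginDecision:
    """Resolve a user's assigned roles into a login outcome."""
    rights = effective_rights(assigned, definitions)
    if Right.LOGIN not in rights:
        # The MFA role on its own does not grant login; it only adds a requirement.
        return LoginDecision.DENIED
    if Right.REQUIRE_MFA not in rights:
        return LoginDecision.SINGLE_FACTOR
    if not platform_reachable:
        # Model choice: fail closed when the identity platform that issues the
        # challenge is unavailable. The page only states that MFA depends on it.
        return LoginDecision.MFA_UNAVAILABLE
    return LoginDecision.MFA_REQUIRED


def audit(assignments: Dict[str, Iterable[str]], definitions: Dict[str, Role] = ROLE_DEFINITIONS) -> Dict[str, str]:
    """Flag assignments that need attention: an MFA role without any login
    role (the user cannot log in at all), or a login role with no MFA right
    (the user logs in with a single factor)."""
    findings: Dict[str, str] = {}
    for user, roles in assignments.items():
        rights = effective_rights(roles, definitions)
        if Right.REQUIRE_MFA in rights and Right.LOGIN not in rights:
            findings[user] = "MFA role assigned but no login role"
        elif Right.LOGIN in rights and Right.REQUIRE_MFA not in rights:
            findings[user] = "login permitted without a second factor"
    return findings


if __name__ == "__main__":
    # Constructed sample assignments for three hypothetical users.
    sample = {
        "alice": ["UNIX Login", "require MFA for login"],
        "bob": ["require MFA for login"],
        "carol": ["UNIX Login"],
    }
    for user, roles in sample.items():
        print(f"{user}: {login_decision(roles).value}")
    print("findings:", audit(sample))
```

Running the module prints one decision per sample user and the audit findings; in practice the `assignments` mapping would be populated from an export of your zone's role assignments rather than from constructed data.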

The preliminary steps are also required to support multi-factor authentication in classic zones and Auto Zone. However, the implementation is slightly different from that in hierarchical zones, so some of the steps differ depending on the type of zone where you want to use multi-factor authentication. For more information about preparing to use multi-factor authentication, see "Preparing to use multi-factor authentication" in the Multi-factor Authentication Quick Start Guide.