Authentication grace periods

When you have authenticated with a Centrify component either with Windows authentication or MFA, you have a short period of time where you won't need to re-authenticate for the same type of item.

Understand that there are 3 types of grace periods for authentication:

  • Lock Screen MFA grace period
  • User Privilege Elevation for MFA grace period
  • User Privilege Elevation for Windows Authentication grace period

Your administrator enables and configures these grace periods by way of a group policy, and each grace period type has its own policy. By default, these grace periods are not in effect.

For the lock screen MFA grace period, when you lock the screen within the grace period (either you lock the screen yourself or if your screen saver does it for you), you can unlock the login session without an MFA challenge.

If the group policy "Continue with MFA Challenges after failed windows authentication in Logon Screen" is enabled, then the lock screen MFA grace period is disabled automatically.

For the user privilege elevation grace period (MFA or Windows authentication) , the grace period is triggered when you either run an application with privilege, switch to a privileged desktop, or create a new privileged desktop. During the grace period, you aren't requested to re-authenticate by way of MFA or Windows authentication, respectively.

For both the user privilege elevation grace periods (MFA and Windows authentication), you can clear the grace period manually. To clear the grace period, right-click the Centrify icon in the system tray and select Clear Grace Period > MFA or Clear Grace Period > Windows Authentication. The Clear Grace Period option is only enabled if you're within the user privilege elevation grace period.