The first step in preparing authentication profiles is to create the profile.
To create an authentication profile:
- Open a browser and log on to Privileged Access Service using your customer-specific URL.
- Navigate to Settings > Authentication.
  Three default authentication profiles are available out-of-the-box:
  - Default New Device Login Profile: Uses Password for the first challenge and Mobile Authenticator, Text message (SMS) confirmation code, Email confirmation code, or OATH OTP Client for the second challenge, with a 12-hour pass-through duration.
  - Default Other Login Profile: Uses Password for the first challenge and no second challenge, with a 12-hour pass-through duration.
  - Default Password Reset Profile: Lets users choose Mobile Authenticator, Text message (SMS) confirmation code, Email confirmation code, or OATH OTP Client for the first challenge, with a 12-hour pass-through duration.
- Select an existing authentication profile or click Add Profile.
(Figure: the fields needed to add a new profile.)
- Type the authentication profile name.
- Select the types of authentication to present for the first challenge.
Note: A second challenge is not required. Challenge two is an additional mechanism.
The pass-through option does not apply to Windows, Linux, or UNIX MFA logins unless you specify otherwise in the policy settings.
Select the authentication mechanism(s) you require and want to make available to users. Some authentication mechanisms require additional configurations before users can authenticate using those mechanisms. See Authentication mechanisms for information about each authentication mechanism.
For example, you can require that the first challenge be the user’s account password. Then for the second challenge, users can choose between an email confirmation code, security question, or text message confirmation code.
If you have multiple challenges, Privileged Access Service waits until users have answered all challenges before returning the authentication response (pass or fail). For example, if users enter the wrong password for the first challenge, the authentication failure message is not sent until after users respond to the second challenge.
If users fail their first challenge and the second challenge is SMS, email, or phone call, the default configuration is that Privileged Access Service will not send the SMS/email or trigger the phone call. Contact support to change this configuration.
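The two behaviours described above (a single pass/fail verdict only after every challenge has been answered, and no SMS, email, or phone-call delivery once the first challenge has already failed) are worth seeing as logic, because both exist to stop a login prompt from leaking which factor was wrong and from letting an unauthenticated caller burn message deliveries. The following is an added illustration written for this page, not Privileged Access Service code: the credential store, the contact details, the `LoginAttempt` class and its method names are all constructed here, the authenticator check is a stand-in dictionary rather than a real OATH verification, and the pass-through helper assumes that "pass-through duration" means a user who authenticated within that window is not re-challenged.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample stores; a real deployment verifies against the directory
# and the user's enrolled factors instead.
USER_PASSWORDS = {"alice": "correct horse battery staple"}
USER_CONTACTS = {"alice": {"Email": "alice@example.invalid", "SMS": "+1-555-0100"}}
USER_AUTHENTICATOR_CODES = {"alice": "246810"}   # stand-in for a live OATH/mobile check

# Mechanisms that deliver something to the user out of band and so cost a message.
OUT_OF_BAND = {"SMS", "Email", "Phone call"}


@dataclass
class AuthProfile:
    name: str
    challenge1: list
    challenge2: list            # empty list means no second challenge
    pass_through: timedelta


# Constructed to mirror the "Default New Device Login Profile" described on the page.
DEFAULT_NEW_DEVICE = AuthProfile(
    name="Default New Device Login Profile",
    challenge1=["Password"],
    challenge2=["Mobile Authenticator", "SMS", "Email", "OATH OTP Client"],
    pass_through=timedelta(hours=12),
)


def within_pass_through(profile, last_success, now):
    """Assumption: a successful login inside the pass-through window is not re-challenged."""
    return last_success is not None and now - last_success < profile.pass_through


def _equal(a, b):
    return secrets.compare_digest(a.encode(), b.encode())


@dataclass
class LoginAttempt:
    profile: AuthProfile
    user: str
    outbox: list = field(default_factory=list)   # codes that were actually delivered
    _first_done: bool = False
    _first_ok: bool = False
    _expected_code: str = None

    def submit_first(self, mechanism, secret):
        """Evaluate challenge one but reveal nothing about its outcome yet."""
        if mechanism not in self.profile.challenge1:
            raise ValueError("mechanism not offered for challenge 1")
        # Only Password is modelled here; compare in constant time.
        self._first_ok = mechanism == "Password" and _equal(secret, USER_PASSWORDS.get(self.user, ""))
        self._first_done = True
        if self.profile.challenge2:
            return "challenge2"          # same answer whether or not the password was right
        return self._verdict(True)       # no second challenge: verdict now

    def request_second(self, mechanism):
        """Prepare challenge two; out-of-band delivery happens only if challenge one passed."""
        if not self._first_done or mechanism not in self.profile.challenge2:
            raise ValueError("challenge 2 requested out of order or with an unoffered mechanism")
        if mechanism in OUT_OF_BAND:
            self._expected_code = f"{secrets.randbelow(10**6):06d}"
            if not self._first_ok:
                return                   # default on the page: no SMS/email/call after a failed first challenge
            self.outbox.append((mechanism, USER_CONTACTS[self.user][mechanism], self._expected_code))
        else:
            self._expected_code = USER_AUTHENTICATOR_CODES.get(self.user)

    def submit_second(self, code):
        """Return the single pass/fail verdict only now, after both challenges were answered."""
        second_ok = self._expected_code is not None and _equal(code, self._expected_code)
        return self._verdict(second_ok)

    def _verdict(self, second_ok):
        return "pass" if (self._first_ok and second_ok) else "fail"


if __name__ == "__main__":
    attempt = LoginAttempt(DEFAULT_NEW_DEVICE, "alice")
    print(attempt.submit_first("Password", "wrong password"))   # "challenge2", nothing leaked
    attempt.request_second("SMS")
    print(attempt.outbox)                                        # [], delivery suppressed
    print(attempt.submit_second("000000"))                       # "fail"
```

The point to notice is in `submit_first`: a wrong password and a right password produce the identical reply whenever a second challenge exists, so an attacker probing the first factor gets no earlier or different signal, and `request_second` only touches the outbox once the first factor has actually passed.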