You can configure multi-factor authentication for users logging on to Centrify-managed computers to improve the security of physical or virtual data centers. You can do this by assigning the predefined require MFA for login role to users who are required to provide more than one form of authentication. Alternatively, for UNIX and Linux roles, you can also create custom role definitions with the Require multi‑factor authentication for login system right selected. Because the Windows Login role can be assigned to local accounts, there is no system right for multi-factor authentication, therefore you must assign users the require MFA for login role.
Roles and role assignments are important when configuring multi-factor authentication for login access to Centrify‑managed computers in hierarchical zones.
Before configuring multi-factor authentication, you should be aware that multi-factor authentication for Centrify-managed computers relies on the infrastructure provided by the Centrify Identity platform and the Centrify identity services.
Note: For Linux and UNIX computers, logging on requires a PAM application such as login, ssh, or a desktop manager. Most programs that enable users to log in support multi-factor authentication. However, some desktop manager programs that run on older operating systems might not support multi-factor authentication.
A smart card user logging in by way of a Personal Identification Number (PIN) will not authenticated by multi-factor authentication. (Ref: CS-38641)