Explore MFA Widget Capabilities

Angular Java Sample Application showcasing the CyberArk Identity capabilities.

The current context is that, the end user authenticated with customer's primary authentication and using CyberArk Identity as MFA(Multi Factor Authentication).

Introduction

As as an admin, one can specify what kind of authentication mechanisms the users must provide to access CyberArk Identity, as well as when a multi-factor authentication is required. Post authentication, the Home page of the sample app displays flow based cards. This guide describes about the MFA Widget card i.e. MFA(2FA) flow.

Types Of Mechanisms

Below are the types of mechanisms available to integrate in sample App.

🚧

Some authentication mechanisms require additional configurations before users can authenticate. Make sure that the users complete the configuration requirements for any authentication you plan to invoke. Refer to Secure access with adaptive MFA for more detail.

Authentication mechanismDescription
OATH OTPThis text string is configurable and reflects what you entered during the OATH OTP configuration. When you select this option, users can use a third party authenticator (like Google Authenticator) to scan a CyberArk Identity generated QR code and get a one-time-passcode (OTP). This authentication mechanism requires additional configurations. See Enable OATH OTP
Email confirmation codeWhen you select this option, CyberArk Identity sends a confirmation code and a link to the user’s email address. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt.

You can configure the confirmation code length (6 or 8 digits) in Admin Portal > Settings > Authentication > Security Settings > Email and SMS passcode length drop down option. The default is 8 digits.

The link and confirmation code are valid for 20 minutes. If a user does not respond within this time period, the CyberArk Identity cancels the login attempt.
QR CodeSelect this option to present users with a Quick Response (QR) Code that they can scan with the CyberArk Identity mobile app on an enrolled mobile device.
Text message (SMS) confirmation codeWhen you select this option, CyberArk Identity sends a text message to the user’s mobile phone with a one-time confirmation code and/or an authentication link. Depending on the language setting, some languages display only the confirmation code while others display the confirmation code and link. Users who are connected to the Internet can click/tap the link. Otherwise, they need to enter the confirmation code in the login prompt.

This option is disabled for new tenants by default. Contact your account representative to enable this authentication mechanism.

You can configure the confirmation code length (6 or 8 digits) in Admin Portal > Settings > Authentication > Security Settings > Email and SMS passcode length drop down option. The default is 8 digits.
Phone callWhen you select this option, CyberArk Identity calls the user using the stored phone number (mobile or land line) and describes an action the user must perform to complete the authentication. The user completes the action from the device to log in. If your tenant is configured on CyberArk Identity 17.10 or newer, see Enable phone PIN because additional configuration is required.

This option is disabled for new tenants by default. Contact your account representative to enable this authentication mechanism.
Security Question(s)When you select this option, users are prompted to answer user-defined and/or admin-defined security questions. When creating the authentication profile, you can specify the number of questions users must answer. You can also specify the number of user-defined and admin-defined questions available to users. See Enable multiple security questions. Users create, select, or change the question and answer from their Account page in the user portal.
Mobile AuthenticatorWhen you select this option, users authenticate using a one-time passcode displayed by the CyberArk Identity mobile app installed on their mobile devices.

If devices are connected via the cell network or a wi-fi connection, users can send the passcodes from the devices. If the devices are not connected, users must manually enter the passcodes into the Admin Portal or CyberArk Identity user portal login prompt.

The availability of this mechanism to users can be controlled using the Show Mobile Authenticator by default policy. This policy is in Core Services > Policies > select existing policy or create a new one > Endpoint Policies > Common Mobile Settings > Security Settings. Mobile device configuration policies overview for more information on the policy.

This option requires users to have CyberArk Identity mobile app installed on their devices and those devices must be enrolled in CyberArk Identity.

📘

Select the Authentication Mechanisms needed on the CyberArk's Admin Portal. For complete details refer
Authentication Mechanisms

Lets Start..

On the Home page of the sample app, Select MFA card as highlighted below and click on start.

14191419

After clicking the start button below screen would appear where you can see the API endpoints, Sign up and Login buttons.

995995

In case of a new user registration, click on Sign up button and submit the filled form.

Once the user is successfully registered, you can click on login and provide the credentials.

14201420

📘

Note:

To embed the MFA widget, refer here.

On success response, we use OAuth Authorization with PKCE flow to get access token. Use the access token in authorization header for subsequent requests in sample application.

Upon login is successful, you will be prompted with the second level (factor) of authentication depends on the configured policies as show in below image.

14731473 14251425

Once this level of the authentication is also successful, you can completely login the app navigates the user to a page where user functionalities are available. These are added to demonstrate how custom activities or use cases can make use of CyberArk Identity product to make these tasks more secure. Click here for more detail.

14191419

In this MFA flow we have the below use cases which a user can explore: