Notifying Users After the First Failed MFA Challenge

By default, Privileged Access Service lets users step through all the relevant MFA challenges before we notify them of their failed authentication attempt. For example, if your authentication policy is configured to use password and email confirmation code, then even if users enter the wrong password during login, we still send the email confirmation code. After the last relevant MFA challenge, we notify users of their failed authentication without identifying the failed challenge. However, you can configure Privileged Access Service to notify users of their failed authentication after the first failed challenge.

To notify users of a failed authentication after the first failed challenge:

  1. Log in to Admin Portal.

  2. Click Access > Policies and select the policy you want to edit or click Add Policy Set to create a new one.

  3. Click Login Policies > Centrify Portal.

  4. Deselect the “Continue with additional challenges after failed challenge” policy check box.

    Users will receive a failed authentication attempt message after the first failed challenge. Privileged Access Service will not send additional authentication challenges.

  5. Click Save.

Optional Configuration for the Default MFA Behavior

You can configure Privileged Access Service to handle the default MFA behavior (allow users to step through all the relevant MFA challenges before we notify them of their failed authentication attempt) differently based on the challenge type. If you deselect the “Do not send challenge request when previous challenge response failed” check box but leave the “Continue with additional challenges after failed challenge” check box selected, there are two possible scenarios after users have failed an authentication challenge.

Scenario 1: The next authentication challenge requires Privileged Access Service to send information back to the users, such as email, SMS, or phone call. In this scenario, users will not receive the necessary information and the authentication session fails. Users must wait until the authentication session times out and try again.

Scenario 2: The next authentication challenge does not require Privileged Access Service to send information back to users, such as a security question. In this scenario, users can proceed with the challenge (for example, answer the security question). After all relevant challenges have been satisfied, we notify users of their failed authentication without identifying the failed challenge.
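
The challenge flow described in the two sections above, modelled as an added Python example (this is not Centrify code or a product API). The field names, outcome strings, and the set of challenge types treated as out-of-band are assumptions made for illustration.

```python
from dataclasses import dataclass

# Challenge types where the service must send something to the user first.
OUT_OF_BAND = {"email", "sms", "phone"}


@dataclass
class Policy:
    # Hypothetical field names that model the page's settings.
    # Models "Continue with additional challenges after failed challenge".
    continue_after_failed: bool = True
    # False models the behavior described in Scenarios 1 and 2.
    send_after_failed: bool = True


def run_login(policy, challenges, responses):
    """Walk the challenges in order and return (outcome, events).

    challenges: ordered challenge type names, e.g. ["password", "email"]
    responses:  dict of type -> True when the user's answer is correct
    """
    events, failed = [], False
    for kind in challenges:
        if kind in OUT_OF_BAND:
            if failed and not policy.send_after_failed:
                # Scenario 1: nothing is sent, the session can only time out.
                events.append(f"{kind}: not sent")
                return "session_timeout", events
            events.append(f"{kind}: sent")
        events.append(f"{kind}: answered")
        if not responses.get(kind, False):
            failed = True
            if not policy.continue_after_failed:
                # Procedure step 4: stop and notify after the first failure.
                return "failed_after_first_challenge", events
    # The final result never names which challenge failed.
    return ("authentication_failed" if failed else "success"), events
```
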