Authentication Profiles

To enable MFA on the platform, you must set up authentication profiles. An authentication profile specifies the authentication challenges required to log in to the platform and the length of time that must elapse before a user is prompted for authentication again.

Authentication profiles work with identity policies (see Identity Policies), which determine whether and when a user is presented with the challenges specified in the associated authentication profile.

Authentication profiles also control step-up MFA flows on the platform, such as enabling MFA on Secrets.

Users can also log on to the platform using MFA on the Delinea Mobile application. For more information, see the following: Delinea Mobile Overview, Delinea Mobile Log in Process, Delinea Mobile Login Flow.

When creating a policy enabling a user to select or modify their authentication challenges (such as phone call, SMS, or FIDO2), do not require the user to complete the same challenge they are trying to set up. For example, when creating a policy enabling a user to select FIDO2 as an authentication challenge, do not use a profile that requires the user to complete the FIDO2 challenge. If you create such a defective policy, the user will be presented with the following error message: "Authentication Challenge Required. Cannot start step-up authentication flow. User does not have the attributes required to log in. Please contact your administrator."

View Authentication Profiles

Click Settings from the left navigation, then click Authentication profiles.

The platform comes with four built-in authentication profiles:

  • Default New Device Login Profile: Uses Password for the first challenge. For the second challenge, gives the user options to use Mobile Authenticator, Text message (SMS) confirmation code, Email confirmation code, or OATH OTP Client. 12-hour pass-through duration.

  • Default Other Login Profile: Uses Password for the first challenge. 12-hour pass-through duration.

  • Default Password Reset Profile: Gives the user options to use Mobile Authenticator, Text message (SMS) confirmation code, Email confirmation code, or OATH OTP Client for the first challenge. 12-hour pass-through duration.

  • Step Up Authentication Default: Gives the user options to use Email confirmation code or Mobile Authenticator. 15-minute pass-through duration.

You can review the details of each authentication profile by clicking directly on the profile name.

Add a New Authentication Profile

  1. Click Add Authentication Profile.

  2. Fill in the fields on the form:

    • Profile name: a unique name for the profile

    • Description: a brief description of the profile

    • Challenge pass-through duration: Choose an option from the dropdown menu to set the time that must elapse before a user is prompted again for MFA authentication. Challenge pass-through duration only applies to step-up MFA requests and does not apply to platform log-ins. The default is 30 minutes.

    • Authentication challenges: Select one or more of the authentication mechanisms available for Challenge 1 and Challenge 2.

  3. Click Save.

  • Some authentication mechanisms, such as FIDO2, require additional configurations before users can authenticate with them.

  • If a user is presented with multiple challenges, the platform waits until the user completes all challenges before giving the authentication response (pass or fail). For example, if the user enters the wrong password for the first challenge, the platform does not send the authentication failure message until after the user responds to the second challenge.

  • If a user fails the first challenge, and the second challenge is SMS, email, or phone call, by default the platform will not send the SMS/email or trigger the phone call.

  • Federated users can be prompted for additional MFA challenges within the platform, both at platform login and for any browser-based step-up MFA, such as step-up MFA for Secrets. To allow this, disable the identity policy setting "Platform login via federation satisfies all MFA mechanisms".

  • Special consideration: Because MFA support for federated users has recently been enhanced, if the platform integration with Secret Server is configured to require multi-factor authentication, access to the Secret Server application is gated by MFA for all users, including federated users. Ensure your federated users have an MFA mechanism in place; otherwise they cannot access the Secret Server application.

Authentication Challenges

You can select the authentication challenges available to users. However, the challenges actually presented to the user depend on the account’s properties. For example, if you select all the mechanisms, but a user account has only a username and email address, the login prompt presents only those two challenges.
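The rules stated so far (only mechanisms the account has attributes for are offered; a profile that requires a mechanism the user is still enrolling produces the "does not have the attributes" error; no pass/fail until every challenge is answered; no SMS, email or call after an earlier challenge failed; pass-through duration) are easier to reason about as code. The following model is an added example, not Delinea's implementation: the Profile and User shapes, the mechanism names as attribute checks, the demo credentials and the profiles built from the defaults listed above are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

OUT_OF_BAND = {"SMS", "Email", "Phone call"}   # mechanisms that send a code or place a call

@dataclass
class Profile:
    name: str
    challenge1: frozenset        # mechanisms the user may choose for challenge 1
    challenge2: frozenset        # empty for a single-challenge profile
    pass_through: timedelta      # how long a completed step-up stays valid

@dataclass
class User:                      # assumed attribute shape, not the platform's schema
    name: str
    has_password: bool = True
    email: Optional[str] = None
    mobile: Optional[str] = None
    mobile_app_enrolled: bool = False
    oath_enrolled: bool = False
    fido2_registered: bool = False

class ChallengeError(Exception):
    pass

def available_mechanisms(user: User) -> frozenset:
    """Mechanisms the account can actually satisfy, derived from its attributes."""
    m = {"Password"} if user.has_password else set()
    if user.email:
        m.add("Email")
    if user.mobile:
        m |= {"SMS", "Phone call"}
    if user.mobile_app_enrolled:
        m.add("Mobile Authenticator")
    if user.oath_enrolled:
        m.add("OATH OTP")
    if user.fido2_registered:
        m.add("FIDO2")
    return frozenset(m)

def presented_challenges(profile: Profile, user: User) -> List[frozenset]:
    """Each challenge offers only the profile mechanisms the account has attributes for.
    An empty intersection is the error quoted above, e.g. a FIDO2-only profile applied
    to a user who is still enrolling FIDO2."""
    avail = available_mechanisms(user)
    presented = []
    for options in (profile.challenge1, profile.challenge2):
        if not options:
            continue
        offered = options & avail
        if not offered:
            raise ChallengeError("Authentication Challenge Required. Cannot start step-up "
                                 "authentication flow. User does not have the attributes "
                                 "required to log in.")
        presented.append(offered)
    return presented

def step_up_required(profile: Profile, last_success: Optional[datetime], now: datetime) -> bool:
    """Pass-through: no new prompt while the last completed step-up is inside the window."""
    return last_success is None or now - last_success >= profile.pass_through

def run_flow(profile: Profile, user: User, answers: List[Tuple[str, str]],
             verify: Callable[[User, str, str], bool]) -> Tuple[bool, List[str]]:
    """answers: (mechanism, response) per challenge, in order. Returns (passed, dispatched),
    where dispatched lists the out-of-band codes/calls actually sent. A result exists only
    once every challenge is answered; after a failed challenge the next answer is still
    collected (so the failure is not signalled early) but no SMS/email/call is sent."""
    presented = presented_challenges(profile, user)
    if len(answers) < len(presented):
        raise ChallengeError("all challenges must be answered before a pass/fail is returned")
    results: List[bool] = []
    dispatched: List[str] = []
    for offered, (mech, response) in zip(presented, answers):
        if mech not in offered:
            raise ChallengeError(f"{mech} is not offered for this challenge")
        earlier_failed = not all(results)
        if mech in OUT_OF_BAND and not earlier_failed:
            dispatched.append(mech)
        results.append(not earlier_failed and verify(user, mech, response))
    return all(results), dispatched

# Constructed demo credentials standing in for the platform's real verifiers.
DEMO_SECRETS = {"Password": "correct-horse", "SMS": "123456", "Email": "654321"}

def demo_verify(user: User, mech: str, response: str) -> bool:
    return response == DEMO_SECRETS.get(mech)

NEW_DEVICE = Profile("Default New Device Login Profile", frozenset({"Password"}),
                     frozenset({"Mobile Authenticator", "SMS", "Email", "OATH OTP"}),
                     timedelta(hours=12))
FIDO2_ONLY = Profile("FIDO2-only profile (hypothetical)", frozenset({"FIDO2"}),
                     frozenset(), timedelta(minutes=15))

if __name__ == "__main__":
    alice = User("alice", email="alice@example.com")   # password and email address only
    print(presented_challenges(NEW_DEVICE, alice))     # Password, then Email
    print(run_flow(NEW_DEVICE, alice, [("Password", "wrong"), ("Email", "654321")], demo_verify))
```

With a wrong password the call returns a failure and an empty dispatched list: the email code was never sent, and the failure was reported only after the second answer, which is the behaviour the notes above describe.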

The following mechanisms are available:

  • Password/SSO: The user is prompted for either their Active Directory password or Platform account password, or they are directed to the appropriate federation identity provider to complete the authentication.

  • Delinea Mobile Authenticator: The user authenticates using a one-time passcode displayed in the Delinea mobile application on their mobile device. If the mobile device is connected through the cellular network or a Wi-Fi connection, the passcode can be sent from the device. If the device is not connected in either way, the user must enter the passcode manually at the login prompt.

  • Phone call: The Delinea Platform calls the user at the stored phone number (mobile or landline) and describes an action the user must complete on the phone to authenticate the login. Phone PIN must be enabled.

  • Text message (SMS) confirmation code: The Delinea Platform sends a text message to the user’s mobile phone with a one-time confirmation code, which the user must enter at the login prompt.

  • Email confirmation code: The Delinea Platform sends an email to the user with a one-time confirmation code, which the user must enter at the login prompt.

  • OATH OTP client: The user can use a third-party authenticator such as Google Authenticator to generate a one-time passcode (OTP). This authentication mechanism requires additional configuration.

  • 3rd Party RADIUS authentication: The platform communicates with the client’s RADIUS server to allow for user authentication to the platform.

  • FIDO2 authenticator: FIDO2 is an authentication standard hosted by the FIDO Alliance. It includes the Web Authentication ("WebAuthn") API specification, written by the World Wide Web Consortium (W3C) and FIDO with participation from third parties; the WebAuthn API is backward compatible with Universal 2nd Factor (U2F) keys. Delinea uses the WebAuthn API to authenticate users to the platform without passwords, using either on-device (platform) authenticators or external (roaming) authenticators. On-device authenticators are built into the device hardware and typically verify a biometric; common examples are Mac Touch ID, Windows Hello, and fingerprint scanners. External authenticators are security keys that you plug into the device's USB port, such as a YubiKey.

  • Security questions: The user is prompted to answer security questions defined by the user or by a platform administrator. When creating an authentication profile, you can specify the number of questions the user must answer. You can also specify the number of user-defined and administrator-defined questions available to the user. A user can create or update any available user-defined question or answer from their platform user profile page.

Assigning a Login Authentication Profile

Once you have an appropriate authentication profile set up and enabled, the next step is to assign the profile to an identity policy. The following represents the bare minimum when setting up a policy:

  1. Click Access from the left navigation, then click Identity Policies.

  2. Click the name of a policy. (To add a new policy, see Identity Policies).

  3. Click the Authentication tab.

  4. In the Services section, click Edit.

  5. For Enable authentication policy controls, select the box next to Enabled.

  6. Next to Default authentication profile, select an appropriate authentication profile from the drop-down menu. See Important warning below about the Deny platform authentication profile.

  7. Optional: You can add Authentication Rules to define conditions for authentication challenge requirements. Each rule maps to a customizable authentication profile. If no rules are configured, the default profile is used.

  8. Click Save.

If you select Deny platform authentication as the Default authentication profile and configure no authentication rules, no user will be able to log in to the platform. To use this profile appropriately, see Create a Conditional Access Policy.
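The resolution order described in steps 6 and 7 (rules first, default profile when no rule matches) and the lockout warning above can be checked before a policy is rolled out. The following is an added example, not Delinea's code: the rule condition shape (source IP ranges), the assumption that rules are evaluated in order with the first match winning, and the sample policies are all illustrative. The linter flags the Deny-with-no-rules lockout and a few related mistakes.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

DENY = "Deny platform authentication"   # the built-in profile name shown in the drop-down

@dataclass
class Rule:
    name: str
    ip_ranges: List[str]      # assumed condition shape: source networks the rule matches
    profile: str              # authentication profile applied when the rule matches

@dataclass
class IdentityPolicy:
    name: str
    controls_enabled: bool                    # "Enable authentication policy controls"
    default_profile: Optional[str]            # "Default authentication profile"
    rules: List[Rule] = field(default_factory=list)

def resolve_profile(policy: IdentityPolicy, source_ip: str) -> Optional[str]:
    """Profile that governs a login from source_ip, or None when the login is denied.
    Assumes rules are evaluated in order and the first match wins; with no matching
    rule the default profile applies."""
    if not policy.controls_enabled:
        raise ValueError("authentication policy controls are not enabled for this policy")
    addr = ip_address(source_ip)
    chosen = policy.default_profile
    for rule in policy.rules:
        if any(addr in ip_network(net) for net in rule.ip_ranges):
            chosen = rule.profile
            break
    return None if chosen in (None, DENY) else chosen

def lint_policy(policy: IdentityPolicy) -> List[str]:
    """Pre-deployment checks, including the lockout case from the warning above."""
    findings: List[str] = []
    if not policy.controls_enabled:
        findings.append("authentication policy controls are disabled; profiles are not enforced")
    if policy.default_profile is None:
        findings.append("no default authentication profile selected")
    elif policy.default_profile == DENY and not policy.rules:
        findings.append("default is Deny platform authentication and no rules exist: "
                        "every login to the platform is denied")
    elif policy.default_profile == DENY and all(r.profile == DENY for r in policy.rules):
        findings.append("default and every rule deny authentication: no login path exists")
    for rule in policy.rules:
        for net in rule.ip_ranges:
            try:
                ip_network(net)
            except ValueError:
                findings.append(f"rule {rule.name!r}: {net!r} is not a valid network")
    return findings

# Constructed sample policies, not from a real tenant.
CONDITIONAL = IdentityPolicy(
    "Conditional access demo", True, DENY,
    [Rule("corporate network", ["10.0.0.0/8", "192.168.1.0/24"], "Default Other Login Profile")])
LOCKOUT = IdentityPolicy("Deny with no rules", True, DENY)

if __name__ == "__main__":
    print(resolve_profile(CONDITIONAL, "10.20.30.40"))   # Default Other Login Profile
    print(resolve_profile(CONDITIONAL, "203.0.113.9"))   # None: denied
    print(lint_policy(LOCKOUT))                          # the lockout finding
```

Running lint_policy against a policy before assigning it to the small test group recommended below catches the all-users lockout without anyone having to lose access first.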

Notes:

  • For optimal policy implementation, we recommend initially assigning the policy to only a small test user group before assigning it for real-world use. This approach allows you to recover gracefully from issues that might arise, with minimal impact.

  • Once you enable authentication policy controls, you can configure the rest of the policy options on the same page. For detailed information, see Identity Policies.

Global Security Settings

  1. Click Settings from the left navigation, then select Global Security.

  2. Click the Configuration tab. The page displays the global authentication options you can configure.

  3. Click Edit. The page changes, enabling you to modify the settings used by MFA, such as phone numbers and email addresses. These settings include the following:

  • Authentication Parameters:

    1. Enable forgot username self-service at login
      Allows a user to retrieve a forgotten username. The user is prompted to enter an email address, and if the email address matches a platform account, the platform sends the username to that email address.

    2. Send email notification to users when password is changed
      Sends an automated email after a user resets their platform password using the forgot password process.

  • Passcode Length: You can set the confirmation passcode length to 6 or 8 digits. The default is 8 digits.

  • Additional Attributes for MFA: You can add more attributes for MFA, such as other mobile phone, other home phone, other office phone, and other email addresses.

Security Questions

You can define questions that users can choose and answer to authenticate to the platform.

  1. Click Settings from the left navigation, then select Security Questions.

To add a security question:

  1. Click Create Question.

  2. Type a question in the text field.

  3. Click Add.

Security Devices

Click Settings from the left navigation, then select Security devices.

  • The Mobile devices sub-tab displays instances of registered mobile applications with the associated users. The Delinea Mobile app can be used as an MFA mechanism for logging in to the Delinea Platform. See Login Flow for the Delinea Platform Portal (MFA).

  • The OATH Tokens sub-tab displays registered OATH tokens for third-party authenticators, such as Google Authenticator and Microsoft Authenticator.

  • The FIDO2 Tokens sub-tab displays registered FIDO2 tokens for third-party authenticators, such as U2F-compatible security keys, that use Universal Serial Bus (USB) or near-field communication (NFC) devices.