MFA for Secrets

Multi-factor authentication (MFA) for secrets gives Delinea Platform administrators the option to add one or more security requirements to access specified secrets. This functionality is available exclusively through the Delinea Platform and supports many types of MFA, such as email, the Delinea Mobile App, YubiKey, and other devices using the FIDO2 protocol.

Availability

MFA for Secrets is available “out of the box.” No initial global configuration is required to enable the feature. Secrets have the feature disabled by default, but you can easily enable it on an individual secret or on multiple secrets simultaneously. For example, if you apply a secret policy to a folder that enables MFA on secrets, all secrets added to that folder inherit the policy setting enabling MFA.


Default MFA Profile

When MFA is enabled on a secret, the Step-up Authentication Default profile applies to the secret. This profile uses email as the default authentication mechanism, and because the user's email address is already in the user database, the user does not need to configure anything. Although the email mechanism is the easiest for the user, some situations call for a login mechanism stronger than email.

For information on viewing, managing and assigning authentication profiles, and on selecting challenges for the profiles, see Authentication Profiles.

If you wish to modify a secret that requires MFA, you will be prompted with an MFA challenge before you can make any changes.

Assigning MFA to Secrets

You can assign MFA to secrets in several ways:

  • Assign MFA to an individual secret
  • Assign MFA to a secret policy
  • Assign MFA to a secret through a bulk operation

Assign MFA to an Individual Secret

  1. Click Secret Server from the left navigation.

  2. On the All Secrets page, click the name of a secret in the table. The page for that secret appears.

    A secret enabled this way inherits the default authentication profile selected at the global level.

  3. Select the Security tab.

  4. In the Multi-factor Authentication section, click Edit.

  5. Select the box next to Require Multi-factor Authentication.

  6. Click Save.

Assign MFA to a Secret Policy

  1. Click Settings from the left navigation, then click Administration.
  2. Under Core Actions, click Secret Policies.
  3. Click a policy.
  4. Select the Security tab.
  5. Click Edit.
  6. Next to Require Multi-factor Authentication, select Yes from the dropdown list.
  7. Click Save.

Assign MFA to Secrets Through a Bulk Operation

  1. Click Secret Server from the left navigation.
  2. On the All Secrets page, select the checkboxes for two or more secrets.
  3. In the small banner that appears, click Bulk Actions.
  4. In the Bulk Actions dialog, under Security, click Change Security Options.
  5. Next to Multi-factor Authentication, select Enable Multi-factor Authentication from the dropdown list.
  6. Click Save.

Applying an MFA Profile to All Enabled Secrets

  1. Click Settings from the left navigation, then click Administration under Secret Server.

  2. On the Secrets Administration page, click Security MFA authentication under Security.


  3. Click Edit.

  4. Select an MFA profile from the dropdown list.

  5. Click Save.

Considerations for Assigning MFA to Secrets

Note the following when configuring or assigning MFA to secrets:

  • Secrets with MFA enabled are accessible in a disaster recovery replica by an administrator with unlimited permissions. The MFA requirement remains intact.
  • When exporting secrets, if any secret in the selected list has MFA enabled, you are prompted for MFA.
  • The profile you selected for secret MFA does not affect the profile for authenticating to the Delinea Platform.
  • Secret Server Cloud cannot access MFA-protected secrets unless the session was itself authenticated through the platform. If it was not, the user is prompted with a link that redirects to the secret in the platform.
  • MFA-enabled secrets are not available in the Secret Server mobile application.