Configuring Centrify to use the Google Authenticator to satisfy MFA challenges is a good way to give users another authentication factor. Setup is easy for end users once a Centrify Identity Platform administrator has configured all of the policies.
To get started, log in to your Admin Portal and click on the Policies tab. Click the Add Policy Set button and give the policy a Name, like OATH Policy. Apply the policy to all users and devices or a specific role of users. On the left-hand side, select Policy Settings > User Security Policies > OATH OTP. Click the drop-down and select Yes to Allow OATH OTP integration. Also, select Yes to Show QR code for self-service and click Save.
Next, go to an application policy or any other policy that is set to require MFA. I will demonstrate using my environment's Salesforce SAML application. From the Policy tab, scroll down to the Default Profile (used if no conditions matched) and click the drop-down. Choose Add New Profile from the drop-down.
Set the Profile Name to “OATH MFA Challenge”. For Challenge 1, check the box for OATH OTP Client.
Press OK and then Save.
Now log in to the User Portal with an end user's account that will be required to authenticate using MFA. Click on the Account tab and click the Show QR Code button under OATH OTP Client.
On your mobile device, install the Google Authenticator application:
Blackberry - https://m.google.com/authenticator
In the Google Authenticator application, click the Begin Setup button and select the Scan barcode option.
Scan the QR code that is displayed in the User Portal.
Type the 6-digit code that is displayed on the Google Authenticator into the field under the QR code.
Now click the Verify button.
While logged in as the user that is a member of the role assigned to the application or other object that requires MFA, do the action that requires MFA.
In this demonstration, I will launch the Salesforce application from the User Portal, since this application is set to require MFA in my environment.
Type the current Verification Code displayed on the Authenticator mobile application into the Enter Verification Code field.
After you click the Next button, the action requiring MFA will continue. In this demonstration, my end user is logged into Salesforce.
This process can also be used with any OATH token. Also, tokens can be uploaded in bulk via template in Admin Portal Settings > Authentication > OATH Tokens.
An OATH token can also be deleted from this page if the device it is on has been lost or compromised.