If your tenant was created before March 2024, you can update the authentication policy for your tenant to require administrators to enter a one-time password (in addition to entering their Cylance console password) before they can access the Cylance console. Administrators can use any of the supported apps to register and generate their one-time password: Authy, Google Authenticator, Microsoft Authenticator, and Okta Verify. Other apps that support RFC-6238 should also work. The default authentication policy described here is applied when no app exception or authentication policy is assigned to the administrator.
Tenants that are created in March 2024 or later require administrators, by default, to enter a one-time password after they enter their Cylance password to access the console by default. For more information, see Remove One-Time Password authentication for administrators in new tenants.
1. Sign in to the Cylance console.
You can sign in using your existing Cylance console email address and password.
2. Add the One-Time Password authenticator to your default policy.
To get started, add the one-time password authenticator to your tenant if it doesn’t already exist. For instructions, see Add an authenticator.
- On the menu bar, click Settings > Authentication.
- Click the Default Authentication tab.
- Click the Administration Console policy.
- Click Add Authenticator and add the One-Time Password authenticator that you created.
- Click Add.
- Click Save.
Note: Users will be prompted for each authentication type in the order that they are listed in the policy. When one-time password is added to a policy, at least one other authenticator must precede it. In this example, the Cylance password must precede one-time password).
3. Optionally, add an authentication policy for one or more administrators.
It is recommended that you create an authentication policy that requires only a Cylance console password and assign it to one or more designated administrators. You can use this policy as a failsafe while you trial the Console and One-Time Password authentication policy.
Make sure that you have an existing Cylance Administrator Password authenticator for administrators to use their Cylance console credentials only. If it doesn’t already exist, add one. For instructions, see Add an authenticator.
- Click Policies > User policy.
- Click the Authentication tab.
- Click Add policy.
- Add a name and description for the policy.
- Click Add Authenticator and add the Cylance Password authenticator.
- Click Save.
- When you are prompted to assign the policy, click Yes.
- Click Add User or Group.
- Search for and select the administrators.
- Click Add.
4. Test the Cylance and one-time password policy.
Sign into the console using an administrator account that has the Cylance console password and One-Time Password policy assigned.
After the administrator enters their Cylance console password, they will be prompted to enroll with their one-time password app. By default, the one-time password authenticator does not allow administrators to skip the OTP app setup and authentication. To set the number of time administrators can skip the OTP app setup and authentication without entering a code, see Add an authenticator. Administrators can follow the instructions to enroll and enter the one-time password to complete sign in. If you do not allow administrators to skip the one-time password app setup and authenticate without entering a code, a one-time password is required each time to complete sign-in.
That's it!
You have now set up local multifactor authentication for the Cylance console. The administrator can sign out and sign in again using a one-time password. For subsequent sign ins, administrators will be prompted to enter their Cylance console password and a one-time password, unless they are assigned the Cylance password only policy.
For more information about authentication policies, see the Cylance Endpoint Security Setup content.