
Add local multifactor authentication for administrators

Seven simple steps to set up and test multifactor authentication for administrator sign-in to the Cylance console


1. Sign in to the Cylance console.

You can sign in using your existing Cylance console email address and password. After you enter your email address, you will be prompted to enter your password in a pop-up window. You should enable pop-ups for the sign-in page so that you can see the password prompt. 


2. Add authenticators.

To get started, add the Cylance and one-time password authenticators to your tenant if they don't already exist. You will use these to create your first authentication policies.

  1. Click Settings > Authentication.
  2. Click Add Authenticator.
  3. In the drop-down list, select Cylance.
  4. Complete the required fields.
  5. Click Save.
  6. Repeat these steps and select One-Time Password to add that authenticator. For the time-step window, use the default setting.

3. Add an authentication policy for one or more administrators (optional).

It is recommended that you create an authentication policy that requires only a Cylance console password and assign it to one or more designated administrators. You can use this policy as a failsafe while you trial other authentication policies. 

  1. Click Policies > User policy.
  2. Click the Authentication tab.
  3. Click Add policy.
  4. Add a name and description for the policy.
  5. Click Add Authenticator and add the Cylance authenticator that you created in the previous step.
  6. Click Save.
  7. When you are prompted to assign the policy, click Yes.
  8. Click Add User or Group.
  9. Search for and select the administrators.
  10. Click Add.

4. Create an authentication policy for your tenant.

Create a policy that requires the Cylance console password and a one-time password. After you create this policy, it will be applied to all sign-ins except for administrators that have the Cylance password-only policy.

  1. Click Policies > Tenant Policy.
  2. Click Add Policy.
  3. In the drop-down list, select UES Console.
  4. In the Authentication rules section, click Add Authenticators.
  5. In the drop-down list, select the Cylance console authenticator that you created.
  6. Click Save.
  7. Click Add Authenticator.
  8. In the drop-down list, select the one-time password authenticator that you created and click Save.
    Note: Users will be prompted for each authentication type in the order that they are listed in the policy. To change the order, click Set Order, drag and drop the authenticators in the correct order and click Save. When one-time password is added to a policy, at least one other authenticator must precede it (for example, Cylance password must precede one-time password).
  9. Click Save.

5. Test the Cylance console password policy.

If you created a Cylance console password-only policy, sign out of the console and sign in again using an administrator account that is assigned the Cylance console password authentication policy.


6. Test the Cylance and one-time password policy.

Sign in to the console using an administrator account that does not have the Cylance console password policy assigned. 

After the administrator enters their Cylance console password, they will be prompted to enroll with their one-time password app. The app can be any of the supported apps: Authy, Google Authenticator, Microsoft Authenticator, and Okta Verify. Other apps that support RFC 6238 should also work. Administrators can follow the instructions to enroll and enter the one-time password to complete sign-in. Enrollment is required for the first sign-in only.

7. That's it!

You have now set up local multifactor authentication for the Cylance console. The administrator can sign out and sign in again using a one-time password. For subsequent sign-ins, administrators will be prompted to enter their Cylance console password and a one-time password, unless they are assigned the Cylance password-only policy.

For more information about authentication policies, see the Cylance Endpoint Security Setup content.