Skip Navigation
  1. BlackBerry Docs
  2. Cylance Endpoint Security
  3. Setup
  4. Cylance Endpoint Security Setup Guide
  5. Adding users and devices
  6. Add an authenticator

Add an authenticator

You add authenticators so that you can add them to authentication policies. An authenticator defines an authentication method. They typically define one authentication method, such as a password (for example,
my
Account
 credentials) or a connection to a third-party for authentication like
Active Directory
,
Okta Verify
, or
Ping Identity
.  You add them to authentication policies to specify the types of authentication that administrators must complete to sign in to the
Cylance
 console and users must complete to activate
Cylance Endpoint Security
 apps or agents (for example, the
BlackBerry Protect
 app or
CylanceGATEWAY
). You can combine multiple authenticators in an authentication policy to provide multiple authentication steps. For example, you can combine the Enterprise authenticator with a one-time password prompt in a policy to require users to authenticate with both their work or
my
Account
 credentials and a one-time password.
  1. On the menu bar, click
    Settings > Authentication
    .
  2. Click
    Add Authenticator
    .
  3. In the
    Authenticator Type
     drop-down list, select one of the following authenticators:
    Item
    Description
    Enterprise
    Select this option if you want users to authenticate using their credentials for
    Active Directory
    , LDAP, or 
    my
    Account
    . The credentials that a user will use depends on the account type that is the source for their user account in the console.
    Active Directory
    Select this option if you want users to enter their
    Active Directory
     password. If you select this option, your
    Cylance Endpoint Security
     tenant must have a connection to the
    Active Directory
     instance. For more information, see Linking to your company directory.
    LDAP
    Select this option if you want users to enter their LDAP password. If you select this option, your
    Cylance Endpoint Security
     tenant must have a connection to the LDAP instance. For more information, see Linking to your company directory.
    BlackBerry Online Account
    Select this option if you want users to enter their
    BlackBerry Online Account
     (
    my
    Account
    ) credentials.
    Cylance
    Select this option if you want users to enter their
    Cylance
     console credentials.
    Okta Verify
    Select this option if you want users to authenticate using
    Okta
    . If you select this option, do the following:
    1. Enter a name for the authenticator.
    2. In the
      Identity Provider Client
       section, enter the OIDC discovery document URL, the client ID, and the private key JWKS.
    Ping Identity
    Select this option if you want users to authenticate using
    Ping Identity
    . If you select this option, do the following:
    1. Enter a name for the authenticator.
    2. In the
      Identity Provider Client
       section, enter the OIDC discovery document URL, the client ID, and the private key JWKS.
    Duo
     MFA
    Select this option if you want users to authenticate using
    Duo
     multi-factor authentication. If you select this option, do the following:
    1. Enter a name for the authenticator.
    2. In the
      DUO MFA Configuration
       section, enter the API hostname, Integration key, and Secret key. You can find this information on the Applications tab in your organization's
      Duo
       account. For more information, see the Duo documentation
    Okta Verify
     MFA
    Select this option if you want users to authenticate using
    Okta
     multi-factor authentication. If you select this option, do the following:
    1. Enter a name for the authenticator.
    2. In the
      Okta MFA Configuration
       section, enter the Auth API key for
      Okta
      . To generate the key, in the
      Okta
       administration console, go to
      Security > API
       and click
      Create Token
      .
    3. In the
      Auth domain
       field, enter your organization's domain. Do not include http:// or https:// in the domain field. For example, use
      login.example.com
       instead of
      https://login.example.com
    For more information about API keys, see the Okta documentation.
    One-Time Password
    Select this option if you want users to authenticate using a one-time password. If users do not have a one-time password app configured, they are prompted to set one up the first time that they authenticate. The supported one-time password apps are
    Authy
    ,
    Google Authenticator
    ,
    Microsoft Authenticator
    , and
    Okta Verify
    .
    If you select this option, do the following:
    1. Enter a name for the authenticator.
    2. In the Time-Step Window section, select a number of intervals in the drop-down list. Any code within the window is valid if it precedes or follows the expected code by the number of refresh intervals that you specify. The refresh interval is 30 seconds, and the default setting is 1.
  4. Click
    Save
    .