Add an authenticator
You add authenticators so that you can add them to authentication policies. An authenticator typically defines one authentication method, such as a password (for example, myAccount credentials) or a connection to a third party for authentication like Active Directory, Okta Verify, or Ping Identity. You add them to authentication policies to specify the types of authentication that administrators must complete to sign in to the Cylance console and users must complete to activate Cylance Endpoint Security apps or agents (for example, the BlackBerry Protect app or CylanceGATEWAY). You can combine multiple authenticators in an authentication policy to provide multiple authentication steps. For example, you can combine the Enterprise authenticator with a one-time password prompt in a policy to require users to authenticate with both their work or myAccount credentials and a one-time password.

- On the menu bar, click Settings > Authentication.
- Click Add Authenticator.
- In the Authenticator Type drop-down list, select one of the following authenticators:
  - Enterprise: Select this option if you want users to authenticate using their credentials for Active Directory, LDAP, or myAccount. The credentials that a user will use depend on the account type that is the source for their user account in the console.
  - Active Directory: Select this option if you want users to enter their Active Directory password. If you select this option, your Cylance Endpoint Security tenant must have a connection to the Active Directory instance. For more information, see Linking to your company directory.
  - LDAP: Select this option if you want users to enter their LDAP password. If you select this option, your Cylance Endpoint Security tenant must have a connection to the LDAP instance. For more information, see Linking to your company directory.
  - BlackBerry Online Account: Select this option if you want users to enter their BlackBerry Online Account (myAccount) credentials.
  - Cylance: Select this option if you want users to enter their Cylance console credentials.
  - Okta Verify: Select this option if you want users to authenticate using Okta. If you select this option, do the following:
    - Enter a name for the authenticator.
    - In the Identity Provider Client section, enter the OIDC discovery document URL, the client ID, and the private key JWKS.
  - Ping Identity: Select this option if you want users to authenticate using Ping Identity. If you select this option, do the following:
    - Enter a name for the authenticator.
    - In the Identity Provider Client section, enter the OIDC discovery document URL, the client ID, and the private key JWKS.
  - Duo MFA: Select this option if you want users to authenticate using Duo multi-factor authentication. If you select this option, do the following:
    - Enter a name for the authenticator.
    - In the DUO MFA Configuration section, enter the API hostname, Integration key, and Secret key. You can find this information on the Applications tab in your organization's Duo account. For more information, see the Duo documentation.
  - Okta Verify MFA: Select this option if you want users to authenticate using Okta multi-factor authentication. If you select this option, do the following:
    - Enter a name for the authenticator.
    - In the Okta MFA Configuration section, enter the Auth API key for Okta. To generate the key, in the Okta administration console, go to Security > API and click Create Token.
    - In the Auth domain field, enter your organization's domain. Do not include http:// or https:// in the domain field. For example, use login.example.com instead of https://login.example.com.

    For more information about API keys, see the Okta documentation.
  - One-Time Password: Select this option if you want users to authenticate using a one-time password. If users do not have a one-time password app configured, they are prompted to set one up the first time that they authenticate. The supported one-time password apps are Authy, Google Authenticator, Microsoft Authenticator, and Okta Verify. If you select this option, do the following:
    - Enter a name for the authenticator.
    - In the Time-Step Window section, select a number of intervals in the drop-down list. Any code within the window is valid if it precedes or follows the expected code by the number of refresh intervals that you specify. The refresh interval is 30 seconds, and the default setting is 1.
- Click Save.
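
How the Time-Step Window setting for the One-Time Password authenticator changes which codes are accepted, sketched as a standard RFC 6238 TOTP check. This is an added example, not BlackBerry's code; the function names, the HMAC-SHA1 and 6-digit parameters, and the `last_used` replay guard are assumptions rather than details from this page.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30  # refresh interval stated on the page


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 code for one time-step counter (HMAC-SHA1, RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, now: float, window: int = 1,
           last_used: int = -1) -> Optional[int]:
    """Return the matched time-step counter, or None if the code is rejected.

    window    -- intervals accepted before and after the expected code
    last_used -- highest counter already accepted for this user
                 (assumed replay guard, not described on the page)
    """
    current = int(now) // STEP_SECONDS
    for counter in range(max(0, current - window), current + window + 1):
        if counter <= last_used:
            continue  # a code from this step or an earlier one was already used
        expected = totp(secret, counter).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            return counter
    return None


def exposure_seconds(window: int) -> int:
    """Total time during which a single code is accepted for a window setting."""
    return (2 * window + 1) * STEP_SECONDS


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed demo secret (RFC 6238 test key)
    now = 1_700_000_000               # constructed timestamp
    step = now // STEP_SECONDS
    for drift in (-2, -1, 0, 1, 2):
        ok = verify(secret, totp(secret, step + drift), now) is not None
        print(f"code from step {drift:+d}: accepted={ok}")
    print("window=1 accepts a code for", exposure_seconds(1), "seconds")
```

With the default window of 1, a code is accepted across three 30-second steps (90 seconds), and each additional interval adds 60 seconds, so keep the window as small as device clock drift allows.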