Add an authenticator

You add authenticators so that you can add them to authentication policies. An authenticator typically defines one authentication method, such as a password (for example, myAccount credentials) or a connection to a third party for authentication like Active Directory, Okta Verify, or Ping Identity. You add them to authentication policies to specify the types of authentication that administrators must complete to sign in to the Cylance console and users must complete to activate Cylance Endpoint Security apps or agents (for example, the BlackBerry Protect app or CylanceGATEWAY). You can combine multiple authenticators in an authentication policy to provide multiple authentication steps. For example, you can combine the Enterprise authenticator with a one-time password prompt in a policy to require users to authenticate with both their work or myAccount credentials and a one-time password.
  1. On the menu bar, click Settings > Authentication.
  2. Click Add Authenticator.
  3. In the Authenticator Type drop-down list, select one of the following authenticators:
    Item
      Description

    Enterprise
      Select this option if you want users to authenticate using their credentials for Active Directory, LDAP, or myAccount. The credentials that a user will use depends on the account type that is the source for their user account in the console.

    Active Directory
      Select this option if you want users to enter their Active Directory password. If you select this option, your Cylance Endpoint Security tenant must have a connection to the Active Directory instance. For more information, see Linking to your company directory.

    LDAP
      Select this option if you want users to enter their LDAP password. If you select this option, your Cylance Endpoint Security tenant must have a connection to the LDAP instance. For more information, see Linking to your company directory.

    BlackBerry Online Account
      Select this option if you want users to enter their BlackBerry Online Account (myAccount) credentials.

    Cylance
      Select this option if you want users to enter their Cylance console credentials.

    Okta Verify
      Select this option if you want users to authenticate using Okta. If you select this option, do the following:
      1. Enter a name for the authenticator.
      2. In the Identity Provider Client section, enter the OIDC discovery document URL, the client ID, and the private key JWKS.

    Ping Identity
      Select this option if you want users to authenticate using Ping Identity. If you select this option, do the following:
      1. Enter a name for the authenticator.
      2. In the Identity Provider Client section, enter the OIDC discovery document URL, the client ID, and the private key JWKS.

    Duo MFA
      Select this option if you want users to authenticate using Duo multi-factor authentication. If you select this option, do the following:
      1. Enter a name for the authenticator.
      2. In the DUO MFA Configuration section, enter the API hostname, Integration key, and Secret key. You can find this information on the Applications tab in your organization's Duo account. For more information, see the Duo documentation.

    Okta Verify MFA
      Select this option if you want users to authenticate using Okta multi-factor authentication. If you select this option, do the following:
      1. Enter a name for the authenticator.
      2. In the Okta MFA Configuration section, enter the Auth API key for Okta. To generate the key, in the Okta administration console, go to Security > API and click Create Token.
      3. In the Auth domain field, enter your organization's domain. Do not include http:// or https:// in the domain field. For example, use login.example.com instead of https://login.example.com.
      For more information about API keys, see the Okta documentation.

    One-Time Password
      Select this option if you want users to authenticate using a one-time password. If users do not have a one-time password app configured, they are prompted to set one up the first time that they authenticate. The supported one-time password apps are Authy, Google Authenticator, Microsoft Authenticator, and Okta Verify.
      If you select this option, do the following:
      1. Enter a name for the authenticator.
      2. In the Time-Step Window section, select a number of intervals in the drop-down list. Any code within the window is valid if it precedes or follows the expected code by the number of refresh intervals that you specify. The refresh interval is 30 seconds, and the default setting is 1.
  4. Click Save.
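
The Time-Step Window setting of the One-Time Password authenticator, shown as an added example (not BlackBerry's code): an RFC 6238 verifier that reports which interval offset a submitted code matched and how long one code stays usable for a given window. HMAC-SHA1 and 6-digit codes are assumptions, since the page states only the 30-second interval; the key is the published RFC test key, used as constructed sample input.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # refresh interval stated on the page
DIGITS = 6         # assumption: usual authenticator-app default

# Constructed sample input: the published RFC 4226/6238 test key, not a real secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    start = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[start:start + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: int) -> str:
    """Code an authenticator app displays at Unix time `now`."""
    return hotp(secret, now // STEP_SECONDS)


def verify(secret: bytes, code: str, now: int, window: int = 1):
    """Return the interval offset (-window..+window) that matched, else None."""
    current = now // STEP_SECONDS
    for offset in sorted(range(-window, window + 1), key=abs):
        counter = current + offset
        if counter < 0:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
            return offset
    return None


def acceptance_seconds(window: int) -> int:
    """Wall-clock span during which a single code is accepted."""
    return (2 * window + 1) * STEP_SECONDS


if __name__ == "__main__":
    stale = totp(SECRET, 59)  # code shown during the interval covering t=59
    for window in (0, 1, 2):
        print(f"window={window}: code from t=59 checked at t=119 ->",
              verify(SECRET, stale, 119, window),
              f"(each code usable for {acceptance_seconds(window)} s)")
```

Each additional interval adds 60 seconds to the period in which an intercepted code is still accepted, so choose the smallest window that tolerates the clock drift of your users' devices.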