MFA at System Login

Ensure Only Authorized Humans Access Critical Infrastructure

Privileged access to systems is often the primary attack interface, which must be protected from cyber adversaries who wish to steal information or do harm in an environment. Enforcing strong authentication through multi-factor authentication (MFA) bolsters identity assurance and ensures that only authorized humans are accessing critical systems. Centrify’s MFA at login for Linux, UNIX and Windows systems is host-enforced and cannot be circumvented.

Zero Trust Demands Identity Assurance

Reinforce Zero Trust principles requiring strong verification of a user’s identity before authentication to critical infrastructure.
Halt in-progress attacks with step-up authentication support for a broad range of authenticators and form factors.
Enforce MFA on each computer at login to prevent humans or malware from circumventing (or bypassing) security policies.

Centralized MFA Service for All Privileged Access

Whether applying MFA at system login, vault login or during privilege elevation, the Centrify Platform powers a consistent and easily maintainable MFA Service for ALL privileged access. Centrify MFA Service delivers out-of-the-box support for NIST Level 2 and 3 Assurance Levels.


Local MFA Capabilities for Linux and UNIX

The Centrify Agent is configured with a centralized policy to step-up authentication at login with a call out to a Centrify or 3rd party pluggable authentication module that challenges the user for MFA. Local enforcement simplifies the environment where systems directly communicate with the OTP.


Windows MFA Natively Integrated into the Login Process

Secure access to Windows systems with host-enforced MFA that verifies the authenticity of the user accessing the server. Host-enforced MFA cannot be bypassed by malicious attackers and streamlines the login process for authorized privileged users with seamless integration into the Windows login process.


Centrify Mobile App for Push Notification and Workflow

Centrify Mobile App for iOS and Android delivers a simple interface for MFA notifications. The Mobile App also provides an interface to manage OATH tokens where the Centrify Vault Suite manages the seed or secret. This interface validates the OTP codes for privileged applications or services that require OATH-compliant MFA such as the AWS® Console.

Smart Cards

Centrify Authentication Service supports Smart Cards for authentication at the highest assurance level after users are validated and verified against the corporate directory. Centrify’s support for CAC, CAC NG, PIV and PIV-I Smart Card-based Linux login, combined with stringent security policy enforcement across Linux and Windows, simplifies compliance with federal guidelines for high-security environments.


Security administrators can use existing RSA Ace/Server-based authentication and authentication policies with Centrify MFA Authentication Service. In addition to using Centrify Zones, roles, and rights to authenticate via Active Directory, the RSA Ace/Server policies are centrally defined and enforced on login to the Centrify protected server, as well as on privilege elevation on that server.

Authenticators Supported by Centrify

Mobile push notifications to the Centrify Mobile App for iOS and Android with simple swipe after unlock to verify authentication.
One or more security questions can be used, as the simplest form of authentication using something the user knows.
Phone Call with PIN Verification can be used with any phone number in the Centrify Platform’s directory service — mobile, office, or home numbers.
Text Message (SMS) Confirmation Code can be used with any phone number in the Centrify Platform’s directory service — mobile, office, or home numbers.
Email Confirmation Code can be used with the email address in the Centrify Platform’s directory service.
OATH OTP Tokens, such as those managed by Google Authenticator or Centrify Mobile App, can be used to validate the user is who they say they are.
Third-Party RADIUS Authentication via RADIUS integration takes advantage of your existing MFA system such as RSA® SecurID, Duo Security® or Symantec® VIP.
FIDO U2F Security Keys represent a super simple solution to deploy that also provides the highest identity assurance when combined with the user’s password.
FIDO2 supports the latest FIDO Alliance specifications for passwordless authentication and on-device authenticators such as Microsoft Hello, Apple’s FaceID and TouchID biometrics.
