MFA at Privilege Elevation

Validate Users' Identity Before They Elevate Privilege

Multi-factor authentication (MFA) at login can be cumbersome and unnecessary, particularly if everyday access and activity cannot do harm and do not expose sensitive information. However, the elevation of privilege should always require identity assurance through MFA validation that an authorized human is making the request. Centrify Privilege Elevation Service provides host-based MFA at privilege elevation, which cannot be circumvented, across Linux, UNIX and Windows systems.


Zero Trust Demands Identity Assurance

Reinforce Zero Trust principles by requiring strong verification of a user’s identity before running privileged applications or commands.
Contain damage during a breach that leverages stolen credentials by requiring proof of identity before elevating privilege.
Simplify IT staff access when privileges are not necessary for day-to-day activity, such as checking logs for investigative work.

MFA Service for All Privileged Access

Whether requiring MFA at system or vault login, before privilege elevation, or on a password checkout, Centrify Platform delivers a consistent and easily maintainable MFA service for ALL privileged access. Centrify Platform’s MFA service supports the broadest range of authenticators for NIST Assurance Levels 2 and 3. We've got you covered.


MFA for Linux and UNIX Privilege Elevation

A zero standing privilege approach requires validation of who is making the request to elevate their privilege. Linux admins logging in to check a system do not introduce risk and should not require MFA. However, execution of privileged commands that could harm a business should first require MFA to validate the admin’s identity.


MFA for Windows Privilege Elevation

A zero standing privilege approach requires always verifying who is requesting privileged access. Windows admins who need to run applications with privilege prove their identity with MFA by re-authenticating with their Active Directory password or validating their identity with a Smart Card.

Authenticators Supported by Centrify

Mobile push notifications to the Centrify Mobile App for iOS and Android, with a simple swipe after unlock to verify authentication.
One or more security questions can be used, as the simplest form of authentication using something the user knows.
Phone Call with PIN Verification can be used with any phone number in the Centrify Platform’s directory service — mobile, office, or home numbers.
Text Message (SMS) Confirmation Code can be used with any phone number in the Centrify Platform’s directory service — mobile, office, or home numbers.
Email Confirmation Code can be used with the email address in the Centrify Platform’s directory service.
OATH OTP Tokens, such as those managed by Google Authenticator or the Centrify Mobile App, can be used to validate that the user is who they say they are.
Third-Party RADIUS Authentication via RADIUS integration takes advantage of your existing MFA system such as RSA® SecurID, Duo Security® or Symantec® VIP.
FIDO U2F Security Keys represent a super simple solution to deploy that also provides the highest identity assurance when combined with the user’s password.
FIDO2 supports the latest FIDO Alliance specifications for passwordless authentication and on-device authenticators such as Microsoft Hello and Apple’s FaceID and TouchID biometrics.
