In Multifactor Authentication (MFA), access to the requested data is granted only after the requester satisfies two or more authentication criteria.
MFA applies to MFA-capable CTE for Windows clients.
CTE for Windows adds an extra layer of security before granting access to the protected GuardPoints. If MFA is enabled, users who perform specific tasks on the configured GuardPoints must complete an additional OpenID Connect (OIDC) based authentication.
MFA can be helpful in scenarios such as when the credentials of a client machine are compromised. Because an additional level of authentication is enforced, the compromised credentials alone do not grant access to the protected data.
Before configuring MFA, make sure that:
A valid OIDC connection exists on the CipherTrust Manager. Refer to Connection Manager for details. Use this connection to configure MFA in CTE profiles.
MFA is configured in profiles, which can be associated with the clients and client groups. Refer to Setting MFA Configuration for details.
After you have configured MFA, you can enable it for individual clients and GuardPoints at the client and client group levels.
MFA at Client Level
When MFA is enabled at the client level, the CTE Agent enforces MFA configuration for all GuardPoints configured on the client irrespective of the MFA configuration set for individual GuardPoints.
MFA at GuardPoint Level
GuardPoint-level MFA can be enabled when the GuardPoint is created. You can also enable or disable it later.
GuardPoints on Clients
When MFA is disabled at the client level, you can enable MFA for individual GuardPoints on clients. In this case, the CTE Agent processes the MFA configuration of individual GuardPoints. However, if client-level MFA is enabled, the MFA configuration of the client takes priority.
GuardPoints on Client Groups
MFA cannot be enabled at the client group level. However, you can enable MFA for individual GuardPoints on client groups.
While propagating the MFA-enabled GuardPoints to the member clients, the CTE service on the CipherTrust Manager checks the MFA capability on the member clients. If a client is MFA-capable, the GuardPoints are added to the client. If a client is not MFA-capable, the GuardPoints are skipped.
After GuardPoints are propagated to the member clients, the MFA configuration specified in the profiles associated with the member clients is used to send the security configuration to the CTE Agent.
Therefore, if the profiles of a client group and its member clients are different, the profiles of the member clients are used.
For steps, refer to Enabling and Disabling MFA on GuardPoints.
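The precedence and propagation rules above can be modeled to audit an inventory for GuardPoints that were skipped during propagation or that do not enforce MFA. This is an added example, not Thales code: the class names, field names, and sample inventory are assumptions constructed for illustration and do not correspond to CipherTrust Manager API fields.

```python
from dataclasses import dataclass, field

# Hypothetical model: class and field names are assumptions, not CipherTrust API fields.
@dataclass
class GuardPoint:
    path: str
    mfa_enabled: bool = False            # GuardPoint-level MFA switch

@dataclass
class Client:
    name: str
    mfa_capable: bool
    profile: str                         # profile holding this client's MFA configuration
    client_mfa: bool = False             # client-level MFA switch
    guardpoints: list = field(default_factory=list)

@dataclass
class ClientGroup:
    name: str
    profile: str                         # never used for members' MFA configuration
    members: list = field(default_factory=list)
    guardpoints: list = field(default_factory=list)

def propagate(group):
    """Add group GuardPoints to members; return (client, path) pairs that were skipped."""
    skipped = []
    for client in group.members:
        for gp in group.guardpoints:
            if gp.mfa_enabled and not client.mfa_capable:
                skipped.append((client.name, gp.path))   # GuardPoint not added to this client
            else:
                client.guardpoints.append(GuardPoint(gp.path, gp.mfa_enabled))
    return skipped

def effective_mfa(client):
    """Map each GuardPoint path to (MFA enforced?, profile supplying the MFA configuration)."""
    out = {}
    for gp in client.guardpoints:
        # Client-level MFA takes priority over the per-GuardPoint setting.
        enforced = client.mfa_capable and (client.client_mfa or gp.mfa_enabled)
        out[gp.path] = (enforced, client.profile if enforced else None)
    return out

def sample_group():
    """Constructed inventory: two MFA-capable clients and one that is not."""
    win01 = Client("win01", True, "prof-win01", client_mfa=True,
                   guardpoints=[GuardPoint(r"C:\hr")])
    win02 = Client("win02", True, "prof-win02")
    old03 = Client("old03", False, "prof-old03")
    return ClientGroup("finance", "prof-group", [win01, win02, old03],
                       [GuardPoint(r"D:\ledger", True), GuardPoint(r"D:\public")])
```

The list returned by `propagate` is the part worth reviewing: each entry is an MFA-enabled GuardPoint that a member client did not receive because the client is not MFA-capable.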