Centrify MFA Guide

The MSSP Guide to Centrify MFA


Centrify offers MFA at System Login, which ensures that “only authorized humans are accessing your critical infrastructure.” This is an MFA login that provides access to the Centrify privileged access management (PAM) tool called Centrify Zero Trust Privilege. If you’re looking for a general multi-factor authentication tool, then you might prefer Idaptive MFA. Idaptive is a spin-off of Centrify. And while Idaptive was recently acquired by CyberArk, Idaptive is a true MFA solution — originally developed by Centrify. Here’s a guide.

 

What is Centrify Multi Factor Authentication (MFA)?

“Centrify multi-factor authentication (MFA) adds a layer of security that allows organizations to protect against today’s leading cause of data breaches — privileged access abuse. Privileged users simply provide extra information or factors when they access critical enterprise resources.” As an analogy, Centrify describes MFA as the combination of Something You Know, like a password; Something You Have, like a smartphone; and Something You’ve Done, like visiting a location.

Plus, by adding risk-based policies, Centrify MFA further reduces malicious threats and security breaches. What is a risk-based policy? Well, if you typically log in to your account from San Francisco, and an attempt occurs from Paris, that should indicate a level of risk — and you may have to provide extra “proof” of account access rights.

If you’re looking for a PAM solution, then Centrify Zero Trust Privilege does offer MFA login. However, if you’re looking for a standalone MFA solution, you want Idaptive MFA.

 

What is Centrify MFA at Vault?

Centrify Zero Trust Privilege is a privileged access management (PAM) tool, while Centrify MFA at Vault manages access for administrative accounts. Per Centrify:

“Privileged user access increasingly requires multi-factor authentication (MFA) to comply with regulations as well as to ensure that only authorized human users access privileged accounts and systems versus malware or bots trying to impersonate your IT staff. Centrify provides full multi-factor authentication capabilities from the simplest of authenticators to the more advanced authenticators to ensure compliance at NIST Assurance Level 2 or 3 for access to the Centrify Privileged Access Service and all protected accounts and systems.”

 

What is Idaptive MFA?

A spin-off from Centrify in 2017, Idaptive specializes in adaptive multi-factor authentication for email security, database monitoring, and remote app security. Idaptive strives for a simple interface that integrates SSO, MFA, EMM, and UBA. A leader in cloud-based Multi-factor Authentication and Single Sign On, Idaptive is a flexible solution that’s easy to implement for small to large companies. We tend to recommend it to product-based companies with a growing salesforce.

 

What is Centrify MFA pricing?

Centrify Zero Trust Privilege is a PAM solution and starts at $22/user per month. There is no free version, although there is a free trial period. But if you’re looking for a class-leading MFA solution, Idaptive specializes in adaptive multi-factor authentication for email security, database monitoring, and remote app security. Idaptive strives for a simple interface that integrates SSO, MFA, EMM, and UBA. A leader in cloud-based Multi-factor Authentication and Single Sign On, Idaptive is a flexible solution that’s easy to implement for small to large companies. We tend to recommend it to product-based companies with a growing salesforce. Idaptive pricing starts at $2/month per user, and their adaptive MFA is $4/month per user.

In a recent Idaptive Adaptive MFA implementation for a Bay Area startup, their final monthly cost was about $8000 per year. An enterprise might expect to spend $50,000 per year or more. It’s worth mentioning that Idaptive’s pricing really is based on per-user charges. There are no additional account costs or fees.

 

What is a typical Centrify MFA configuration?

Centrify MFA is designed to protect the infrastructure side of your assets, such as servers, endpoint devices, firewalls, VPNs, switches, and remote endpoints. Typically, these MFA challenges are delivered via SMS and a mobile authenticator, but all other MFA options are supported as well. Single Sign On can be enabled by extending LDAP users to log in to these servers. MFA ensures that the identity is verified and that the right users are authenticated. Adaptive MFA is also possible, with the right combination of solutions, to challenge more factors if a suspicious login is detected.

 

Does Centrify MFA work with a VPN?

Centrify PAM does not require a VPN. However, Idaptive MFA does allow VPN integration, per Idaptive:

“You can use Idaptive Identity Service with your RADIUS client to provide a second authentication layer. For example, if a VPN concentrator uses RADIUS for authentication, you can configure email as a secondary authentication requirement.”

And, per Idaptive:

“Juniper SSL VPN offers SP-initiated SAML SSO (for SSO access directly through the Juniper SSL VPN web application)…”

And lastly, per Idaptive:

“The Idaptive App Gateway enables you to set up secure, per-app access to your on-premises applications without a VPN. With App Gateway, you can access individual legacy applications based on application URLs, users, groups, and network information without exposing your entire network, installing hardware, or changing firewall rules.”

 

Who are Idaptive MFA competitors?

The primary Idaptive MFA competitor we recommend is Okta. While Okta and Idaptive are similar product offerings, we have preferences based on your company’s goals and needs.

Choose Okta if your company is:

  • Mostly interested in online login (i.e., publishers, gaming)
  • Single Sign On and/or Multi Factor Authentication
  • Scaling quickly to 200+ employees
  • 100% cloud-based
  • Interested in biometric/fingerprint authentication

 

Choose Idaptive if your company is:

  • Product based with a growing salesforce
  • 50-100+ employees
  • On-prem and cloud data centers
  • Interested in a “zero-trust” security policy

 

Do I need a Centrify or Idaptive consultant near me?

Maybe. The most important factor is experience and effective workflow, whether in-person, on-site, virtual, or off-site. That said, we think working with a Centrify or Idaptive consultant near you is an advantage. This will allow your consultant to better communicate with existing IT teams, and better understand your current information architecture. A non-local consultant becomes a good option if they follow security best practices and have an established virtual workflow. Why? Location is less significant when virtual workforce tools are effectively adopted by consultant and client, whether a small business or global enterprise. Plus, on-site specialists can become costly. Bottom line: look for a Centrify or Idaptive consultant who offers an excellent communication process, a clear workflow, and a custom security solution for your business.

 

Have questions about finding a Centrify or Idaptive consultant?
Email [email protected] or call (925) 918-6618 

 


 

About Sennovate

Sennovate delivers custom identity and access management solutions to businesses around the world. With global partners and a library of 1000+ integrations, we implement world-class cybersecurity solutions that save your company time and money. We offer a seamless experience with integration across all cloud applications, and a single price for product, implementation, and support. Have questions? The consultation is always free. Email [email protected] or call us at: (925) 918-6618