SOLUTION BRIEF
CYBERARK IDENTITY ADAPTIVE MULTI-FACTOR AUTHENTICATION
CONTEXT-AWARE AUTHENTICATION ACROSS ALL YOUR IDENTITIES AND RESOURCES
HIGHLIGHTS
Adaptive MFA Everywhere
Bolster security for all users and
protect your enterprise resources,
including cloud and on-premises
apps, workstations, VPNs, network
devices, servers and more.
Authentication Factors
Provide users a choice of
authentication methods to make
MFA painless and easy to use.
CyberArk Adaptive MFA supports
passwordless factors, hardware
tokens, authenticator apps, SMS-
based codes, and more.
Risk-Aware Authentication
Use contextual information and
risk-based access policies to
determine which authentication
factors to apply to a particular user
in a particular situation.
www.cyberark.com
Passwords alone are not enough to verify a user’s identity and
protect businesses from data loss, fraud and malicious attacks. Login
credentials are more valuable than ever, as companies adopt more cloud
applications, services and infrastructure. Multi-Factor Authentication
(MFA) makes it harder for attackers to get in. CyberArk Identity Adaptive
MFA provides additional layers of security, helping protect against
the leading cause of data breaches — compromised credentials — with
minimal impact to users.
Relying on simple usernames and passwords for authentication is not enough to
protect critical applications and endpoints that contain sensitive business data. In
fact, passwords are now considered security’s weakest link — especially in today’s
cloud-first, mobile-first world.
MFA strengthens security by requiring users to provide extra information or factors
unique to what the user knows, is or has. Many organizations start by implementing
MFA to protect a few key services or resources. For example, they may implement
MFA for a specific set of applications or for a particular group of users like employees
that have VPN access. But applying MFA for only certain resources or users may leave
your organization exposed.
Attackers are relentless. They hunt, phish, spear phish, scam and social engineer
end-users to infiltrate your organization. Once inside, they look for opportunities
to elevate privilege and access restricted resources. By implementing adaptive
MFA across every enterprise user (internal or external) and resource (applications,
endpoints, and infrastructure) you can prevent attackers from exploiting
compromised credentials and thwart lateral movement.
CyberArk Adaptive MFA helps enterprises bolster security and reduce risk posed by
compromised credentials. The solution supports a variety of authentication factors
and protects a variety of enterprise identities and resources.
Page 1 of 2
 CYBERARK SOLUTION BRIEF

Adaptive Authentication
Stronger security is good, but not if it gets in your users’ way. Traditional MFA is either enabled or disabled, and enforced
continuously, without context. End-users are constantly prompted for secondary authentication, impairing satisfaction
and productivity. CyberArk Identity Adaptive MFA improves end-user satisfaction and productivity by using contextual
information (location, time-of-day, IP address, device type, etc.) and administratively defined policies to determine which
authentication factors to apply to a particular user in a specific situation.

Flexible Authentication Methods

You require a choice of authentication methods to make MFA as painless and easy as possible to use. The CyberArk Adaptive
MFA service supports the broadest range of authentication factors. You can choose from push notification to a mobile
device; a soft OTP token generated by the CyberArk Identity mobile app, SMS/text message or email; QR code, WebAuthN
and FIDO 2.0-based passwordless factors, and OATH-based software or hardware tokens. With CyberArk Adaptive MFA, you
get the protection you need without sacrificing the convenience your users demand.

MFA USE CASES

Secure Application Access

Employees demand anytime, anywhere access to applications in the cloud, on mobile devices, and on-premises. As the
number of applications grows, so does the number of passwords. These passwords are often weak, re-used across apps,
and shared among employees. Password sprawl increases risk and makes strong authentication critical to protecting
against data breaches and unauthorized access. CyberArk Adaptive MFA helps mitigate security risks associated with
passwords. It simplifies and secures access to applications with context-aware access controls that seamlessly integrate
with CyberArk Identity Single Sign-On service.

Secure VPN Access

Today’s mobile and remote workers need secure, convenient access to all their enterprise applications and services.
Traditionally, companies used VPNs to establish an encrypted connection (tunnel) between a remote endpoint and an internal
network. But any external user that is permitted to access resources behind the firewall poses a significant security risk.
Many high-profile data breaches started with attackers using compromising VPN credentials to gain access to internal
systems. CyberArk reduces this risk by allowing you to enforce MFA on any VPN client that supports RADIUS, including Cisco,
Juniper Networks, and Palo Alto Networks VPN solutions. Enforcing MFA for VPN access allows you to give employees and
partners secure remote access to your corporate network, on-premises applications and resources. CyberArk also provides
secure, per-app, encrypted connections via an on-premises application gateway to further reduce remote access risk. When
combined with MFA, users get simple, secure access to specific on-premises apps without full network access privileges.

Secure Endpoints
CyberArk also ensures access is limited to authorized users with Multi-Factor Authentication for Endpoints. With CyberArk
Adaptive MFA, you can require users to pass secondary authentication at the endpoint login screen. This allows you to reduce
the risk of attacks that leverage compromised credentials to access corporate applications and data from Mac and Windows
devices. CyberArk Adaptive MFA for endpoints supports all authentication factors and allows you to require secondary
authentication when specific contextual conditions are met.

©CyberArk Software Ltd. All rights reserved. No portion of this publication may be reproduced in any form or by any means without the express written consent
of CyberArk Software. CyberArk ®, the CyberArk logo and other trade or service names appearing above are registered trademarks (or trademarks) of CyberArk
Software in the U.S. and other jurisdictions. Any other trade and service names are the property of their respective owners. U.S., 03.21. Doc. 201309
CyberArk believes the information in this document is accurate as of its publication date. The information is provided without any express, statutory, or implied
warranties and is subject to change without notice.

www.cyberark.com Page 2 of 2