Preparing to Use Multi-Factor Authentication

This guide is for UNIX or Windows administrators who want to configure multi-factor authentication for computers managed by Verify Privilege Server Suite.

IBM Security customers who are not using Verify Privilege Server Suite to manage their environment, but want to configure multi-factor authentication to log in to Windows computers, should go to Downloading the Verify Privilege Server Suite Agent for Windows for configuration information.

There are two separate scenarios for which you might want to require multi-factor authentication:

  • Login access to Verify Privilege Server Suite-managed computers.
  • Re-authentication, so that users who attempt to use Application, Network, and Desktop rights on Windows machines, or command rights with elevated privileges or in a restricted shell on UNIX machines, must provide a password and another form of authentication before they can execute the selected command.

With these two scenarios in mind, you can configure multi-factor authentication based on user roles or computer roles, for specific applications, or for individual commands. You can also skip multi-factor authentication for applications that do not support it or for other reasons on a case-by-case basis by enabling and applying group policy or by setting configuration parameters.