Security
What is the Security page?
The Security page allows users to manage personal security settings, such as enabling two-factor authentication (2FA) and viewing active sessions.
How is the Security page useful to my organization?
The Security page enhances account security by enabling users to implement 2FA and monitor active sessions, supporting organizational efforts to safeguard sensitive information.
How do I access the Security page?
- Use a Chromium-based browser to sign in to your Privileged Remote Access URL.
 This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
- From the left menu, click My Account.
 The Profile page opens and displays by default.
- At the top of the page, click Security.
 The Security page displays.
What are passwordless authenticators?
Passwordless authenticators are apps, usually on a mobile device, where you can enable passwordless authentication.
What is passwordless authentication?
Passwordless authentication is a security mechanism that allows you to access systems, applications, or services without entering a traditional password. Instead, it relies on alternative methods of verifying a user's identity, such as biometric authentication (for example, fingerprint scanning or facial recognition), one-time passcodes (codes sent via SMS, email, or authenticator apps), magic links (via email or text), push notifications (sent to a registered device, where a user approves the login request), hardware security keys (such as a YubiKey or smart card), and device-based settings (such as Windows Hello).
Important information about passwordless authenticators
- Set up authenticators (for example, YubiKey or Windows Hello) within the OS before registering the authenticator. It is important to follow the manufacturer's directions. For example, YubiKey Bio requires a PIN at setup, even for fingerprint authentication.
- Your browser or OS can time out the authentication if there are delays in responding to prompts.
- Windows Hello can be set up using a PIN and a fingerprint. If this is done, either method can be used, regardless of how it is registered.
- Authenticator registration may fail if the browser and OS combination does not support passwordless authentication (for example, Firefox 110 does not support passwordless authentication for Linux and macOS).
- Authenticators usually record failed authentication attempts, and may lock. They must be reset following the manufacturer's instructions.
- A failed authentication at the authentication device does not count as a failed login to the BeyondTrust site, as the incorrect information is not submitted to the site.
What is two-factor authentication?
Two-Factor Authentication (2FA) is a security method that requires you to provide two different forms of identification to verify your identity. This process adds an extra layer of security to protect accounts and systems by combining two factors from:
- something you know (such as passwords, PINs, or security questions),
- something you have (such as a one-time passcode, a hardware security key, or a smart card), and/or
- something you are (a biometric identifier such as fingerprints, facial recognition, or retina scans).
Change or reset your password
- In the Your Password section, enter your username.
- Enter your current password.
- Enter a new password.
Note
The new password cannot match any of the previous 24 passwords, or any password set within the last 24 hours.
- Confirm the new password.
- Click Change Password.
 Your password updates immediately.
Register a passwordless authenticator
You can use FIDO2-certified authenticators to securely sign in to Privileged Remote Access, the Desktop Access Console, and the Privileged Web Access Console without entering your password.
Note
This feature is only available when enabled on the Management > Security page.
- In the Passwordless Authenticators section, click Register.
 The Register FIDO2 Authenticator dialog box displays.
- Select an authenticator type:
- Roaming: Roaming authenticators, or cross-platform security keys like YubiKeys, are FIDO2-certified external devices that use biometrics or a PIN for user verification. Use them instead of a password when signing into Privileged Remote Access (Windows only), the Privileged Web Access Console, and any machine and supported operating system that allows the use of external FIDO2 authenticators.
- Platform: Integrated, FIDO2-certified biometric authenticators, such as Touch ID, that can be used to sign in to Privileged Remote Access and the Privileged Web Access Console without a password, but only on this machine, in this browser.
Note for macOS and Linux systems
For Desktop User consoles on macOS or Linux systems:
- Roaming authenticators (such as a YubiKey or smart card) are supported.
- Platform authenticators (such as Face ID or Touch ID) are not supported.
- Enter a unique, human-readable authenticator name.
- Enter your Privileged Remote Access account password.
- Click Continue.
- Follow your on-screen prompts to complete the authenticator setup.
Tip
You can register up to 10 authenticators.
Change a passwordless authenticator name
- In the Passwordless Authenticators section, locate the authenticator you want to edit.
- Click the Edit icon.
 The Rename FIDO2 Authenticator dialog box displays.
- Enter a new name.
- Click Change.
 The name changes and updates in the list.
Delete a passwordless authenticator
Warning
Deleting a passwordless authenticator is an unrecoverable operation.
- In the Passwordless Authenticators section, locate the authenticator you want to delete.
- Click the Delete icon.
 A confirmation message displays.
- Click Yes.
 The authenticator deletes from your Privileged Remote Access account and can no longer be used to sign in.
Activate two-factor authentication
You can use two-factor authentication as a second factor when authenticating into Privileged Remote Access, or when required by a Jump Policy prior to accessing a configured Jump Item.
- In the Two Factor Authentication section, click Activate Two Factor Authentication.
- On your mobile device, ensure you've downloaded and authenticated into a time-based one-time password (TOTP) authenticator app (such as Microsoft Authenticator or Google Authenticator).
- In Privileged Remote Access, scan the QR code, or, in your authenticator app, manually enter the generated code below the QR code.
- In your authenticator app, locate the generated code for your Privileged Remote Access site.
- In Privileged Remote Access, enter your Privileged Remote Access password and the code in the app.
- Click Activate.
 The two-factor authentication activates, and you are required to use it the next time you sign into Privileged Remote Access.
Change a two-factor authenticator name
- In the Two Factor Authentication section, locate the authenticator you want to edit.
- Click the Edit icon.
 The Rename Two Factor Authenticator dialog box displays.
- Enter a new name.
- Click Change.
 The name changes and updates in the list.
Delete a two-factor authenticator
Warning
Deleting a two-factor authenticator is an unrecoverable operation.
- In the Two Factor Authenticators section, locate the authenticator you want to delete.
- Click the Delete icon.
 A confirmation message displays.
- Click Yes.
 The authenticator deletes from your Privileged Remote Access account and can no longer be used to sign in.
Disable two-factor authentication
Note
If two-factor authentication was deployed by your administrator, you do not have the option to disable it.
- In the Two Factor Authenticators section, click Disable Two Factor Authentication.
 A confirmation message displays.
- Click Yes.
 Two-factor authentication is disabled on your Privileged Remote Access account, and can no longer be used to sign in.
