Use Cases for MFA on CTE
When using Multifactor Authentication (MFA) with CipherTrust Transparent Encryption (CTE), after successfully completing the MFA provider configuration, you can enable it on a:
- Client
- GuardPoint
- GuardPoint, while exempting certain users/applications/processes from authentication
Enable Multifactor Authentication on a client
When Multifactor Authentication is enabled at the client level, CTE enforces the configuration for all GuardPoints configured on the client. It overrides any MFA configuration set for individual GuardPoints.
To enable Multifactor Authentication on a client:
- In CipherTrust Manager, open the Transparent Encryption application.
- Select the client for which you want to enable Multifactor Authentication.
- Click on a client under the Client Name column (Clients > Clients).
- Select the option: Multifactor Authentication.
- Click Apply.
Enable Multifactor Authentication on a GuardPoint
When Multifactor Authentication is disabled at the client level, you can enable Multifactor Authentication for individual GuardPoints on clients. CTE processes the MFA configuration for individual GuardPoints.
To enable Multifactor Authentication on a GuardPoint:
- Open the Transparent Encryption application.
- Select Clients to open the Clients window.
- Click on a client under the Client Name column (Clients > Clients).
- On the GuardPoints tab, click the expand icon corresponding to the desired GuardPoint.
- Select Multifactor Authentication.
- Click Apply.
To disable Multifactor Authentication on a GuardPoint, deselect the Multifactor Authentication option.
Enable Multifactor Authentication on a GuardPoint and exempt some users from authentication
You can include a list of users who are exempted from MFA enforcement in the Client Profile. Such users may be an administrator, an application, or a Windows System NT user that requires access to the files. These users are contained in a User Set.
Creating a User Set
See Creating User Sets for information on creating a User Set in a Policy Element.
Adding the User Set to the Client Profile
To add an MFA Exempt list to the client profile:
- Create your Client Profile if it is not already created.
- Click on your client profile to open it.
- Click Multifactor Authentication.
- In the Select OIDC connection field, select the OIDC connection that you created. See OIDC connection for MFA provider-specific information.
- In the Select the MFA exempted User Set field, select the User Set that contains the people/applications that are exempted from authentication.
- Click Update.
Client Groups
Multifactor authentication cannot be enabled at the client group level. However, you can enable Multifactor Authentication for individual GuardPoints on client groups.
While propagating the Multifactor Authentication-enabled GuardPoints to the member clients, CipherTrust Transparent Encryption checks the Multifactor Authentication capability of the member clients. If a client is Multifactor Authentication-capable, the GuardPoints are added to the client. If a client is not Multifactor Authentication-capable, the GuardPoints are skipped.
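The precedence rules described on this page (the client-level setting overriding GuardPoint settings, the exempted User Set, and MFA-enabled GuardPoints being skipped on non-capable group members) can be modeled to audit an inventory for gaps. The Python below is an added example, not Thales code or a CipherTrust Manager API; the Client class, its field names, and the sample inventory are hypothetical, and it assumes the exempted User Set applies wherever MFA is enforced on that client.

```python
from dataclasses import dataclass, field


@dataclass
class Client:                                  # hypothetical model, not a CTE object
    name: str
    mfa_capable: bool = True
    client_mfa: bool = False                   # client-level Multifactor Authentication option
    exempt_users: frozenset = frozenset()      # MFA exempted User Set from the client profile
    guardpoints: dict = field(default_factory=dict)  # path -> GuardPoint-level MFA flag


def propagate(group_guardpoints, members):
    """Push client-group GuardPoints to members; return the (client, path) pairs skipped."""
    skipped = []
    for client in members:
        for path, gp_mfa in group_guardpoints.items():
            if gp_mfa and not client.mfa_capable:
                skipped.append((client.name, path))  # MFA GuardPoint never lands on this client
                continue
            client.guardpoints[path] = gp_mfa
    return skipped


def mfa_required(client, path, user):
    """True if this user must pass MFA to access the GuardPoint on this client."""
    if path not in client.guardpoints:
        raise KeyError(f"{path} is not a GuardPoint on {client.name}")
    # An enabled client-level setting overrides whatever the GuardPoint says.
    enforced = client.client_mfa or client.guardpoints[path]
    return enforced and user not in client.exempt_users


def audit(clients):
    """Return GuardPoints with no MFA enforcement, and the exempt users per client."""
    unprotected = [(c.name, p) for c in clients
                   for p, gp in sorted(c.guardpoints.items())
                   if not (c.client_mfa or gp)]
    exemptions = {c.name: sorted(c.exempt_users) for c in clients if c.exempt_users}
    return unprotected, exemptions


def sample():
    """Constructed sample inventory (not exported from a real CipherTrust Manager)."""
    db = Client("db01", client_mfa=True, guardpoints={"/data/pay": False})
    web = Client("web01", exempt_users=frozenset({"svc_backup"}),
                 guardpoints={"/srv/logs": False})
    old = Client("legacy01", mfa_capable=False)
    skipped = propagate({"/srv/app": True}, [web, old])
    return [db, web, old], skipped
```

The skipped list is the part worth reviewing first: a GuardPoint skipped on a non-capable member is absent from that client, so the group policy alone does not show the gap.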