Admins can use CSE's built-in Multi-Factor Authentication (MFA) to secure Active Directory users in their org. The three factors used for authentication are (i) the user (i.e., email), (ii) the device serial number, and (iii) a cryptographic factor (i.e., a certificate).
Certificate-based MFA is important for Active Directory users, since AD credentials are a common target for phishing and other cyber attacks. Adding cert-based MFA ensures that, if a bad actor were to obtain a user's credentials, CSE-protected resources would still be inaccessible: all three factors must be validated before a user is authenticated to access resources.
The authentication sequence is as follows: a One-Time Passcode (OTP) is sent to the user's email; the OTP is required for CSE to install the certificate on the user's device. Once installed, the certificate silently authenticates access to protected resources in the background, without any further user action.
Each Cloud Secure Edge org has its own private Certificate Authority (CA); this private CA issues, validates, and manages certificates for each user in your environment. To learn more about how certificates are revoked or invalidated, see our doc on de-registering and banning devices.
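The three-factor check described above, modelled as an added example that is not part of the CSE documentation or product code: it mints a throwaway private CA and a client certificate that binds a user email to a device serial, then denies access unless the chain, the user, the device and the ban list all check out. This page does not state how CSE encodes the user and device inside its certificates, so the placement (email in the SAN, device serial in the subject serialNumber attribute), the names and the Go code are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a throwaway private CA and the client cert it signs for one user on one device.
// Assumed encoding (not CSE's documented format): email in the SAN, device serial in subject serialNumber.
func issue(email, deviceSerial string) (ca, leaf *x509.Certificate, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	devPub, _, _ := ed25519.GenerateKey(rand.Reader) // the device's private key never leaves the device
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject: pkix.Name{CommonName: "Example Org Private CA"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	ca, _ = x509.ParseCertificate(caDER) // DER just produced by CreateCertificate always parses
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), EmailAddresses: []string{email}, NotBefore: time.Now().Add(-time.Hour),
		Subject: pkix.Name{CommonName: email, SerialNumber: deviceSerial}, NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, devPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf, nil
}

// authenticate enforces all three factors plus the ban list; any single failure denies access.
func authenticate(leaf, ca *x509.Certificate, email, deviceSerial string, banned map[string]bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	switch _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); {
	case err != nil: // not chained to the org's private CA, expired, or wrong key usage
		return fmt.Errorf("factor 3 (certificate): %w", err)
	case len(leaf.EmailAddresses) != 1 || leaf.EmailAddresses[0] != email:
		return fmt.Errorf("factor 1 (user email) mismatch")
	case leaf.Subject.SerialNumber != deviceSerial:
		return fmt.Errorf("factor 2 (device serial) mismatch")
	case banned[leaf.Subject.SerialNumber]: // de-registered or banned device
		return fmt.Errorf("device banned: certificate no longer accepted")
	}
	return nil
}
```

A certificate from a different CA, even one with the same subject name, fails the chain check; a certificate for the right user on a banned device fails the last check.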
Complete the following steps to enable MFA for Active Directory users using CSE.