My Account: Change Password Settings and add Passwordless Authenticators
BeyondTrust recommends changing your password regularly.
Username, Current Password, New Password
Verify that you are logged into the account for which you want to change the password, and then enter your current password. Create and confirm a new password for your account. The password may be set to whatever you choose, as long as the string complies with the defined policy set on the /login > Management > Security page.
This feature is available only if enabled under Management > Security. The default authentication method is also selected here. Either authentication method can be selected when logging in.
FIDO2-certified authenticators can be used to securely log in to the desktop access console (Windows only), privileged web access console, and /login without entering your password. You can register up to 10 authenticators.
Only FIDO2-certified hardware authenticators that perform user verification – biometrics or PIN – are allowed.
There are two types of authenticators:
Roaming authenticators, or cross-platform security keys like YubiKeys, are FIDO2-certified external devices that use biometrics or a PIN for user verification. They can be used instead of your password when logging into the desktop access console (Windows only), privileged web access console, and /login on any machine and supported operating system that allows the use of external FIDO2 authenticators.
Platform authenticators such as Windows Hello or macOS Touch ID are integrated, FIDO2-certified biometric authenticators. These authenticators are tied to the machine where you registered the authenticator. They can be used instead of your password when logging into the desktop access console (Windows only), privileged web access console, and /login. On macOS and Linux, platform authenticators can only be used in the browser they were registered in. Incognito or private browsing windows cannot be used for authentication.
Register and Manage Authenticators
The screen shows all registered authenticators, with their name, type, registration date and time, and last usage date and time. Registered authenticators can be edited or deleted by selecting them and clicking the appropriate icon.
To register a new authenticator, click Register.
Select Roaming or Platform, depending on your requirements.
Enter an Authenticator Name. Choose a name to help you identify this authenticator when viewing all registered authenticators in a list.
Enter your BeyondTrust Privileged Remote Access Account Password. This is the password used to log in with Username & Password authentication, not the authenticator's PIN or passcode. It is used to confirm your identity before allowing a new authenticator to be registered to your account. It is not associated with the authenticator in any way.
The remaining steps for registering your authenticator depend on the type, the manufacturer, the browser, and the OS.
Set up authenticators (for example, YubiKey or Windows Hello) within the OS before registering the authenticator. It is important to follow the manufacturer's directions. For example, YubiKey Bio requires a PIN at setup, even for fingerprint authentication.
Windows Hello can be set up using a PIN and a fingerprint. If this is done, either method can be used, regardless of how it is registered.
Registering an authenticator might fail if the browser and OS combination does not support passwordless authentication. For example, Firefox 110 does not support passwordless authentication for Linux and macOS. A warning message is usually generated in these cases.
Authenticators usually record failed authentication attempts, and may lock. They must be reset following the manufacturer's instructions. A failed authentication at the authentication device does not count as a failed login to the BeyondTrust site, as the incorrect information is not submitted to the site.
Two Factor Authentication
Activate Two Factor Authentication
Activate two-factor authentication (2FA) to increase the level of security for users accessing /login and the BeyondTrust access console. Click Activate Two Factor Authentication and scan the displayed QR code using an authenticator app, such as Google Authenticator. Alternatively, you can manually enter the alphanumeric code displayed below the QR code into your authenticator app.
The app automatically registers the account and begins providing you with codes. Enter your password and the code generated by the authenticator app, and then click Activate. Please note that each code is valid for 60 seconds, after which time a new code is generated. Once you log in, you have the option to switch to a different authenticator app or disable 2FA.
If 2FA was deployed by your administrator, you do not have the option to disable it.