Frequently asked questions when setting up Multi-Factor Authentication (MFA) on Citrix properties
Article ID: CTX463482
Updated On:
Description
What is changing?
Users will be able to enroll in MFA for Citrix web properties starting on August 8, 2022.
You can enable and configure MFA by following the simple steps located here https://support.citrix.com/article/CTX461297/how-to-enroll-into-multi-factor-authentication-mfa.
Note: Citrix supports authenticator apps, backup codes, and recovery email methods.
- Which sites are impacted? - Impacted web properties include citrix.com/account; support.citrix.com; demo.citrix.com;
- What two-factor authentication application can I use? - You can download an Authenticator app that supports Time-based One-Time Password (TOTP). Several are available including Citrix SSO, Google Authenticator, and Microsoft Authenticator. These applications are available for Apple and Android mobile devices as well as Windows and Mac desktops.
- What if I use a shared account? - Each user will need to have an individual account with their own login credentials. Citrix does NOT support shared accounts or sharing of login credentials. This control supports account and security management, consistent with industry practice. If you need your new account to be linked to your company, an Account Administrator or user with Unrestricted account access will need to add you as a contact. Instructions can be found here: https://support.citrix.com/article/CTX120355/how-to-add-contacts-on-a-citrix-account-customer.
- What if I am not allowed to have a mobile device in my workplace? - Users who are not able to bring a secondary device (e.g. cell phones, tablets, etc.) into their workplace can leverage a desktop-compatible authenticator app, a programmable TOTP hardware token, backup codes, or recovery email. Users must initially enroll in MFA using an authenticator app but can leverage backup codes or recovery emails as backup options. To choose a desktop-compatible authenticator app or Hardware Token, verify that the authenticator app (1) implements IETF RFC 6238 and (2) that you/your company trusts and/or approves it as required.
What if I forget or no longer have access to my authenticator app?
When you configured MFA for your account, you were prompted to select three (3) recovery methods: backup codes, recovery email, and phone number.
Backup codes and recovery email allow you to self-service if you no longer have access to your authenticator app. You can follow the instructions below:
- Backup Codes: If you have backup codes configured, you can leverage an unused code to log in. The default file name is backup-codes.txt when the backup codes are downloaded.
- Recovery Email: If you have a recovery email configured, you can request a time-bound code be sent to the email to log in.
If you do not have access to your backup codes or recovery email, then you will need to contact Customer Service to restore your access. You can follow the instructions below:
- Phone Number: If you have a phone number configured, you can contact Customer Service here: https://www.citrix.com/support/. Customer Service will use this number to call you and verify your identity.
How will MFA impact me if I use automation to log in to sites (e.g. to automatically download updates from https://www.citrix.com/downloads/)?
You will need to update your automation mechanism to account for MFA. The automation will need to be able to generate Time-based One-Time Password (TOTP) codes.
You will need to know your MFA secret, or secret key. If you do not know your secret, refer to the questions in the FAQ below.
What updates will I need to make to my automation mechanism?
The updates required will depend on the language and type of mechanism used. Below are some examples of libraries that can be used to generate TOTP codes:
- C#
Library: TwoStepsAuthenticator
Link: https://github.com/glacasa/TwoStepsAuthenticator
TOTP code Example:
var secret = user.secretAuthToken;
var authenticator = new TwoStepsAuthenticator.TimeAuthenticator();
var code = authenticator.GetCode(secret);
Code Sample:
Download: CitrixMfaAuthenticationAutomation.zip (see download above)
Nugut Packages:
- DotNetSeleniumExtras.WaitHelpers
- Selenium.WebDriver
- Selenium.WebDriver.ChromeDriver
- TwoStepsAuthenticator
- Python
GitHub Source Code: https://github.com/pyauth/pyotp
PyOTP Site: https://pyauth.github.io/pyotp/
TOTP code Example:
totp = pyotp.TOTP('base32secret3232')
totp.now() # => '492039'
Code Sample:
Download: citrix_authentication_automation.py (see download above)
Python Packages:
- pyotp
- Selenium
- JavaScript
GitHub: https://github.com/yeojz/otplib
NPM: https://www.npmjs.com/package/otplib
TOTP code Example:
import { authenticator } from 'otplib';
const secret = 'mfaSecret';
const token = authenticator.generate(secret);
Code Sample:
Download: citrix_authentication_automation.zip (see download above)
Uses NodeJS. Requires the packages:
- selenium-webdriver
- otplib
Please note that the software/automation mechanisms above are not provided by Citrix and Citrix offers no related warranties.
How do I view the MFA secret key for my account?
You can view the MFA secret (Key field) when setting up a Citrix account as shown below: 
What if I do not know the MFA secret key for my account?
If the secret is not known or cannot be viewed in the existing authenticator, you will need to re-enroll in MFA. You will also need to update any devices applicable to use the new secret.
You can follow the steps below to re-enroll in MFA and generate the secret:
-
Authenticate with Citrix Cloud (https://citrix.cloud.com) or My Citrix (https://citrix.com)
-
Navigate to https://accounts.citrix.com/core/profile
-
Under the Login Security section, click Change Device
-
Click Yes, Change device
-
Enter the MFA TOTP code
-
You will be presented with the below device registration screen. Save the key highlighted in red below, register a new MFA device, and enter the new TOTP code.
-
Click Verify code to complete device registration and link the new MFA secret to the account.
What if I use CSS Selectors for automation?
You can use the following details to update your automation mechanism:
- Username and Password Registration
| # | What | CSS Selector types | CSS Selector |
| 1 | Username | ID | #username |
| 2 | Password | ID | #password |
| 3 | Submit Button | ID | #submit |
- MFA Device Registration
| # | What | CSS Selector Type | CSS Selector |
|---|---|---|---|
| 1 | Initial Button to Enroll in MFA | XPath | button[contains(@class, "btn-default")] |
| 2 | Textbox to enter email | ID | #account-verification-email-input |
| 3 | Button to send Verification Email | ID | #account-verification-resend |
| 4 | Textbox to enter the code | ID | #account-verification-code-input |
| 5 | Textbox to enter the password | ID | #account-verification-password-input |
| 6 | Button to verify the code and password | ID | #account-verification-submit |
| # | CSS Selector | CSS Selector Type | Value |
|---|---|---|---|
| 1 | Field containing the MFA secret | Class | app-verification__qr-container__block__key |
| 2 | Textbox to enter the OTP code | ID | app-verification-code-input |
| 3 | Button to Verify new OTP code | Class | .app-verification__button |
- Recovery Screen
| # | CSS Selector | CSS Selector Type | Value |
|---|---|---|---|
| 1 | Link to show the recovery phone popup | XPath | //a[contains(text(), "recovery phone")] |
| 2 | Recovery phone number textbox | XPath | //input[@placeholder="Enter phone number"] |
| 3 | Verify recovery phone number textbox | XPath | //input[@placeholder="Verify phone number"] |
| 4 | Button to submit the recovery phone | XPath | //button[contains(@class, \"recoveryphone__form__submit\")] |
| 5 | Link to show the backup codes | XPath | //a[contains(text(), "backup codes")] |
| 6 | Div containing backup codes. Each code is stored in a div | XPath | //div[@class="codes__backup-codes__codes"]/div |
| 7 | Consent Checkbox for the backup codes | ID | #checkbox |
| 8 | Complete Creating Backup codes | XPath | //button[@type="submit"] |
| 9 | Link for the Recovery Prompt | XPath | //a[contains(text(), "recovery email")] |
| 10 | Text box for email | XPath | //input[@placeholder="Enter recovery email"] |
| 11 | Button to send the Verification Email | XPath | //form[@class="recoveryemail__form"]//button[text()="Send verification email"] |
| 12 | Text box to enter the verification code | XPath | //form[@class="recoveryemail__form"]//input[@class="recoveryemail__form__input"][@placeholder="Enter 6-digit verification code"] |
| 13 | Button to submit the verification code | XPath | //form[@class="recoveryemail__form"]//button[text()="Verify code"] |
| 14 | Button to complete Enrollment | XPath | //button[@type="button" and contains(@class, "recoverymethods__submit")] |
- MFA TOTP Code
| # | What | CSS Selector Type | CSS Selector | Notes |
|---|---|---|---|---|
| 1 | Text boxes to enter the OTP code | Class | .ctx-input-digits | Will return an array of 6 elements in order |
| 2 | Submit Button | XPath | [class$=login__button] | |
| 3 | Link to alternative MFA options | Class | .primary-code-login__link |
Where can I learn more about this change?
Account recovery methods: https://support.citrix.com/article/CTX461295/setting-up-account-recovery-methods-for-mfa
Having Issues ?
Contact Customer Service via Live Chat and follow the menu's instructions to speak to a Live Agent.
Issue/Introduction
