When logging in, a user will be asked to provide additional authentication information. This is known as two-factor authentication. Two-factor authentication is a security process in which the user provides two forms of identification.
The advantage of two-factor authentication is a marked reduction of the risk of online identity theft, phishing, and other online fraud because the victim's password is no longer enough for gaining access to the user's information. Safewhere*Identify offers full flexibility in choosing the two types of authentication mechanisms that a user must use together to be granted access.
Below are examples of an OTP connection login:
OTP with Email
OTP with SMS
OTP with Authenticator - user on-boarding
OTP with Authenticator - user on-boarded
OTP with OS2faktor - user on-boarding
OTP with OS2faktor - user on-boarded
OTP with WebAuthn - user on-boarding
OTP with WebAuthn - user on-boarded
When Email or SMS method is used, the user will receive a one time password immediately upon seeing this page, which he must then enter here in order to finalize authentication. After a code is sent, a count-down message that can tell the user how many seconds left that he or she needs to wait before being able to request for a new code.
You can configure for how long the interval between two OTP deliveries must be by using the new "OTP delivery interval (seconds)" setting found in the OTP connection setup UI
After the count-down is over, the user can click on the link "Click here to request a new OTP code" to have a new code sent out.
When Authenticator method is used:
- At the first time of login, the user needs to scan the bar code in OTP login form using an Authenticator app to on-board before getting the verification code to authenticate.
- If user has on-boarded already, he/she only needs to get the verification code from the Authenticator app to enter to the OTP login form.
When OS2faktor method is used:
-
At the first time of login, the user needs to fill in his/her OS2faktor client Id (Device Id) to on-board before actually doing login. It requires an administrator having allowed registering by enabling appropriate setting in the OTP connection..
- If user has on-boarded already, he/she only needs to approve on the client side (Chrome extension, Android/iOS app or YubiKey) to get authenticated.
When WebAuthn method is used:
-
At the first time of login, the user needs to register his/her client using Windows Hello, Apple’s Touch ID, or FIDO2 keys before actually doing login.
-
If user has on-boarded already, he/she only needs to authenticate with his/her's registered client (Windows Hello, Apple’s Touch ID, or FIDO2 keys).
If there is more than one OTP method configured and usable, user is able to select another method to do 2-factor login.
Authentication Connections contains more information about setting up two-factor authentication. Read more about OTP at One-Time Password Authentication Connection.
Note: For testing purposes, we have a key that allows Safewhere Identify to display the OTP code next to the verification form so user does not need to access email or phone to get the OTP code.
1 |
<add key="IsTestMode" value="true"/> |
Switch between MFA options when onboarding
Same for WebAuthn.