Two-factor Authentication and OTP (One Time Password)


With two-factor authentication enabled, a user who logs in is asked to provide additional authentication information beyond the first credential. Two-factor authentication is a security process in which the user provides two forms of identification.

The advantage of two-factor authentication is a marked reduction of the risk of online identity theft, phishing, and other online fraud because the victim's password is no longer enough for gaining access to the user’s information. Safewhere*Identify offers full flexibility in choosing the two types of authentication mechanisms that a user must use together to be granted access.

In addition to being able to combine any two existing authentication connections and use them together—e.g., Username & Password followed by NemID—we have introduced an additional authentication type, called OTP Plugin.

The OTP Plugin can only be used as the second factor. It generates and sends the authenticating user a one-time password by email or SMS, or accepts a verification code generated by a time-based one-time password (TOTP) app such as Google Authenticator or Microsoft Authenticator; the user then enters the code on the authentication page to complete authentication. The OTP authentication connection can be combined with any of the existing authentication connections that Safewhere*Identify offers, but always as the second factor.

Below are examples of an OTP connection login:

[Screenshot: OTP with Email]

[Screenshot: OTP with SMS]

[Screenshot: OTP with Authenticator - user on-boarding]

[Screenshot: OTP with Authenticator - user on-boarded]

[Screenshot: OTP with OS2faktor - user on-boarding]

[Screenshot: OTP with OS2faktor - user on-boarded]
When the Email or SMS method is used, the user receives a one-time password immediately upon seeing this page and must enter it here to finalize authentication. After a code is sent, a count-down message tells the user how many seconds he or she has to wait before a new code can be requested.

[Screenshot: count-down message]

You can configure how long the interval between two OTP deliveries must be with the “OTP delivery interval (seconds)” setting in the OTP connection setup UI.

[Screenshot: OTP delivery interval setting]

After the count-down is over, the user can click on the link “Click here to request a new OTP code” to have a new code sent out. 

[Screenshot: request a new OTP code]

When the Authenticator method is used:

  • On the first login, the user scans the bar code shown in the OTP login form with an Authenticator app to on-board, and then obtains the verification code from the app to authenticate.
  • If the user has already on-boarded, he or she only needs to read the verification code from the Authenticator app and enter it in the OTP login form.
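The delivery-interval count-down and the "request a new OTP code" link above describe a server-side rule: a fresh code is only issued once the interval has elapsed, and until then the user is told how many seconds remain. The following Python is an added example of that rule for the Email/SMS method, not Safewhere Identify's implementation; the class name, the hashed single-use code storage, the 5-minute code lifetime and the wrong-guess limit are assumptions chosen for the illustration, and the `send` callable stands in for a real e-mail or SMS gateway.

```python
import hashlib
import hmac
import math
import secrets
import time
from dataclasses import dataclass


@dataclass
class _IssuedCode:
    code_hash: bytes   # only a hash is stored; the clear code exists in the e-mail/SMS alone
    issued_at: float
    attempts: int = 0


class DeliveredOtpService:
    """Issues codes delivered out of band (e-mail/SMS), enforcing a minimum
    interval between two deliveries, a code lifetime and an attempt limit.
    Hypothetical design for this example, not Safewhere Identify's code."""

    def __init__(self, send, delivery_interval=60, ttl=300, max_attempts=5,
                 digits=6, clock=time.time):
        self._send = send                           # callable(user, code): e-mail or SMS gateway
        self.delivery_interval = delivery_interval  # the "OTP delivery interval (seconds)" rule
        self.ttl = ttl                              # seconds a code stays valid (assumed value)
        self.max_attempts = max_attempts            # wrong guesses before the code is discarded (assumed)
        self.digits = digits
        self._clock = clock                         # injectable so tests can control time
        self._last_sent = {}                        # user -> time of the last delivery
        self._issued = {}                           # user -> _IssuedCode

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode("utf-8")).digest()

    def seconds_until_resend(self, user: str) -> int:
        """Value shown by the count-down; 0 means a new code may be requested now."""
        last = self._last_sent.get(user)
        if last is None:
            return 0
        remaining = self.delivery_interval - (self._clock() - last)
        return max(0, math.ceil(remaining))

    def request_code(self, user: str) -> int:
        """Generate and deliver a fresh code. Returns 0 when a code was sent,
        otherwise the number of seconds the user still has to wait."""
        wait = self.seconds_until_resend(user)
        if wait > 0:
            return wait
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        now = self._clock()
        self._issued[user] = _IssuedCode(self._hash(code), now)
        self._last_sent[user] = now
        self._send(user, code)
        return 0

    def verify(self, user: str, submitted: str) -> bool:
        """Accept the current code once; expired, exhausted or unknown codes are rejected."""
        issued = self._issued.get(user)
        if issued is None:
            return False
        if (self._clock() - issued.issued_at > self.ttl
                or issued.attempts >= self.max_attempts):
            self._issued.pop(user, None)
            return False
        issued.attempts += 1
        if hmac.compare_digest(self._hash(submitted), issued.code_hash):
            self._issued.pop(user, None)   # single use
            return True
        return False


if __name__ == "__main__":
    # Stand-alone demo: a sender that prints instead of e-mailing (constructed for the example).
    svc = DeliveredOtpService(send=lambda user, code: print(f"to {user}: your code is {code}"))
    print("first request, wait:", svc.request_code("alice@example.com"))
    print("second request, wait:", svc.request_code("alice@example.com"))
```

The resend interval is keyed on the last delivery time rather than on the stored code, so neither a successful login nor a lockout lets a caller trigger another message before the interval has elapsed.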

When the OS2faktor method is used:

  • On the first login, the user fills in his or her OS2faktor client Id (Device Id) to on-board before logging in. This requires the administrator to allow registration by enabling the corresponding setting in the OTP connection.
  • If the user has already on-boarded, he or she only needs to approve the login on the client side (Chrome extension, Android/iOS app or YubiKey) to get authenticated.

If more than one OTP method is configured and usable, the user can select another method for the 2-factor login.

[Screenshot: OTP method selection]

Authentication Connections contains more information about setting up two-factor authentication. Read more about OTP at One-Time Password Authentication Connection.

Note: to support testing, a configuration key makes Safewhere Identify display the OTP code next to the verification form, so the user does not need access to email or a phone to obtain the code. The key exists for test environments only:

<add key="IsTestMode" value="true"/>