Two-factor Authentication and OTP (One Time Password)

When logging in, a user will be asked to provide additional authentication information. This is known as two-factor authentication. Two-factor authentication is a security process in which the user provides two forms of identification.

The advantage of two-factor authentication is a marked reduction of the risk of online identity theft, phishing, and other online fraud because the victim's password is no longer enough for gaining access to the user’s information. Safewhere Identify offers full flexibility in choosing the two types of authentication mechanisms that a user must use together to be granted access.

In addition to being able to combine any two existing authentication connections and use them together - e.g. Username & Password followed by NemID—we have introduced an additional authentication type, called OTP Plugin.

OTP Plugin can solely be used as a second factor authentication method. The OTP Plugin will generate and send the authenticating user a one time password by email, SMS or accept verification code generated by a time-based one time password provider (ex: Google Authenticator, Microsoft Authenticator) that the user then has to insert into the authentication page in order to get authenticated. The OTP authentication connection can be used together with any of the existing authentication connections that Safewhere Identify offers, but can only be used as the second factor authentication method.

Below are examples of an OTP connection login:

OTP with Email

OTPEmail

OTP with SMS

OTPSMS

OTP with Authenticator - user on-boarding

OTPGA

OTP with Authenticator - user on-boarded

OTPAuthenticator

OTP with OS2faktor - user on-boarding

OTPOS2faktor

OTP with OS2faktor - user on-boarded

OTPOS2faktor2

OTP with WebAuthn - user on-boarding

Registration clicked

Registration clicked

OTP with WebAuthn - user on-boarded

Authenticate with Windows Hello PIN

Authenticate with FIDO2 key

When Email or SMS method is used, the user will receive a one time password immediately upon seeing this page, which he must then enter here in order to finalize authentication. After a code is sent, a count-down message that can tell the user how many seconds left that he or she needs to wait before being able to request for a new code.

Count-down

You can configure for how long the interval between two OTP deliveries must be by using the new "OTP delivery interval (seconds)" setting found in the OTP connection setup UI

otp-delivery-interval-setting

After the count-down is over, the user can click the link "Click here to request a new OTP code" to have a new code sent out.

Count-down2

When Authenticator method is used:

  • At the first time of login, the user needs to scan the bar code in OTP login form using an Authenticator app to on-board before getting the verification code to authenticate.
  • If user has on-boarded already, he/she only needs to get the verification code from the Authenticator app to enter to the OTP login form.

When OS2faktor method is used:

  • At the first time of login, the user needs to fill in his/her OS2faktor client Id (Device Id) to on-board before actually doing login. It requires an administrator having allowed registering by enabling appropriate setting in the OTP connection.
  • If user has on-boarded already, he/she only needs to approve on the client side (Chrome extension, Android/iOS app or YubiKey) to get authenticated.

When WebAuthn method is used:

  • At the first time of login, the user needs to register his/her client using Windows Hello, Apple’s Touch ID, or FIDO2 keys before actually doing login.
  • If user has on-boarded already, he/she only needs to authenticate with his/her's registered client (Windows Hello, Apple’s Touch ID, or FIDO2 keys).

If there is more than one OTP method configured and usable, user is able to select another method to do 2-factor login.

switch-mfa

Authentication Connections contains more information about setting up two-factor authentication. Read more about OTP at One-Time Password Authentication Connection.

Note: for testing purposes, we have a key that allows Safewhere Identify to display the OTP code next to the verification form so user does not need to access email or phone to get the OTP code.

<add key="IsTestMode" value="true"/>

Switch between MFA options when onboarding

From 5.8 version, Safewhere Identify supports switching between MFA options when onboarding, which means you can choose to onboard Authenticator, OS2faktor or WebAuthn if the 2nd factor connection configured more than one option on "Second factor method(s)" as below.

configure send otp out using

For example, when we onboard via the Authenticator method, the "Need another way to secure your account?" will show up to offer you to onboard using another method.

onboarding authenticator

If you switch to onboarding via OS2faktor, the OS2faktor onboarding page will also show the "Need another way to secure your account?" option.

onboarding os2faktor

Same for WebAuthn.

onboarding webauthn