Configuring Access Manager To Use Simple OTP Authentication
If you are planning to use OTP authentication, this configuration is a simple yet effective way to get users onto the system.
Here are some key benefits of this type of authentication configuration:
- Users do not need to complete a profile to be able to use the system
- User profiles are configured automatically, ready for use
- Allows for quicker and simpler system uptake and roll-out
Once the system is configured, your users can use the self-service functions straight away. When a password reset or account unlock is required, the user receives a unique OTP (One Time Password) authorization code via email or SMS; this code is then used to complete the authorization process.
For this authentication method to work, the user's Active Directory account must have either an email address set (one they can still access while their account is locked, so they can complete the self-service action), which Access Manager uses for the email OTP, or a mobile number set, which is used to receive the OTP SMS message.
For this article we will use the email OTP method using the web interface. Here's a look at how to set it up.
1. Confirm users have a valid email address and mobile number set in Active Directory.
For OTP authentication to work automatically, the user must have a valid email address and mobile number set in Active Directory. Access Manager uses these to send the OTP code for authentication.
Remember also that, for this type of authentication, the email address must be one the user can access while locked out of the system, otherwise they cannot receive the OTP.
These are the email and mobile number fields that need to be set on the user's Active Directory account so that Access Manager can import their details automatically, without the user needing to register.
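Before roll-out it is worth auditing the directory rather than checking accounts one by one. The following PowerShell script is an added example and is not part of the original article or the Access Manager product: it reads the `mail` and `mobile` attributes (the LDAP names of the E-mail and Mobile fields on the user object) for enabled users and reports anyone who has neither, since such users cannot receive an OTP by either channel. It also flags users whose only channel is a mailbox on an internal domain, because a corporate mailbox may be unreachable while the same AD account is locked. The `$SearchBase` and `$InternalMailDomains` values are placeholders to adjust for your environment, and the script assumes the RSAT ActiveDirectory module is available.

```powershell
# Added example (not from the original article): audit AD users for the
# attributes Access Manager relies on when sending an OTP by email or SMS.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read
# user objects. $SearchBase and $InternalMailDomains are placeholders to adjust.

param(
    [string]$SearchBase = "OU=Users,DC=example,DC=com",   # placeholder, adjust
    [string[]]$InternalMailDomains = @("example.com")     # placeholder, adjust
)

Import-Module ActiveDirectory

# 'mail' and 'mobile' are the LDAP display names of the E-mail and Mobile
# fields on the user object; only enabled accounts are relevant for self-service.
$users = Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase $SearchBase -Properties mail, mobile

$report = foreach ($u in $users) {
    $hasMail   = -not [string]::IsNullOrWhiteSpace($u.mail)
    $hasMobile = -not [string]::IsNullOrWhiteSpace($u.mobile)

    # A mailbox on the internal domain may be unreachable while the AD account
    # is locked, so an internal address with no mobile number is flagged for review.
    $mailDomain = if ($hasMail) { ($u.mail -split '@')[-1].ToLower() } else { $null }
    $internalMailOnly = $hasMail -and -not $hasMobile -and ($InternalMailDomains -contains $mailDomain)

    if (-not $hasMail -and -not $hasMobile) {
        $status = 'NoOtpChannel'      # cannot receive an OTP at all
    } elseif ($internalMailOnly) {
        $status = 'InternalMailOnly'  # may be unreachable when locked out
    } else {
        $status = 'Ready'
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Mail           = $u.mail
        Mobile         = $u.mobile
        Status         = $status
    }
}

# Show everyone who still needs attention before the OTP flow is switched on.
$report | Where-Object { $_.Status -ne 'Ready' } |
    Sort-Object Status, SamAccountName |
    Format-Table -AutoSize

# Keep a CSV for the roll-out team to work through.
$report | Export-Csv -Path .\otp-readiness.csv -NoTypeInformation
```

Run it from a workstation or server with RSAT installed, using an account that can read user attributes; no changes are written to the directory. Accounts listed as `NoOtpChannel` will be unable to use the self-service flows described below until their `mail` or `mobile` attribute is populated.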
2. Configure Authentication
First, make sure that the only primary authentication module present in ANY of your flows is the OTP module. Go to the Authentication page, check every flow (Password Reset, Account Unlock, etc.), remove any other primary module and make sure only OTP is present. This needs to be done for ALL front ends (Web, Mobile and Desktop), even if they are not all going to be used.
If required, for even greater security you can also add a secondary authentication module to the flow, reCAPTCHA or Slider CAPTCHA for example; add these to the flow as usual and hit Save.
Next we need to configure the OTP module and set its output method. Click the OTP tab under the Authentication menu. Set up the OTP configuration as required and choose the 'Output Media' type depending on whether the OTP will be sent by email, SMS or both. Once selected, hit Save.
The system is now set to use OTP authentication; as long as your users have an email address or mobile number set on their Active Directory account, they can start using the self-service features straight away.
The End User experience
Here are the steps a user follows to perform a password reset; the procedure is exactly the same if the user performs an "Unlock My Account".
If a user forgets their password, they simply log onto the Access Manager server and select "Forgot My Password".
They are then prompted to enter their Username and hit Next.
An OTP verification email is sent to the user's registered email address. Once received, the code is entered into the "Password" field; hit Next.
The user can then set a new password; once confirmed, hit Finish to complete.