SecureAuth mobile services

The SecureAuth® Identity Platform release 21.04 includes some changes to how it handles mobile services in the authentication workflow.

With a single global MFA one-time passcode (OTP) setting for authentication apps, all logins have the same unified login experience.

Upgrade considerations

There are some mobile services considerations when upgrading to Identity Platform release 21.04.

Data store profile field properties

The upgrade to Identity Platform release 21.04 migrates the data in two data store profile property fields: Push Notification Tokens and One Time OATH List.

With this migration, those fields will be disabled and set to read-only, so that end users do not have to re-enroll their authentication app after the Identity Platform upgrade.

The profile property field OATH Token was renamed to HOTP Token. The new name better reflects the purpose of this field, which mobile services use to handle HOTP tokens (security keys) that provide one-time passcodes.

Why you need to know this: After the Identity Platform upgrade, this migration allows previously enrolled users to log in successfully without having to re-enroll their authentication app.

Conversion of passcode lengths

If you have multiple realms (created in the Classic Experience) with different passcode lengths, you MUST change them all to use the same passcode length you have defined in the global MFA one-time passcode (OTP) setting.

Why you need to know this: A single global MFA one-time passcode (OTP) setting provides a unified login experience for all realms.
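
The following added example (not SecureAuth code) shows why mismatched passcode lengths break logins. It uses the standard RFC 4226 HOTP algorithm and its published test key. The realm names, the lengths, and the audit_realms helper are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test key; not a real enrollment secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, keep `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, counter: int, submitted: str, digits: int) -> bool:
    """Server-side check using the server's configured passcode length."""
    if len(submitted) != digits or not (submitted.isascii() and submitted.isdigit()):
        return False
    return hmac.compare_digest(hotp(secret, counter, digits), submitted)


def audit_realms(realm_lengths: dict, global_length: int) -> list:
    """Return realms whose passcode length differs from the global setting."""
    return sorted(name for name, n in realm_lengths.items() if n != global_length)


if __name__ == "__main__":
    # An app enrolled for 6 digits produces a code that a server
    # expecting 8 digits rejects, even with the same seed and counter.
    code6 = hotp(SECRET, 0, 6)
    print("6-digit code:", code6, "accepted at length 8:", verify(SECRET, 0, code6, 8))
    print("8-digit code:", hotp(SECRET, 0, 8), "accepted at length 8:",
          verify(SECRET, 0, hotp(SECRET, 0, 8), 8))

    # Constructed inventory of Classic Experience realms (hypothetical names).
    realms = {"SecureAuth1": 6, "SecureAuth2": 8, "SecureAuth3": 6}
    print("Realms to change before upgrade:", audit_realms(realms, global_length=6))
```

The shorter code is the tail of the longer one, so the two lengths are not interchangeable: the server's configured length must match the length the authentication app was enrolled with.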

Multi-factor app enrollment configuration (QR or URL)

Use the Internal Application Manager to set up a new authentication app enrollment page with a QR code or URL link.

Why you need to know this: You can set up a multi-factor app enrollment page (QR code or URL link) in the New Experience UI and define a PIN setting to enroll the authentication app. The passcode length generated by the authenticator comes from the single global MFA one-time passcode (OTP) setting set for Authentication apps.

Legacy enrollment realm in the Classic Experience

After the Identity Platform upgrade, if users re-enroll using the legacy enrollment realm (QR code or URL link) created in the Classic Experience, the Identity Platform enforces the passcode length set in the global MFA settings. It does not use the passcode length set on the Multi-Factor Methods tab in the Classic Experience.

Why you need to know this: With the change in how the Identity Platform handles mobile services, it now uses a single global MFA one-time passcode (OTP) setting from the New Experience UI for all realms that have the authentication app enabled in the login workflow.

OATH seed conversions

If you have any OATH seeds, you must convert them to OATH Tokens before upgrading to Identity Platform release 21.04.

Why you need to know this: SecureAuth deprecated OATH seed support as of SecureAuth IdP release 9.2. If you are on SecureAuth IdP 9.1 or earlier, OATH seeds must be converted to OATH Tokens as part of the mandatory upgrade to SecureAuth IdP 9.2 before upgrading to the Identity Platform release 21.04.