
Multi-screen login workflows

With the multi-screen login workflow, end users authenticate by entering their username on a VPN login screen followed by at least one other code. This can be a password, passcode, symbol, link, PIN, or YubiKey passcode. Once end users have entered their username and code, the login button is enabled on a second VPN login screen or the SecureAuth Authenticate mobile app.

Considerations

  • If end users will use YubiKey devices to obtain an HMAC-based One-Time Password (HOTP) or Time-Based One-Time Passcode (TOTP), ensure that the YubiKey devices are supported. See the Supported third-party login devices section of the SecureAuth compatibility guide.

  • If end users will use face or fingerprint recognition, ensure that they set up their mobile device for face or fingerprint recognition before enrollment. Features will then work automatically with the SecureAuth Authenticate mobile app.

  • End users who already use the Authenticate mobile app and want to add the ability to accept biometric push notifications to use face or fingerprint recognition must first reconnect the account for their mobile device.

  • If end users want to use face or fingerprint recognition, but did not set up their mobile device to use the features before enrollment, they must turn on face or fingerprint recognition on their mobile device, then set up the SecureAuth mobile app again. To learn more, see the Prerequisites section in the SecureAuth Authenticate App documentation for iOS and Android.

Second-factor authentication methods

The list of available second-factor authentication methods is dynamic and based on the multi-factor authentication options provisioned by the administrator.

See the chart below for the full list of second-factor authentication methods and their workflows.

Second-factor method

Workflow

SMS / Text Message Phone

If the SMS / Text Message Phone option is selected, the following occurs:

  • An SMS / text message containing a one-time passcode is sent to the mobile number associated with the end user's profile.

  • The end user enters the passcode in the VPN screen as the answer and clicks Continue on the VPN screen to be authenticated.

SMS / Text Link (Link-to-Accept)

If the SMS Link-to-Accept option is selected, the following occurs:

  • On the mobile device, the end user receives a request to click the link to approve the request, and clicks the link to be authenticated.

  • The VPN receives the link information and the end user is authenticated.

Email

If the Email option is selected, the following occurs:

  • An email containing a one-time passcode is sent to the email address associated with the end user's profile.

  • The end user enters the passcode in the VPN screen as the answer and clicks Continue on the VPN screen to be authenticated.

Email Link (Link-to-Accept)

If the Email Link-to-Accept option is selected, the following occurs:

  • A push notification is sent to the email address that the end user set up. The end user clicks the notification to open the email containing the link, then clicks the link to be authenticated.

  • The VPN receives the link information and the end user is authenticated.

Send Passcode to Phone (Push Notification)

If the Send Passcode to Phone (Push Notification) option is selected, the following occurs:

  • On the mobile device, the end user receives a Push Notification containing a one-time passcode.

  • The end user enters the passcode in the VPN screen as the answer and clicks Continue to be authenticated.

Send Login Request to Phone (Push-to-Accept)

If the Push-to-Accept option is selected, the following occurs:

  • The VPN waits for RADIUS to respond.

  • When the Login Request screen appears on the mobile app, the end user taps Approve or Deny on the screen.

Yubico OTP Token

If the Yubico OTP Token option is selected, the following occurs:

  • The VPN waits for RADIUS to respond.

  • The end user gets the Yubico one-time passcode by pressing their YubiKey.

  • The Yubico OTP is automatically sent to the login app, the login app receives the OTP, and the end user is authenticated.

PIN

If the PIN option is selected, the following occurs:

  • The end user enters the PIN associated with their account on the VPN screen as the answer and clicks Continue to be authenticated.

Help Desk OTP

If the Help Desk OTP option is selected, the following occurs:

  • End users receive a message to call the help desk for a passcode, along with the help desk phone number.

  • If there is more than one help desk to select, end users choose the option for the help desk they will call and enter the number in the Answer field.

  • The end user calls the help desk and requests the passcode.

  • The end user enters the passcode in the VPN screen as the answer and clicks Continue on the VPN screen to be authenticated.

The following image is an example of the VPN screen end users see with this workflow:

[Image: VPN screen for the Help Desk OTP workflow]

Symbol-to-Accept

If the Symbol-to-Accept option is selected, the following occurs:

  • End users receive a valid symbol on the VPN screen.

  • On the mobile app, end users receive four symbols; they must tap the symbol that matches the one on the VPN screen.

  • The tapped symbol is sent back to the VPN screen as the answer. End users then click Continue on the VPN screen to be authenticated.

The following image is an example of the VPN screen end users see with this workflow:

[Image: VPN screen for the Symbol-to-Accept workflow]

Fingerprint / Face Recognition

If the Fingerprint or Face Recognition options are selected, the following occurs:

  • A push notification is sent to the mobile phone that the end user set up.

  • The VPN waits for the fingerprint or face recognition. (Face recognition is available to users on iOS mobile phones only.)

  • On the SecureAuth mobile app, the end user receives a request to provide a fingerprint or face to approve the request.

  • The VPN receives the fingerprint or face information and the end user is authenticated.

End user experience

The following sections detail the end user instructions for logging in with the available multi-screen login workflow options.

Note

If the Send Passcode to Phone (Push Notification), PIN, Symbol-to-Accept or Link-to-Accept workflow is initially selected, end users can enter 0 (zero) in the Response field to return to the screen where they can select a different second-factor authentication option.

If end users have more than one registered mobile device, each with more than one phone number or email address registered, a prompt appears to select which mobile device, phone number, or email address to use in the second-factor authentication workflow. See sample image below.

End users must first select the phone number to use before seeing the second-factor authentication screen.

[Image: prompt to select a mobile device, phone number, or email address]

Password | One-Time Passcode (TOTP/HOTP)

  1. On the initial VPN login screen, enter your username.

  2. Enter your password.

  3. Get the one-time passcode from the SecureAuth Authenticate App or other SecureAuth TOTP application.

  4. On the second VPN login screen, enter your passcode.

Password & Mobile Login Request (Approve / Deny)

  1. On the initial VPN login screen, enter your username.

  2. Enter your password.

    The VPN waits for SecureAuth RADIUS to respond.

  3. On the mobile app Login Request screen, tap Approve or Deny request.


Password | Second Factor

  1. On the initial VPN login screen, enter your username.

  2. Enter your password.

  3. The response screen prompts you for one of two options:

    • Enter an HOTP one-time passcode (from a YubiKey) or a TOTP one-time passcode (from SecureAuth Authenticate, SecureAuth Passcode, or Yubico Authenticator) to authenticate.

    • Enter the number corresponding to an available second-factor authentication method and proceed with the workflow. See Second-factor authentication methods.

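The response screen in this workflow takes either a one-time passcode or a method number in the same field, and entering 0 steps back from a selected method. The sketch below is an added example, not SecureAuth code: it models that dispatch as successive RADIUS replies (Access-Challenge, Access-Accept, Access-Reject). The menu numbering, six-digit passcode length, PIN value, and the `ResponseScreen` name are assumptions, and only the PIN method is modelled.

```python
import hashlib
import hmac
import struct

# Constructed menu numbering; the real list depends on what the administrator provisioned.
MENU = {"1": "Email", "2": "PIN"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class ResponseScreen:
    """State kept between RADIUS rounds for one login attempt (hypothetical model)."""

    def __init__(self, totp_secret: bytes, pin: str):
        self.secret, self.pin, self.state = totp_secret, pin, "menu"

    def _menu(self):
        options = ", ".join(f"{n}={m}" for n, m in MENU.items())
        return "Access-Challenge", f"Enter a passcode or choose: {options}"

    def respond(self, answer: str, now: float, step: int = 30):
        if self.state == "PIN":
            if answer == "0":  # 0 returns to the method-selection screen
                self.state = "menu"
                return self._menu()
            ok = hmac.compare_digest(answer.encode(), self.pin.encode())
            return ("Access-Accept" if ok else "Access-Reject"), ""
        if len(answer) == 6 and answer.isascii() and answer.isdigit():
            # Six digits are treated as a TOTP passcode (assumed length).
            counter = int(now) // step
            # Accept the current and previous time step to tolerate clock drift.
            ok = any(hmac.compare_digest(answer, hotp(self.secret, c))
                     for c in (counter, max(counter - 1, 0)))
            return ("Access-Accept" if ok else "Access-Reject"), ""
        if MENU.get(answer) == "PIN":
            self.state = "PIN"
            return "Access-Challenge", "Enter your PIN, or 0 to choose another method"
        return self._menu()  # unknown input, or a method this sketch does not model
```

Because the single field is overloaded, the order of the checks matters: a selected method is resolved first, so a six-digit answer typed while the PIN prompt is showing is compared against the PIN rather than silently accepted as a passcode.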

One-Time Passcode (TOTP/HOTP) | Password

  1. On the initial VPN login screen, enter your username.

  2. Get the one-time passcode from the SecureAuth Authenticate App (or other SecureAuth TOTP application, such as SecureAuth Passcode), HOTP from YubiKey, or TOTP from a Yubico Authenticator app by using a YubiKey.

  3. Enter your password on the second VPN login screen.

Username | Second Factor

  1. On the initial VPN login screen, enter your username.

    A password entry is not required.

  2. On the response screen, enter the number corresponding to an available second-factor authentication method and proceed with the workflow. See Second-factor authentication methods.

Username | Second Factor | Password

  1. On the VPN login screen, enter your username.

    A password entry is not required at this step.

  2. On the response screen, enter the number corresponding to an available second-factor authentication method and proceed with the workflow. See Second-factor authentication methods.

  3. On the response screen, enter your password.


Username | Fingerprint

  1. On the initial VPN login screen, enter your username.

    A password entry is not required.

  2. If more than one mobile phone is registered, select the phone to use.

    You only need to do this once because the selection is persistent.

  3. Enter the number that corresponds with Fingerprint to send a request to the SecureAuth mobile app.

  4. Provide a fingerprint on the SecureAuth mobile app to approve the request.

    The VPN receives the fingerprint information and you are authenticated.

Username | Face Recognition

  1. On the initial VPN login screen, enter your username.

    A password entry is not required.

  2. If more than one mobile phone is registered, select the phone to use.

    You only need to do this once because the selection is persistent.

  3. Enter the number that corresponds with Face Recognition to send a request to the SecureAuth mobile app.

  4. Show your face on the SecureAuth mobile app to approve the request.

  5. The VPN receives the face information and you are authenticated.

Password & One-Time Passcode (TOTP/HOTP)

  1. On the initial VPN login screen, enter your username.

  2. Enter your password.

  3. Get the one-time passcode from the SecureAuth mobile app (or other SecureAuth TOTP application, such as SecureAuth Passcode), HOTP from YubiKey, or TOTP from a Yubico Authenticator app by using a YubiKey.

  4. Enter your passcode.

Password & Yubico One-Time Passcode (OTP)

  1. On the initial VPN login screen, enter your username.

  2. Enter your password.

  3. Get the Yubico one-time passcode by pressing your YubiKey.

    The Yubico OTP is automatically sent to the login app, the login app receives the OTP, and you are connected to your network.