SecureAuth mobile services

Updated October 4, 2022

The SecureAuth® Identity Platform release 21.04 or later includes some changes to how it handles mobile services in the authentication workflow.

If you are upgrading from an earlier version of the Identity Platform to 21.04 or later, this topic complements the Mobile service migration process.

With a single global MFA one-time passcode (OTP) setting for authentication apps, all logins have the same unified login experience. See Authentication apps global MFA settings.

Upgrade considerations

There are some mobile services considerations when upgrading to Identity Platform release 21.04 or later.

SQL data store updates

Before you can upgrade to the Identity Platform release 21.04 or later, you must update your SQL data store.

To learn about this important update, see Upgrade information for SQL data stores.

Why you need to know this: The mobile service references unique user values assigned to each user login.

Data store profile field properties

The upgrade to Identity Platform release 21.04 or later migrates the data held in data store profile property fields such as Push Notification Tokens and OATH Token.

With this migration, your on-prem data store profile properties must be visible and set to writable on your Self-Service, Account Management (Help Desk), and Mobile enrollment realms. This applies to mappings from your data store to Push Notification Tokens and OATH Token (TOTP and HOTP).

Why you need to know this: After the Identity Platform upgrade, this allows previously enrolled users to log in successfully without having to re-enroll their authentication app.

Conversion of passcode lengths

If you have multiple realms (created in Advanced Settings / Classic Experience) with different passcode lengths, you MUST change them all to use the same passcode length you have defined in the global MFA one-time passcode (OTP) setting. See Authentication apps global MFA settings.

Why you need to know this: A single global MFA one-time passcode (OTP) setting provides a unified login experience for all realms. See Authentication apps global MFA settings.
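The following added example (not SecureAuth code) uses the standard OATH algorithms from RFC 4226 and RFC 6238 to show that passcode length is a parameter of OTP generation itself, so a validator configured for one length rejects codes generated for another. The realm names and the `audit_realms` helper are hypothetical; the secret is the published RFC test-vector value.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, reduce to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)

def validate(secret: bytes, submitted: str, unix_time: int, digits: int,
             step: int = 30, window: int = 1) -> bool:
    """Validator that accepts exactly one passcode length (the global one)."""
    if len(submitted) != digits or not (submitted.isascii() and submitted.isdigit()):
        return False
    counter = unix_time // step
    ok = False
    # Check adjacent time steps for clock drift; compare in constant time.
    for c in range(max(0, counter - window), counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c, digits), submitted)
    return ok

def audit_realms(realm_lengths: dict, global_length: int) -> list:
    """Pre-upgrade check: realms whose passcode length differs from global."""
    return sorted(r for r, n in realm_lengths.items() if n != global_length)

SECRET = b"12345678901234567890"      # RFC 4226 / RFC 6238 test-vector secret
GLOBAL_DIGITS = 8                     # assumed global MFA OTP length
REALMS = {"SecureAuth1": 6, "SecureAuth2": 8, "SecureAuth3": 6}  # constructed

if __name__ == "__main__":
    t = 59                                  # RFC 6238 test time
    six, eight = totp(SECRET, t, 6), totp(SECRET, t, 8)
    print("6-digit app code:", six, "accepted:",
          validate(SECRET, six, t, GLOBAL_DIGITS))
    print("8-digit app code:", eight, "accepted:",
          validate(SECRET, eight, t, GLOBAL_DIGITS))
    print("realms to change:", audit_realms(REALMS, GLOBAL_DIGITS))
```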

Multi-factor app enrollment configuration (QR or URL)

Use the Internal Application Manager to set up a new authentication app enrollment page with a QR code or URL link. See Multi-factor app enrollment QR code configuration and Multi-factor app enrollment URL configuration.

Why you need to know this: You can set up a multi-factor app enrollment page (QR code or URL link) in the New Experience and define a PIN setting to enroll the authentication app. The passcode length generated by the authenticator comes from the single global MFA one-time passcode (OTP) setting set for Authentication apps. See Authentication apps global MFA settings.

Legacy enrollment realm in Advanced Settings

After the Identity Platform upgrade, if users re-enroll using the legacy enrollment realm (QR code or URL link) created in Advanced Settings (formerly Classic Experience), the Identity Platform enforces the passcode length set in the global MFA settings. It does not use the passcode length set on the Multi-Factor Methods tab in Advanced Settings.

Why you need to know this: With the change in how the Identity Platform handles mobile services, it now uses a single global MFA one-time passcode (OTP) setting from the New Experience for all realms that have the authentication app enabled in the login workflow. See Authentication apps global MFA settings.