Documentation

Introduction

Use this guide to configure the Registration Methods / Multi-Factor Methods tab in the Web Admin for each SecureAuth IdP realm.

This includes Multi-Factor Authentication mechanisms enablement and settings, and ID provisioning.

This tab is named Registration Methods in SecureAuth IdP Version 9.0.0 and has since been renamed Multi-Factor Methods as of Version 9.0.1 

Prerequisites

1. Create a New Realm for the target resource for which the configuration settings will apply, or open an existing realm for which configurations have already been started

2. Configure the Overview, Data, and Workflow tabs in the Web Admin before configuring the Registration Methods / Multi-Factor Methods tab

Registration Methods / Multi-Factor Methods Configuration Steps

If the Authentication Mode selected in the Workflow tab requires Multi-Factor Authentication, at least one registration method must be enabled on this page

Select the tab corresponding to the pertinent version: Version 9.0.0 to 9.0.1 or Version 9.0.2+

Version 9.0.0 to 9.0.1

1. In the Registration Configuration section, under Phone Settings, enable Phone Field 1 by selecting the delivery method for the registration code sent to Phone 1 (refer to the Data tab for the Profile Property / data store mapping)

Select Disabled from the dropdown if no registration code will be sent to Phone 1

2. Enable Phone Field 2 through Phone Field 4 in the same manner

Select Disabled from the corresponding dropdown if no registration code will be sent to Phone 2, Phone 3, or Phone 4

3. Select Voice from the Phone / SMS Selected dropdown to default the end-user's selection to Voice on the login page

4. Select True from the Phone / SMS Visible dropdown to show both the Voice and SMS / Text options on the login page, even if both are not available for use

5. Set the Default Phone Country Code that will be appended to any user phone numbers in the directory that do not have a country code provided

Leave field empty if there is no default

6. Set the appearance of the end-users' phone numbers by designing a Phone Mask (Regex), e.g. xxx-xx1-2345

SecureAuth IdP automatically displays phone numbers as xxx-xxx-1234

Leave field empty if the out-of-the-box display is acceptable

7. Under Email Settings, enable Email Field 1 by selecting the delivery method for the registration code sent to Email 1 (refer to the Data tab for the Profile Property / data store mapping)

Select Disabled from the dropdown if no registration code will be sent to Email 1

8. Enable Email Field 2 through Email Field 4 in the same manner

Select Disabled from the corresponding dropdown if no registration code will be sent to Email 2, Email 3, or Email 4

9. Under Knowledge Based Settings, select Enabled from the KB Questions dropdown to enable the use of knowledge-based questions for Multi-Factor Authentication

10. Select the method in which the knowledge-based questions will be formatted from the KB Format dropdown

11. Select the Number of Questions that will be displayed on the login page from the dropdown

12. Select True from the KB Conversion dropdown to convert the stored knowledge-based questions from Base64 encoding to certificate-based encryption

13. Under Help Desk Settings, select Enabled from the Help Desk 1 dropdown to enable the use of Help Desk 1 for Multi-Factor Authentication

14. Provide the Phone number of the Help Desk that end-users can call for a registration code

15. Provide the Email address of the Help Desk that end-users can message for assistance

16. Select Enabled from the Help Desk 2 dropdown to enable the use of Help Desk 2 for Multi-Factor Authentication

17. Provide the Phone number of the second Help Desk that end-users can call for a registration code

18. Provide the Email address of the second Help Desk that end-users can message for assistance

Refer to Second Help Desk Registration Method Configuration Guide for more information

19. Under PIN Settings, select Enabled from the PIN Field dropdown to enable the use of static PINs for Multi-Factor Authentication

The end-user's Personal Identification Number (PIN) must be contained in the data store and mapped to the SecureAuth IdP PIN Property

20. Select True from the Open PIN dropdown to store the PIN in plain text versus encryption

21. Select True from the One Time Use dropdown to enable a one-time-use PIN that is immediately cleared from the directory after use

This is typically utilized for first-time users in self-service enrollment processes

22. Select True from the Show When Empty dropdown to display the One Time Use PIN as an option on the login page even when it is inactive and cannot be used

23. Under Time-based Passcodes (OATH), select Enabled from the Time-based Passcodes dropdown to enable the use of mobile, browser, desktop, or third-party OATH OTP soft tokens for Multi-Factor Authentication

24. Select the number of digits of which a Passcode is comprised from the Passcode Length dropdown

25. Set the number of seconds during which a Passcode is displayed in the Passcode Change Interval field

26. In the Passcode Offset field, set the number of minutes for which a Passcode remains valid, to allow for clock differences between devices

The Passcode Length and Passcode Change Interval fields must match the values configured in the Post Authentication tab of the SecureAuth App Enrollment Realm

27. Set the number of minutes during which the account is locked from utilizing Passcodes after too many failed OTP attempts in the Cache Lockout Duration field

28. Under Mobile Login Requests (Push Notifications), select the type of Push Notification(s) to be used in this realm for Multi-Factor Authentication from the Push Notification Field dropdown

  • Passcode (OTP): Enable the use of Push Notifications, which are one-time passcodes sent (pushed) directly to an end-user's enrolled mobile device
  • Accept / Deny: Enable the use of Push-to-Accept requests, which are login requests sent to the SecureAuth Authenticate App for iOS and Android that require an end-user to Accept or Deny the login request
  • Passcode (OTP) + Accept / Deny: Enable the use of Push Notifications and Push-to-Accept requests

29. Select the number of minutes a Push-to-Accept request is valid for response from the Login Request Timeout dropdown (if an Accept / Deny option is selected in step 28)

30. Set the Company Name, which displays on the Push-to-Accept request (optional, and if an Accept / Deny option is selected in step 28)

31. Set the Application Name to the post-authentication target (e.g. Salesforce, Password Reset, etc.), which displays on the Push-to-Accept request (optional, and if an Accept / Deny option is selected in step 28)

32. Limit the number of devices enrolled for Push Notifications / Push-to-Accept requests in the Max Device Count field

Set this to -1 if there is no limit

33. Select Allow to replace from the When exceeding max count dropdown to enable device replacement once the limit has been reached

34. Select Created Time from the Replace in order by dropdown to replace the oldest enrolled device with the new one

Select Last Access Time to replace the least recently used enrolled device with the new one

35. Under Symantec VIP Settings, select Enabled from the Symantec VIP Integration dropdown to initiate the integration of Symantec VIP with SecureAuth IdP

36. Provide the certificate serial number (provided by Symantec) in the Issued Cert SN field

37. Select Enabled from the Symantec VIP Field to enable the use of Symantec VIP tokens for Multi-Factor Authentication

38. Under Advanced Settings, check Missing Phone, Missing Email, Missing KB Answers, and/or Missing PIN from the Inline Initialization menu to enable end-users to update or provide missing information and then be redirected back to the login pages

39. Select Enabled from the Auto-Submit When One Avail dropdown to automatically select the registration method on the login page when only one is available for the user's account

40. Select the number of digits of which the One-time Passwords (OTPs) will be comprised from the OTP Length dropdown

41. Select True from the Lock User dropdown to lock an end-user's directory account after too many failed login attempts

42. Under Registration Method Order, drag and drop the enabled registration methods on the list to organize their display on the login page

Yubikey


43. Select True from the Validate Yubikey dropdown to enable the use of Yubikeys for Multi-Factor Authentication

44. Provide the Yubikey Provision Page URL at which end-users can provision their Yubikeys

This would be another SecureAuth IdP realm, configured in the Post Authentication tab

Social Identity

NOTE: In 9.0.1+, the Social Identity configuration section is moved to the Workflow tab


45. Under Facebook, select True from the Enable dropdown to enable the use of Facebook ID for Multi-Factor Authentication

46. Provide the Client ID, which is provided by Facebook

47. Provide the Client Secret, which is provided by Facebook

The Client ID and the Client Secret must match exactly here and on Facebook's side

48. Select the profile property in which to store the Facebook ID from the Store Facebook ID at dropdown (e.g. Aux ID 1)

49. Under Google, select True from the Enable dropdown to enable the use of Google ID for Multi-Factor Authentication

50. Provide the Client ID, which is provided by Google

51. Provide the Client Secret, which is provided by Google

The Client ID and the Client Secret must match exactly here and on Google's side

52. Select the profile property in which to store the Google ID from the Store Google ID at dropdown (e.g. Aux ID 2)

53. Under Windows Live, select True from the Enable dropdown to enable the use of Windows Live ID for Multi-Factor Authentication

54. Provide the Client ID, which is provided by Windows Live

55. Provide the Client Secret, which is provided by Windows Live

The Client ID and the Client Secret must match exactly here and on Windows Live's side

56. Select the profile property in which to store the Windows Live ID from the Store Windows Live ID at dropdown (e.g. Aux ID 3)

57. Under LinkedIn, select True from the Enable dropdown to enable the use of LinkedIn ID for Multi-Factor Authentication

58. Provide the Client ID, which is provided by LinkedIn

59. Provide the Client Secret, which is provided by LinkedIn

The Client ID and the Client Secret must match exactly here and on LinkedIn's side

60. Select the profile property in which to store the LinkedIn ID from the Store LinkedIn ID at dropdown (e.g. Aux ID 4)

Click Save once the configurations have been completed and before leaving the Registration Methods / Multi-Factor Methods page to avoid losing changes

In SecureAuth IdP 9.0.2+, when the end-user is presented with the page of Multi-Factor Authentication methods from which to choose, the method that was last selected and used in a successful login persists as the default for the next login on each device / browser

Version 9.0.2+

1. In the Registration Configuration section, under Phone Settings, enable Phone Field 1 by selecting the delivery method for the registration code sent to Phone 1 (refer to the Data tab for the Profile Property / data store mapping)

Select Disabled from the dropdown if no registration code will be sent to Phone 1

2. Enable Phone Field 2 through Phone Field 4 in the same manner

Select Disabled from the corresponding dropdown if no registration code will be sent to Phone 2, Phone 3, or Phone 4

3. Select Voice from the Phone / SMS Selected dropdown to default the end-user's selection to Voice on the login page

4. Select True from the Phone / SMS Visible dropdown to show both the Voice and SMS / Text options on the login page, even if both are not available for use

5. Set the Default Phone Country Code that will be appended to any user phone numbers in the directory that do not have a country code provided

Leave field empty if there is no default

6. Set the appearance of the end-users' phone numbers by designing a Phone Mask (Regex), e.g. xxx-xx1-2345

SecureAuth IdP automatically displays phone numbers as xxx-xxx-1234

Leave field empty if the out-of-the-box display is acceptable

7. In the Phone Number Blocking frame, select types of phone numbers to block from the Block phone numbers from the following sources options

8. Check Enable to Block phone numbers that have recently changed carriers, then select a directory attribute to Store carrier information in

9. Check Enable block/allow list to Block or allow phone numbers by carrier or country, then click Define list of blocked/allowed numbers and carriers

Refer to Phone Number Profiling Service Configuration Guide for more information on configuring Phone Number Blocking settings

10. Under Email Settings, enable Email Field 1 by selecting the delivery method for the registration code sent to Email 1 (refer to the Data tab for the Profile Property / data store mapping)

Select Disabled from the dropdown if no registration code will be sent to Email 1

11. Enable Email Field 2 through Email Field 4 in the same manner

Select Disabled from the corresponding dropdown if no registration code will be sent to Email 2, Email 3, or Email 4

12. Under Knowledge Based Settings, select Enabled from the KB Questions dropdown to enable the use of knowledge-based questions for Multi-Factor Authentication

13. Select the method in which the knowledge-based questions will be formatted from the KB Format dropdown

14. Select the Number of Questions that will be displayed on the login page from the dropdown

15. Select True from the KB Conversion dropdown to convert the stored knowledge-based questions from Base64 encoding to certificate-based encryption

16. Under Help Desk Settings, select Enabled from the Help Desk 1 dropdown to enable the use of Help Desk 1 for Multi-Factor Authentication

17. Provide the Phone number of the Help Desk that end-users can call for a registration code

18. Provide the Email address of the Help Desk that end-users can message for assistance

19. Select Enabled from the Help Desk 2 dropdown to enable the use of Help Desk 2 for Multi-Factor Authentication

20. Provide the Phone number of the second Help Desk that end-users can call for a registration code

21. Provide the Email address of the second Help Desk that end-users can message for assistance

Refer to Second Help Desk Registration Method Configuration Guide for more information

22. Under PIN Settings, select Enabled from the PIN Field dropdown to enable the use of static PINs for Multi-Factor Authentication

The end-user's Personal Identification Number (PIN) must be contained in the data store and mapped to the SecureAuth IdP PIN Property

23. Select True from the Open PIN dropdown to store the PIN in plain text versus encryption

24. Select True from the One Time Use dropdown to enable a one-time-use PIN that is immediately cleared from the directory after use

This is typically utilized for first-time users in self-service enrollment processes

25. Select True from the Show When Empty dropdown to display the One Time Use PIN as an option on the login page even when it is inactive and cannot be used

26. Under Time-based Passcodes (OATH), select Enabled from the Time-based Passcodes dropdown to enable the use of mobile, browser, desktop, or third-party OATH OTP soft tokens for Multi-Factor Authentication

27. Select the number of digits of which a Passcode is comprised from the Passcode Length dropdown

28. Set the number of seconds during which a Passcode is displayed in the Passcode Change Interval field

29. In the Passcode Offset field, set the number of minutes for which a Passcode remains valid, to allow for clock differences between devices

The Passcode Length and Passcode Change Interval fields must match the values configured in the Post Authentication tab of the SecureAuth App Enrollment Realm

30. Set the number of minutes during which the account is locked from utilizing Passcodes after too many failed OTP attempts in the Cache Lockout Duration field

31. Under Mobile Login Requests (Push Notifications), select the type of Push Notification(s) to be used in this realm for Multi-Factor Authentication from the Push Notification Field dropdown

  • Passcode (OTP): Enable the use of Push Notifications, which are one-time passcodes sent (pushed) directly to an end-user's enrolled mobile device
  • Accept / Deny: Enable the use of Push-to-Accept requests, which are login requests sent to the SecureAuth Authenticate App for iOS and Android that require an end-user to Accept or Deny the login request
  • Passcode (OTP) + Accept / Deny: Enable the use of Push Notifications and Push-to-Accept requests

32. Select the number of minutes a Push-to-Accept request is valid for response from the Login Request Timeout dropdown (if an Accept / Deny option is selected in step 31)

33. Set the Company Name, which displays on the Push-to-Accept request (optional, and if an Accept / Deny option is selected in step 31)

34. Set the Application Name to the post-authentication target (e.g. Salesforce, Password Reset, etc.), which displays on the Push-to-Accept request (optional, and if an Accept / Deny option is selected in step 31)

35. Limit the number of devices enrolled for Push Notifications / Push-to-Accept requests in the Max Device Count field

Set this to -1 if there is no limit

36. Select Allow to replace from the When exceeding max count dropdown to enable device replacement once the limit has been reached

37. Select Created Time from the Replace in order by dropdown to replace the oldest enrolled device with the new one

Select Last Access Time to replace the least recently used enrolled device with the new one
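Steps 35 to 37 describe a small enrollment policy: a device cap, whether a new device may replace an old one, and which old one goes. The following Python is an added example written for this guide, not SecureAuth IdP code, that implements that policy with constructed device records; the Device fields and the record_access helper are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

UNLIMITED = -1  # Max Device Count of -1 means no limit


@dataclass
class Device:
    device_id: str
    created_time: int      # enrollment time, unix seconds (constructed)
    last_access_time: int  # last successful push login, unix seconds (constructed)


@dataclass
class PushEnrollmentPolicy:
    """Realm settings for devices enrolled for Push Notifications / Push-to-Accept."""
    max_device_count: int = UNLIMITED          # Max Device Count
    allow_replace: bool = False                # When exceeding max count = Allow to replace
    replace_in_order_by: str = "Created Time"  # Replace in order by: "Created Time" or "Last Access Time"
    devices: List[Device] = field(default_factory=list)

    def enroll(self, new: Device) -> Tuple[bool, Optional[str]]:
        """Return (enrolled, replaced_device_id); replaced_device_id is None when nothing was replaced."""
        if self.max_device_count != UNLIMITED and len(self.devices) >= self.max_device_count:
            if not self.allow_replace:
                return (False, None)   # limit reached and replacement not allowed: refuse enrollment
            if self.replace_in_order_by == "Created Time":
                victim = min(self.devices, key=lambda d: d.created_time)      # oldest enrolled device
            else:
                victim = min(self.devices, key=lambda d: d.last_access_time)  # least recently used device
            self.devices.remove(victim)
            self.devices.append(new)
            return (True, victim.device_id)
        self.devices.append(new)
        return (True, None)

    def record_access(self, device_id: str, now: int) -> None:
        """Update Last Access Time after a successful push login from device_id."""
        for d in self.devices:
            if d.device_id == device_id:
                d.last_access_time = now
```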

38. Under Symantec VIP Settings, select Enabled from the Symantec VIP Integration dropdown to initiate the integration of Symantec VIP with SecureAuth IdP

39. Provide the certificate serial number (provided by Symantec) in the Issued Cert SN field

40. Select Enabled from the Symantec VIP Field to enable the use of Symantec VIP tokens for Multi-Factor Authentication

41. Under Multi-Factor Settings, check Missing Phone, Missing Email, Missing KB Answers, and / or Missing PIN from the Inline Initialization menu to enable end-users to update or provide missing information and then be redirected back to the login pages

42. Select Enabled from the Auto-Submit When One Avail dropdown to automatically select the registration method on the login page when only one is available for the user's account

43. Select the number of digits of which the One-time Passwords (OTPs) will be comprised from the OTP Length dropdown

44. Check Enable multi-factor throttling to limit the number of multi-factor attempts that are allowed within a rolling time period (specified below)

Refer to Multi-Factor Throttling Configuration Guide for more information

45. Under Registration Method Order, drag and drop the enabled registration methods on the list to organize their display on the login page

Yubikey


46. Select True from the Validate Yubikey dropdown to enable the use of Yubikeys for Multi-Factor Authentication

47. Provide the Yubikey Provision Page URL at which end-users can provision their Yubikeys

This would be another SecureAuth IdP realm, configured in the Post Authentication tab

Click Save once the configurations have been completed and before leaving the Multi-Factor Methods page to avoid losing changes