Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security
With AuthPoint MFA, each user installs the AuthPoint app on a mobile device, and activates a token. The user can then use the app to authenticate with the Push, QR code, or one-time password (OTP) authentication methods. Users can also use third-party hardware tokens to authenticate with an OTP.
When a user tries to log in to a resource that requires authentication, the AuthPoint single sign-on (SSO) authentication page appears. To log in, the user types their AuthPoint password (if required) and chooses an authentication method. The authentication methods available depend on the authentication policies that apply to the user's AuthPoint groups. Some resources might require specific authentication methods, or allow only certain methods.
If a user fails three consecutive authentication attempts, AuthPoint automatically blocks the token used for authentication. The user cannot authenticate with the blocked token until an AuthPoint administrator unblocks the token.
When the user authenticates, their web browser creates a session and remembers them for eight hours. While their session is active, the user does not need to authenticate again for SAML resources, RD Web resources, or the IdP portal unless the resource requires a more secure authentication method.
From most secure to least secure, the authentication methods are:
- Push notification and QR code
- One-time password
- Password
For example, you authenticate with your password and an OTP to log in to the IdP portal. After this, you can log in without authentication to any resource that has OTP as an allowed authentication option or that only requires a password.
The table below shows when an authenticated user must reauthenticate.
| User Previously Authenticated With | Authentication Options in Policy | Authentication Action |
|---|---|---|
| Password | Password | Log in without authentication |
| Password | Password + OTP, QR code, or Push | User must authenticate with OTP, QR code, or Push (no password required) |
| OTP | Password or OTP | Log in without authentication |
| OTP | Password + QR code or Push | User must authenticate again with QR code or Push (no password required) |
| OTP | OTP, QR code, or Push | Log in without authentication |
| QR Code or Push | Any | Log in without authentication |
Push Authentication
For push authentication, AuthPoint sends a push notification to your phone. You can either tap Approve to authenticate and get access to your applications, or tap Deny to prevent an access attempt that was not made by you.
To use push authentication:
- Navigate to an application or service that requires MFA.
You are redirected to the AuthPoint SSO authentication page. - Log in with your user name or email address.
- Type your AuthPoint password (if required) and select Push for the authentication method.
- On the push notification that is sent to your phone, tap Approve to authenticate and log in.
You do not have to have the AuthPoint app open to approve a push.
If your token is protected, the AuthPoint app opens and prompts you to unlock your token with a biometric ID or a PIN when you try to approve a push notification. After you validate, you can approve or deny the push notification.
Some mobile devices allow users to approve push notifications from the lock screen, even when the device is locked. To prevent this, enable PIN protection for your tokens. For instructions to enable PIN protection, refer to Token Security.
QR Code
A QR code is a square bar code that can be scanned by your phone to read stored data. AuthPoint uses secure QR codes to provide you with a verification code for authentication. AuthPoint QR codes can only be decrypted with the built-in AuthPoint app QR code reader.
To authenticate with a QR code:
- Navigate to an application or service that requires MFA.
You are redirected to the AuthPoint SSO authentication page. - Log in with your user name or email address.
- Type your AuthPoint password (if required) and select QR Code for the authentication method.
A new page with a QR code appears. - Open the AuthPoint app and tap
to open the QR code reader. - Point your phone camera at the QR code on the computer screen.
The AuthPoint app reads the QR code and the Authentication Request page appears with a temporary verification code. - In the Verification Code text box, type the 6-digit verification code from your AuthPoint app.
- Click Finish.
If your token is protected with a PIN, you must type your PIN to see the Authentication Request page with the verification code.
One-Time Password
An OTP (one-time password) is a unique, temporary password that is only valid for a short time. OTPs are used in addition to your normal password for authentication. You can see the OTP for each token and how long the OTP is valid on the Token Management page of the AuthPoint app. The OTP for protected tokens is hidden until you unlock your tokens.
To authenticate with an OTP:
- Navigate to an application or service that requires MFA.
You are redirected to the AuthPoint SSO authentication page. - Log in with your user name or email address.
- Type your AuthPoint password (if required) and select OTP for the authentication method.
- In the One-Time Password text box, type the OTP shown for your token in the AuthPoint app. Unlock your token if necessary.
- Click Finish.
For RADIUS authentication, you append your OTP to the end of your password. Do not add a space.
Authentication Without Your Mobile Device