Manage authenticators
An authenticator helps protect an application from unauthorized access. It requires the user to respond to a security challenge before granting access.
User authenticators
The following points describe how authenticators are assigned in IDaaS:
- A user can be assigned multiple authenticators.
- A user must have at least one authenticator to log in to IDaaS.
- A user can select to receive their OTP by voice, email, or SMS if they have a phone number, email address, or mobile device registered to their account.
- Assigned tokens have a token state (either Active or Inactive). Only tokens in an Active state can be used for authentication.
- The resource rules for an application control which authenticators can be used to log in to an application.
- Users created locally in IDaaS or through Active Directory (AD) sync can be automatically assigned an authenticator.
This section explains how to configure the global settings using the General page and how to configure authenticator policies. You can override the General settings for specific groups using the Group policies options.
Push transaction queuing
The push transaction queuing feature supports users who need to verify multiple transactions during the day and may need time to complete other steps before confirming each transaction.
For example, bank loan officers can use this feature during the loan approval process. When enabled, IDaaS can send multiple transactions to a user’s mobile soft token app and allow the user to respond within a configured time period.
If the queue size is set to 1, only one transaction can be active at a time for a soft token identity, and a new transaction overwrites the previous one. Transactions also expire after the configured lifetime, which is typically short.
Example of queued transactions
A loan officer at AnyBank is asked to approve about 15 loans a day. Approval is granted by responding to a transaction challenge sent to the loan officer's mobile soft token identity, which is the identity used for transaction queuing.
The administrator configured the push transaction to expire after two days (Push Transaction Lifetime). To handle spikes in activity, the administrator also set the Maximum Queued Transactions to twice the typical daily transaction volume. As a result, the loan officer can have up to 30 transactions queued for this identity.
When the queue reaches this limit, the system first removes expired transactions; if that does not free space, it deletes the oldest transactions to make room for new ones. Ideally, the queue never reaches this limit, and the loan officer responds to each transaction before the system deletes it.
For more information, see Manage General settings.
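The following Python model is an added example for this page, not IDaaS code, and illustrates the queuing behaviour described above: one queue per soft token identity, a Maximum Queued Transactions limit, a Push Transaction Lifetime, eviction of expired transactions before oldest-first eviction, and the overwrite behaviour when the queue size is 1. The class and method names, the timestamps, and the loan transaction identifiers are constructed for the example.

```python
"""Model of push transaction queuing (added example; not IDaaS code).

Names, timestamps and transaction ids below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Transaction:
    tx_id: str
    created_at: float        # seconds from an arbitrary origin (constructed)
    description: str


@dataclass
class PushTransactionQueue:
    """One queue per soft token identity.

    max_queued -> 'Maximum Queued Transactions' setting (assumed >= 1)
    lifetime_s -> 'Push Transaction Lifetime' setting, in seconds
    """
    max_queued: int
    lifetime_s: float
    pending: List[Transaction] = field(default_factory=list)
    evicted: List[Tuple[str, str]] = field(default_factory=list)  # (tx_id, reason)

    def __post_init__(self) -> None:
        if self.max_queued < 1:
            raise ValueError("queue size must be at least 1")

    def _expire(self, now: float) -> None:
        """Drop transactions past their lifetime; they can no longer be approved."""
        keep = []
        for tx in self.pending:
            if now - tx.created_at >= self.lifetime_s:
                self.evicted.append((tx.tx_id, "expired"))
            else:
                keep.append(tx)
        self.pending = keep

    def push(self, tx: Transaction) -> None:
        """Queue a new challenge: expired entries go first, then the oldest."""
        self._expire(tx.created_at)
        # With max_queued == 1 this drops the single pending transaction,
        # so the new one overwrites it, as the documentation describes.
        while len(self.pending) >= self.max_queued:
            oldest = self.pending.pop(0)
            self.evicted.append((oldest.tx_id, "queue_full"))
        self.pending.append(tx)

    def respond(self, tx_id: str, now: float, approve: bool) -> Optional[str]:
        """User answers a challenge; None if it is unknown or already expired."""
        self._expire(now)
        for i, tx in enumerate(self.pending):
            if tx.tx_id == tx_id:
                self.pending.pop(i)
                return "approved" if approve else "denied"
        return None

    def pending_ids(self) -> List[str]:
        return [tx.tx_id for tx in self.pending]


def demo() -> dict:
    """AnyBank scenario: two-day lifetime, queue of 30, with constructed data."""
    day = 24 * 3600
    q = PushTransactionQueue(max_queued=30, lifetime_s=2 * day)

    # Day 0: 15 loans arrive, one per hour; the officer answers the first five.
    for i in range(15):
        q.push(Transaction(f"loan-{i:03d}", created_at=i * 3600, description="day0"))
    for i in range(5):
        q.respond(f"loan-{i:03d}", now=16 * 3600, approve=True)

    # Day 3: a spike of 35 loans. The 10 unanswered day-0 transactions are past
    # the two-day lifetime and are removed before any oldest-first eviction;
    # the queue then fills and the 5 oldest spike transactions are dropped.
    for i in range(35):
        q.push(Transaction(f"spike-{i:03d}", created_at=3 * day + i * 60, description="day3"))

    # A late answer to an expired day-0 transaction is rejected.
    late = q.respond("loan-007", now=3 * day + 3000, approve=True)

    return {
        "pending": len(q.pending),
        "oldest_pending": q.pending_ids()[0],
        "expired_evictions": sum(1 for _, why in q.evicted if why == "expired"),
        "queue_full_evictions": sum(1 for _, why in q.evicted if why == "queue_full"),
        "late_answer": late,
    }


def demo_queue_size_one() -> List[str]:
    """Queue size 1: each new transaction overwrites the previous one."""
    q = PushTransactionQueue(max_queued=1, lifetime_s=300)
    q.push(Transaction("t1", created_at=0, description="first"))
    q.push(Transaction("t2", created_at=10, description="second"))
    return q.pending_ids()
```

Running `demo()` shows why the administrator sized the queue at twice the daily volume: the spike still loses five challenges to oldest-first eviction, and those loans would need to be re-requested, so the lifetime and queue size should be tuned together against the real approval rate.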
Assigning user authenticators
To assign authenticators to users, see the following:
For instructions on how users authenticate with them, see the IDaaS User Online Help.
Topics in this section
Authenticator lockout behavior
The authenticators allowed to access applications are set by the resource rules (see Create and manage resource rules). If a user enters an incorrect authentication response more times than the value set in the Lockout Count, the authenticator is locked and the user cannot access the application using that authenticator. See Manage General settings for more information about account lockout.
Manage General settings
After you create a user, you must assign one or more authenticators to that user. The General settings control how authenticators work and whether the system automatically assigns authenticators when you create a user account.
Manage Device fingerprint attributes
Device fingerprint attributes validate a machine authentication when Device Fingerprint Required is selected in the machine authenticator settings.
Manage Face Biometrics by Onfido
2 items
Manage grid card authenticators
6 items
Manage hardware token authenticators
4 items
Manage Knowledge-based (KBA) authenticators
5 items
Manage machine authenticator settings
Machine Authentication provides identification information on the Web browser being used to access an application. The resource rules that protect your applications can then be configured to check for registered machine authentication when assessing a user's risk. When configured, the resource rule compares the attributes of a Web browser's Machine Authentication with the copy of the machine authentication information recorded in the IDaaS account.
Manage Magic Links
2 items
Manage One Time Password (OTP) settings
A one time password (OTP) authenticator is a random series of characters that is sent to the mobile device number or email address of a user during authentication. If you are using WeChat or WhatsApp for OTP delivery, ensure that you have completed the prerequisites.
Manage pass-through authenticators
2 items
Manage Passkey/FIDO2 authenticators
2 items
Manage password authenticators
4 items
Reset a password
1 item
Manage Risk-based authentication (RBA) settings
3 items
Manage smart credential authenticators
7 items
Manage soft token authenticators
9 items
Manage Temporary Access Codes
2 items
Manage user certificate authenticators
1 item