In addition to receiving tokencodes on hardware and software tokens, users can receive tokencodes on mobile phones or through personal e-mail. You can deliver tokencodes to a mobile phone using Short Message Service (SMS), or an e-mail address using Simple Mail Transfer Protocol (SMTP). Tokencodes delivered using SMS or SMTP are called on-demand tokencodes.
As with the tokencode generated by a hardware or software token, on-demand tokencodes are used with a PIN to achieve two-factor authentication. However, on-demand tokencodes differ from tokencodes generated by hardware or software tokens in the following ways:
The user must already be assigned a PIN to use on-demand tokencodes.
You must either manually assign a PIN through the Security Console, or configure Self-Service to allow the user to request an account so that he or she can set a PIN.
The user initiates the request for the on-demand tokencode, either through Self-Service, which you must configure to allow such a request, or through any authentication agent.
Note:The on-demand tokencode service is not supported with authentication agents enabled with EAP 32.
The on-demand tokencode has a lifetime that you configure, after which it expires and can no longer be used to authenticate.
You can use the Security Console to perform the following tasks.
Configure SMS plug-ins for on-demand authentication (ODA).