SecurID® Discussions

IgorKatsenovich
Beginner

How do I force ODA to accept PASSCODE only

We have a lot of ODA clients, primarily vendors, who are using this feature. After upgrading to 8.1 and subsequently to 8.2, we found that the ODA process - request and authentication - has changed. While we can document the new process, we would like to find out if it is possible to authenticate with PASSCODE only.

Currently, after TOKENCODE is requested, a user can authenticate with this TOKENCODE without appending a PIN. Can it be forced that PASSCODE is required for ODA authentication?

Thank you

JayGuillette
Apprised Contributor

In 8.x ODA, on the agent you request the TokenCode by entering the PIN, so the 2 factors are about 30 seconds apart while the ODT is delivered via SMS text or email. We no longer support that AM 7.1 type of ODA where you request the TokenCode via the Self Service Console; that link no longer shows in Self Service and should be dead in AM 8.1 SP1 Self Service.


You could use Link Search for "How to troubleshoot ODA" and find KB 29925 up at the top of the list.

Here's the original version

Thank you for your reply

Yes, the process has changed and we are okay with it. We would like to find out if we can force authentication with PIN + TOKENCODE. We are using e-mail delivery and some of the registered email addresses are generic, so we want to make sure that PIN is required to request TOKENCODE and to authenticate into a resource protected by RSA.

Our testing shows that after PIN is requested, an ODA user can authenticate with TOKENCODE or PASSCODE. How do we force PASSCODE only?
JayGuillette
Apprised Contributor

I don't think it is possible, but I'll check around some more to see if I can find anything. If not, this would make a good RFE (request for enhancement).
EdwardDavis
Employee

You can do it: well, you may not be able to force passcode only unless you somehow disable the 3-way prompting where an agent can request next tokencode, but you can log in with ODA as a passcode easily.

1) Log in somewhere to get the on-demand tokencode sent to you, with ODA PIN... then cancel that login (do not actually use the code), or use (3) below.

2) Now log in somewhere with the [ODA PIN + the code you just got], as one passcode.

This will work; the only issue is, you need to do some action to trigger the code to be sent.

3) In 7.1 we had a link on self-service to just send an on-demand code. You can still do that, but the link clearly stating it is just to get a code sent was removed.

Use this hidden URL to hit the 8.x self service console and get an on-demand code sent by itself, then use your ODA PIN and this code you get to do a login elsewhere:

https://primary-FQDN:7004/console-selfservice/OnDemandOTTLogin.do?action=nvPreEdit

Thank you and I agree with the RFE course of action. If this is implemented as an ODA option or as a policy, it would be great. Just give admins the ability to choose which option suits their needs as well as business requirements.

Yes, this is doable and it will work. Like I said, after PIN is requested both methods, PASSCODE and TOKENCODE, are accepted. The question is how can we force PASSCODE only authentication?