How do I force ODA to accept PASSCODE only?
We have a lot of ODA clients, primarily vendors, who are using this feature. After upgrading to 8.1 and subsequently to 8.2, we found that the ODA process (request and authentication) has changed. While we can document the new process, we would like to find out if it is possible to authenticate with PASSCODE only.
Currently, after TOKENCODE is requested, a user can authenticate with this TOKENCODE without appending a PIN. Can it be forced that PASSCODE is required for ODA authentication?
In 8.x ODA on the agent you request the TokenCode by entering the PIN, so the 2 Factors are about 30 seconds apart while the ODT is delivered via SMS Text or email. We no longer support that AM 7.1 type of ODA where you request the TokenCode via the Self Service Console; that link no longer shows in Self Service and should be dead in AM 8.1 SP1 Self Service.
Thank you for your reply.
Yes, the process has changed and we are okay with it. We would like to find out if we can force authentication with PIN + TOKENCODE. We are using e-mail delivery and some of the registered email addresses are generic, so we want to make sure that PIN is required to request TOKENCODE and to authenticate into a resource protected by RSA.
Our testing shows that after PIN is requested, ODA user can authenticate with TOKENCODE or PASSCODE. How do we force PASSCODE only?
You can do it: well, you may not be able to force passcode only unless you somehow disable the 3-way prompting where an agent can request next tokencode, but you can log in with ODA as a passcode easily.
1) Log in somewhere to get the on-demand tokencode sent to you, with ODA PIN... then cancel that login (do not actually use the code), or use (3) below.
2) Now log in somewhere with the [ODA PIN + the code you just got], as one passcode.
This will work; the only issue is, you need to do some action to trigger the code to be sent.
3) In 7.1 we had a link on self-service to just send an on-demand code; you can still do that, but the link clearly stating it is just to get a code sent was removed. Use this hidden URL to hit the 8.x self service console and get an on-demand code sent by itself, then use your ODA PIN and this code you get to do a login elsewhere.
Thank you, and I agree with the RFE course of action. If this is implemented as an ODA option or as a policy, it would be great. Just give admins the ability to choose which option suits their needs as well as business requirements.
Yes, this is doable and it will work. Like I said, after PIN is requested, both methods, PASSCODE and TOKENCODE, are accepted. The question is how can we force PASSCODE only authentication?