AnsweredAssumed Answered

How do I force ODA to accept PASSCODE only

Question asked by Igor Katsenovich on Sep 21, 2016
Latest reply on Sep 22, 2016 by Igor Katsenovich

Like • Show 0 Likes0
Comment • 8

We have a lot of ODA clients, primarily vendors, who is using this feature. After upgrading to 8.1 and subsequently to 8.2, we found that ODA process - request and authentication - have changed. While we can document the new process, we would like to find out if it is possible to authenticate with PASSCODE only.

Currently, after TOKENCODE is requested, a user can authenticate with this TOKENCODE without appending a PIN. Can it be forced that PASSCODE is required for ODA authentication?

Thank you

No one else has this question

Outcomes

8 Replies

Jay Guillette Sep 21, 2016 6:22 PM
Mark Correct
Correct Answer
In 8.x ODA on the agent you request the TokenCode by entering the PIN, so the 2 Factors are about 30 seconds apart while the ODT is delivered via SMS Text or email. We no longer support that AM 7.1 type of ODA where you request the TokenCode via the Self Service Console, that link no longer shows in Self Service and should be dead in AM 8.1 SP1 Self Service
Like • Show 0 Likes0
Actions
- Jay Guillette @ Jay Guillette on Sep 21, 2016 6:24 PM
  Mark Correct
  Correct Answer
  You could use Link Search for "How to troubleshoot ODA" and find KB 29925 up at the top of the list
  Like • Show 0 Likes0
  Actions
  - Jay Guillette @ Jay Guillette on Sep 21, 2016 6:26 PM
    Mark Correct
    Correct Answer
    here's the original version
    Attachments
    000029925-AM8.1-Troubleshoot_ODA_login_failures.pdf54.4 KB
    Like • Show 0 Likes0
    Actions
- Igor Katsenovich @ Jay Guillette on Sep 21, 2016 7:04 PM
  Mark Correct
  Correct Answer
  Thank you for your reply
  
  Yes, the process have changed and we are okay with it. We would like to find out if we can force authentication with PIN + TOKENCODE. We are using e-mail delivery and some of the registered email addresses are generic, so we want to make sure that PIN is required to request TOKENCODE and to authenticate into a resource protected by RSA.
  
  Our testing shows that after PIN is requested, ODA user can authenticate with TOKENCODE or PASSCODE. How do we force PASSCODE only.
  Like • Show 0 Likes0
  Actions
Jay Guillette Sep 21, 2016 7:33 PM
Mark Correct
Correct Answer
I don't think it is possible, but I'll check around some more to see if I can find anything. If not this would make an good RFE, request for enhancement
Like • Show 0 Likes0
Actions
- Igor Katsenovich @ Jay Guillette on Sep 22, 2016 10:05 AM
  Mark Correct
  Correct Answer
  Thank you and I agree with RFE course of action. If this is implemented as an ODA option or as a policy, it would be great. Just give admins ability to choose which option suits their needs as well as business requirements.
  Like • Show 0 Likes0
  Actions
Edward Davis Sep 22, 2016 11:31 AM
Mark Correct
Correct Answer
You can do it: well, you may not be able to force passcode only unless you somehow disable the 3-way prompting
where an agent can request next tokencode, but you can login in with oda as a passcode easily.

1) login somewhere to get the on demand tokencode sent to you, with ODA pin...then cancel that login
(do not actually use the code)

or use (3) below

2) Now login somewhere with the [ODA pin + the code you just got], as one passcode.

This will work, the only issue is, you need to do some action to trigger the code
to be sent.

3) In 7.1 we had a link on self-service to just send an on-demand code, you can still
do that but the link clearly stating it is just to get a code sent was removed.

Use this hidden URL to hit the 8.x self service console and get an on-demand code
sent by itself, then use your ODA pin and this code you get to do a login elsewhere

https://primary-FQDN:7004/console-selfservice/OnDemandOTTLogin.do?action=nvPreEdit
Like • Show 0 Likes0
Actions
- Igor Katsenovich @ Edward Davis on Sep 22, 2016 10:07 AM
  Mark Correct
  Correct Answer
  Yes, this is doable and it will work. Like I said, after PIN is requested both methods: PASSCODE and TOKENCODE are accepted. The question is how can we force PASSCODE only authentication?
  Like • Show 0 Likes0
  Actions

How do I force ODA to accept PASSCODE only

Outcomes

Attachments

Related Content

Recommended Content