

ArcotID OTP Roaming Flow
This section lists the steps for ArcotID OTP roaming authentication.
Note: For detailed information about the back-end operations that take place when an end user tries to access a protected resource, see How Advanced Authentication Flows Work.
Prerequisites:
This flow is based on the following configurations:
- You have enabled the ArcotID OTP credential in the tenant console and configured the ArcotID OTP Only flow.
- You have configured the Credential Handling Service to protect the resource realm with the CA SiteMinder authentication scheme corresponding to the ArcotID OTP Only flow.
- The end user’s device does not have the ArcotID OTP application installed and the ArcotID OTP credential is not provisioned to the device.
- The end user's browser supports the JavaScript client.
The Flow:
- In a browser window, the end user attempts to access a protected resource.
- On the login page, the end user is prompted for their user name and OTP.
- The end user clicks the Help icon next to the One Time Password field.
  The resulting help page provides three links to enroll for advanced authentication, reset PIN, and perform roaming authentication.
- The end user clicks the My phone is unavailable link to perform roaming authentication.
- On the resulting page, the end user is prompted for their user name.
- If the user name is valid, the end user is prompted for secondary authentication using a security question or a security code.
- If the authentication is successful, then depending on whether two-step authentication is enabled, one of the following takes place:
  - If two-step authentication is not enabled, an ArcotID OTP credential associated with that end user is provisioned to the web browser store, and the end user is prompted for their PIN.
  - If two-step authentication is enabled:
    - The end user is authenticated again using another form of secondary authentication.
      Note: If a security question was used the first time, then a security code is used in this step. Conversely, if a security code was used the first time, then a security question is used in this step.
    - If the verification is successful, an ArcotID OTP credential associated with that end user is provisioned to the web browser store, and the end user is prompted for their PIN.
- If the PIN is correct, a JavaScript client on the end user's device implicitly generates an OTP and sends it to the Advanced Authentication application.
- The Advanced Authentication application invokes the Advanced Authentication Server to verify the OTP.
- If the OTP verification is successful, then the browser is redirected to SiteMinder with a success message.
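The ordering rules in the flow above can be checked against a session's audit trail. The following is an added example, not code from the product or its documentation; the event names, the `checkRoamingFlow` helper, and the sample sessions are hypothetical and constructed for illustration.

```javascript
// Added example: event names and checkRoamingFlow are hypothetical,
// not identifiers from the Advanced Authentication product.
const METHODS = ['security_question', 'security_code'];

// Returns the list of deviations from the documented roaming flow for one session.
function checkRoamingFlow(events, { twoStep }) {
  const violations = [];
  const passed = []; // secondary-authentication methods that succeeded, in order
  let usernameOk = false, provisioned = false, pinOk = false, otpOk = false;
  for (const e of events) {
    switch (e.type) {
      case 'username_valid': usernameOk = true; break;
      case 'secondary_auth_ok':
        if (!usernameOk) violations.push('secondary auth before user name validation');
        if (!METHODS.includes(e.method)) violations.push(`unknown method ${e.method}`);
        else if (passed.includes(e.method)) violations.push(`secondary method ${e.method} reused`);
        else passed.push(e.method);
        break;
      case 'credential_provisioned': {
        // One secondary check is required, or two different ones with two-step enabled.
        const needed = twoStep ? 2 : 1;
        if (passed.length < needed)
          violations.push(`credential provisioned after ${passed.length} of ${needed} secondary checks`);
        provisioned = true;
        break;
      }
      case 'pin_ok':
        if (!provisioned) violations.push('PIN accepted before credential provisioning');
        pinOk = true; break;
      case 'otp_verified':
        if (!pinOk) violations.push('OTP verified without a correct PIN');
        otpOk = true; break;
      case 'redirect_success':
        if (!otpOk) violations.push('success redirect without OTP verification');
        break;
    }
  }
  return violations;
}

// Constructed sample sessions (not product logs).
const okTwoStep = [
  { type: 'username_valid' },
  { type: 'secondary_auth_ok', method: 'security_question' },
  { type: 'secondary_auth_ok', method: 'security_code' },
  { type: 'credential_provisioned' }, { type: 'pin_ok' },
  { type: 'otp_verified' }, { type: 'redirect_success' },
];
const badTwoStep = okTwoStep.filter((e) => e.method !== 'security_code');
console.log(checkRoamingFlow(okTwoStep, { twoStep: true }));
console.log(checkRoamingFlow(badTwoStep, { twoStep: true }));
```

The second session omits the second secondary check, so with two-step authentication enabled the credential provisioning event is reported as a deviation.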
Copyright © 2013 CA.
All rights reserved.