

Configure Advanced Authentication Flows

The advanced authentication flow types that you can enable and configure depend on the credential types that you have already enabled (see Configure Credential Types). You configure the advanced authentication flows that the tenant administrator has requested.

Follow these steps:

  1. Log in to the User Console.
  2. Select Advanced Authentication, Configure Advanced Authentication Flow.

    The Select Flow Types screen opens.

  3. Use the arrow icons to move advanced authentication flow types to the Enabled list.
  4. Click Next.

    The Enabled Flow Types screen opens.

  5. Perform the following steps for each advanced authentication flow type that you have enabled:
    1. Click the pencil icon next to the advanced authentication flow type.

      The Flow Configuration screen displays a list of the different scenarios in which the end user is prompted for secondary authentication.

    2. Select the secondary authentication methods that must be enabled for each scenario.

      Note: An end user forgetting the password is an example of a use case in which the end user is prompted for secondary authentication. For information about all such use cases, see the Getting Started Guide for Advanced Authentication.

      Depending on the advanced authentication flow type that you are configuring, you can select any one or a combination of the following secondary authentication methods:

      • Security Question
      • Security Code over Email
      • Security Code over SMS
      • Security Code over Voice

      Note: Consider the following when selecting these mechanisms:

      • If you are configuring the ArcotID OTP with Risk flow or the ArcotID PKI with Risk flow, select at least two secondary authentication methods.
      • If you selected the Use mobile client option when configuring the ArcotID PKI credential type (as described in Configure Credential Types), then you must select at least one secondary authentication mechanism for each of the Expiry from Mobile PKI Client and Roaming from Mobile PKI Client scenarios. If no authentication mechanism is selected for either scenario, the end user cannot log in at run time.
    3. Select the Two Steps option to enforce two-step secondary authentication for a particular scenario.

      Secondary authentication is invoked for sensitive operations, such as resetting a password or authenticating a roaming user, so it is recommended that you chain two authentication mechanisms for these scenarios. With a chained configuration the end user must pass both steps in turn, so compromise of a single channel (for example, an e-mail account or a phone number) is not sufficient to pass secondary authentication.

      Note: Consider the following when selecting this option:

      • The Two Steps option is enabled only if you select two or more authentication mechanisms for the scenario.
      • You can chain Security Question and any of the Security Code types, but you cannot chain two types of Security Code together.
      • Two-step authentication is not applicable for scenarios that use the ArcotID PKI mobile client, and therefore, this option is disabled. If multiple authentication mechanisms are selected for the mobile scenarios, all the mechanisms are invoked one by one. The end user is not presented a choice.
    4. Click Submit.

      The current date and time are displayed in the Last Configured Date column.

  6. Click Finish after you configure the required advanced authentication flows.

    The configured advanced authentication flows are now available for use in authentication schemes that can be configured for the tenant’s resources.
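The selection rules above (minimum mechanism counts for the Risk flows, the Two Steps chaining constraints, and the special handling of the mobile PKI client scenarios) are easy to get wrong when entering several flows by hand. The following is an added example, not code from the CA Advanced Authentication product or its console: it encodes those rules so that a planned configuration can be checked before it is entered in the console, and models what the end user is prompted with at run time. Flow-type, scenario and method names are taken from the page; the dataclass layout, the "Forgot Password" scenario name, the sample configurations, the assumption that a two-step chain prompts for the Security Question before the Security Code, and the treatment of a selection containing more than one Security Code type as an invalid chain are assumptions made for this example.

```python
"""Pre-check for an Advanced Authentication flow configuration.

Added example, not code from the CA Advanced Authentication product.
Encodes the selection rules stated on the configuration page; the data
layout and sample configurations are constructed for this example.
"""
from dataclasses import dataclass, field

SECURITY_QUESTION = "Security Question"
CODE_EMAIL = "Security Code over Email"
CODE_SMS = "Security Code over SMS"
CODE_VOICE = "Security Code over Voice"
SECURITY_CODE_METHODS = {CODE_EMAIL, CODE_SMS, CODE_VOICE}
ALL_METHODS = SECURITY_CODE_METHODS | {SECURITY_QUESTION}

# Flow types for which the page requires at least two secondary methods.
RISK_FLOWS = {"ArcotID OTP with Risk", "ArcotID PKI with Risk"}
# Scenarios served by the ArcotID PKI mobile client (Two Steps not applicable).
MOBILE_PKI_SCENARIOS = {"Expiry from Mobile PKI Client", "Roaming from Mobile PKI Client"}


@dataclass
class Scenario:
    name: str
    methods: set          # selected secondary authentication methods
    two_steps: bool = False


@dataclass
class FlowConfig:
    flow_type: str
    use_mobile_client: bool = False   # "Use mobile client" on the ArcotID PKI credential type
    scenarios: list = field(default_factory=list)


def validate_flow(cfg: FlowConfig) -> list:
    """Return the rule violations in cfg; an empty list means the configuration is acceptable."""
    errors = []
    for sc in cfg.scenarios:
        unknown = sc.methods - ALL_METHODS
        if unknown:
            errors.append(f"{sc.name}: unknown method(s) {sorted(unknown)}")
        mobile = sc.name in MOBILE_PKI_SCENARIOS
        if cfg.flow_type in RISK_FLOWS and len(sc.methods) < 2:
            errors.append(f"{sc.name}: {cfg.flow_type} needs at least two secondary methods")
        if cfg.use_mobile_client and mobile and not sc.methods:
            errors.append(f"{sc.name}: no method selected; mobile client users could not log in")
        if sc.two_steps:
            if mobile:
                errors.append(f"{sc.name}: Two Steps is not applicable to mobile PKI client scenarios")
            if len(sc.methods) < 2:
                errors.append(f"{sc.name}: Two Steps needs at least two selected methods")
            if len(sc.methods & SECURITY_CODE_METHODS) > 1:
                errors.append(f"{sc.name}: two Security Code types cannot be chained")
    return errors


def prompt_sequence(cfg: FlowConfig, scenario_name: str) -> list:
    """Model the run-time prompts for one scenario of a valid configuration.

    Returns a list of steps; each step is the set of methods the user may
    choose from. Mobile PKI scenarios invoke every selected method in turn
    with no choice; a Two Steps scenario chains the Security Question with
    the selected Security Code type (question-first order is an assumption);
    any other scenario offers the whole selection as one choice.
    """
    sc = next(s for s in cfg.scenarios if s.name == scenario_name)
    if sc.name in MOBILE_PKI_SCENARIOS:
        return [{m} for m in sorted(sc.methods)]
    if sc.two_steps:
        return [{SECURITY_QUESTION}, sc.methods & SECURITY_CODE_METHODS]
    return [set(sc.methods)]


# Constructed sample configurations for an ArcotID PKI with Risk flow.
GOOD_CONFIG = FlowConfig("ArcotID PKI with Risk", use_mobile_client=True, scenarios=[
    Scenario("Forgot Password", {SECURITY_QUESTION, CODE_EMAIL}, two_steps=True),
    Scenario("Expiry from Mobile PKI Client", {SECURITY_QUESTION, CODE_SMS}),
    Scenario("Roaming from Mobile PKI Client", {SECURITY_QUESTION, CODE_SMS}),
])
BAD_CONFIG = FlowConfig("ArcotID PKI with Risk", use_mobile_client=True, scenarios=[
    Scenario("Forgot Password", {CODE_EMAIL, CODE_SMS}, two_steps=True),   # two code types chained
    Scenario("Expiry from Mobile PKI Client", set()),                      # nobody could log in
    Scenario("Roaming from Mobile PKI Client", {SECURITY_QUESTION, CODE_VOICE}, two_steps=True),
])

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_flow(cfg) or "OK")
    print(prompt_sequence(GOOD_CONFIG, "Forgot Password"))
    print(prompt_sequence(GOOD_CONFIG, "Roaming from Mobile PKI Client"))
```

Run the script as-is to see the good configuration pass and the bad one produce four violations (one for the chained Security Code types, two for the empty mobile scenario, one for Two Steps on a mobile scenario); `prompt_sequence` shows why the mobile scenarios differ: every selected method is presented in sequence rather than as a choice.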