

ArcotID OTP with Risk Flow

The ArcotID OTP with Risk flow defines the steps that must be performed to authenticate end users by using both the ArcotID OTP credential and the Risk Evaluation credential. At runtime, this flow takes effect only if both these credentials are enabled.

This section describes the end-user authentication flow based on the following assumptions:

End users are authenticated as follows:

  1. When trying to access a protected resource in a browser, the end user is prompted for their user name and OTP.
  2. The end user opens the ArcotID OTP application installed on their device, authenticates to the application using their PIN, and generates an OTP.
  3. The end user makes a note of the OTP, returns to the login page in the browser, and provides the user name and OTP.
  4. The Advanced Authentication service verifies the details provided and authenticates the user.
  5. If authentication is successful, the Advanced Authentication service performs a risk check as follows:
    1. JavaScript running in the browser does the following:
      • Checks whether a DeviceID has been recorded on the device.
      • Extracts DeviceDNA from the device to identify the device.
      • Sends this information back to the Advanced Authentication service without requiring any user inputs.
    2. The Advanced Authentication service validates the DeviceID and DeviceDNA using the configured risk rules. It then generates a risk advice.
    3. Depending on the risk advice, one of the following happens:
      • If the Advanced Authentication service returns an ALLOW advice, then the end user is granted access to the resource.
      • If the Advanced Authentication service returns an INCREASEAUTH advice, the end user is prompted for secondary authentication. If secondary authentication (described in ArcotID OTP Roaming Flow) is successful, the end user is granted access to the resource.
      • If the Advanced Authentication service returns a DENY advice, then an error message is displayed indicating that the authentication failed.

    A DeviceID is recorded on the end user's device. During subsequent logins, the risk history is used to decide whether to grant access to the end user after authentication.

Note: In case of a roaming user, who is using a different device, the authentication steps are as described in ArcotID OTP Roaming with Risk Flow.