Previous Topic: ArcotID OTP Only FlowNext Topic: ArcotID OTP with Risk Flow

CA CloudMinder Advanced AuthenticationHow Advanced Authentication WorksEnd User Authentication FlowsArcotID OTP FlowsArcotID OTP Roaming Flow

ArcotID OTP Roaming Flow

This section describes the authentication flow for an end user who is either not enrolled for advanced authentication, or does not have access to the ArcotID OTP application or the mobile device to which the ArcotID OTP credential was provisioned.

End users are authenticated as follows:

  1. When trying to access a protected resource in a browser, the end user is prompted for their user name and OTP.
  2. The end user clicks the Help icon next to the One Time Password field.

    The resulting help page provides three links to enroll for advanced authentication, reset PIN, and perform roaming authentication.

  3. The end user clicks the My phone is unavailable link to perform roaming authentication.
  4. On the resulting page, the end user is prompted for their user name.
  5. If the user name is valid, the end user is prompted for secondary authentication using the security question or security code mechanism.
  6. If the authentication is successful, then depending on whether two-step authentication is enabled or not, either of the following steps take place:
  7. If the PIN is correct, a JavaScript client on the end user's device implicitly generates an OTP and sends it to the Advanced Authentication service.
  8. The Advanced Authentication service verifies the OTP and authenticates the end user.
  9. If authentication is successful, the end user is granted access to the resource.