

ArcotID PKI Roaming Flow

This section describes the authentication flow for an end user who is enrolled for advanced authentication but is using a different device to which the ArcotID PKI credential has not been provisioned.

End users are authenticated as follows:

  1. When trying to access a protected resource in a browser, the end user is prompted for their user name and LDAP password.
  2. The Advanced Authentication service verifies that the end user is an existing user, and checks for the presence of an ArcotID PKI credential on the device being used.
  3. Since ArcotID PKI is not present on the device, the end user is prompted for secondary authentication using the security question or security code mechanism.
  4. If the authentication is successful, one of the following steps takes place, depending on whether two-step authentication is enabled:

    Note: Two-step authentication is not enabled for authentication using the ArcotID PKI mobile client. When a mobile client is used, all configured authentication methods are used one after the other.

  5. The browser then displays the login page with the user name, prompting the end user for the password again.

    Note: Apple devices may not prompt for a password.

  6. The Advanced Authentication service then authenticates the user.
  7. If authentication is successful, the end user is granted access to the resource.