ArcotID PKI-Based Flows
The Advanced Authentication service uses ArcotID PKI as one of the credentials that protect end users from identity theft and fraud. ArcotID PKI acts as the second factor ("something you have") in multifactor authentication and works behind the scenes to protect and verify user identities: end users still log in with their user name and password, and the ArcotID PKI credential is used transparently in the background.
This section describes the following ArcotID-based flows:
ArcotID PKI Only Flow
Defines the flow to authenticate end users with their ArcotID PKI credential only. Use the ArcotID PKI Only flow if you want to use only the ArcotID PKI credential to secure access to a resource.
This flow is the same as that described in the How Advanced Authentication Flows Work section.
ArcotID Mobile PKI Client Flow
Defines the flow of authentication with the ArcotID Mobile PKI client from the tenant administrator and the end user perspectives.
A tenant administrator configures ArcotID Mobile PKI as follows:
- The administrator logs in to the User Console, selects Advanced Authentication Types, Configure Credential Types, Configure Enabled Credentials, and Modify ArcotID Profile.
- The administrator selects the Use mobile client box and saves the changes.
- The administrator navigates to Configure Advanced Authentication Flow, Enabled Flow Types, Configure Flows, and selects ArcotID PKI only. The administrator can also enable a secondary authentication mechanism for the Mobile PKI client.
- The administrator creates and enrolls the user.
- The administrator instructs the user to download the application and authenticate.
An end user authenticates with ArcotID Mobile PKI as follows:
- The user opens the application store on their mobile device and searches for ArcotID PKI.
- The user installs the mobile application.
- From the mobile browser, the user accesses the protected resource and follows the on-screen authentication process.
ArcotID PKI Roaming Flow
For end users who do not have the ArcotID PKI credential present on the device from which they are trying to access a protected resource, the Advanced Authentication service offers roaming capabilities. With this feature, end users first download the ArcotID PKI after successfully completing secondary authentication and then use the ArcotID PKI to authenticate themselves and access the protected resource.
A roaming user can be authenticated using knowledge-based question and answer pairs, or with a security code delivered through SMS, email, or voice message. Each security code is generated by the Advanced Authentication Server and does not depend on any credential-specific information.
This section describes the steps for the ArcotID PKI Roaming Download flow using security questions, security code, or both for secondary authentication.
Note: For detailed information about the back-end operations that take place when an end user tries to access a protected resource, see How Advanced Authentication Flows Work.
Assumptions:
This flow is based on the following assumptions:
- You have enabled the ArcotID PKI credential in the tenant console and configured the ArcotID PKI Only flow.
- You have configured the Credential Handling Service to protect the resource realm with the CA SiteMinder authentication scheme corresponding to the ArcotID PKI Only flow.
- You have enabled roaming for ArcotID PKI and configured the flow to use security questions, security code, or a combination of the two as the secondary authentication mechanism.
- In the case of security code, you have enabled the preferred credential delivery channels in the User Console.
- The end user's record in the database contains a valid email address or phone number to which the security code can be delivered.
- The browser used for transactions supports the Java Applet or the Native Client.
- JavaScript is enabled in the browser.
- The end user is enrolled with Advanced Authentication but the ArcotID PKI credential is not present on the end user’s device.
The Flow:
- In a browser window, the end user attempts to access a protected resource.
- On the login page, the end user enters their user name and password, and then clicks Submit.
- CA SiteMinder verifies the end user's login credentials.
- The ArcotID PKI Client checks for an ArcotID PKI for the provided user name but does not find it on the end user’s device.
- The Advanced Authentication application invokes the Advanced Authentication Server to retrieve the end user’s ArcotID PKI.
- If the user name exists in the database but the corresponding ArcotID PKI is not available on the device being used, the end user is challenged for secondary authentication. Depending on the configured mechanism, one of the following sequences of steps takes place:
- If security questions have been set as the secondary authentication mechanism, then:
- The Advanced Authentication application invokes IdentityMinder to retrieve the security questions.
The page with challenge questions is presented to the end user. On the same page, the end user can specify whether the ArcotID PKI must be stored for future sessions.
- The end user submits answers to the security questions.
- The Advanced Authentication application invokes IdentityMinder to verify the answers.
- If a security code has been set as the secondary authentication mechanism, then:
- The Advanced Authentication application invokes the Advanced Authentication Server to generate a security code and fetch the end user’s email address and/or phone number.
- If more than one delivery channel has been configured, then the end user selects a preferred channel.
- The Advanced Authentication application invokes the delivery channel.
- The Advanced Authentication application presents a page challenging the end user for the security code.
On the same page, the end user can specify whether the ArcotID PKI must be stored for future sessions.
- The end user submits the security code.
- The Advanced Authentication application invokes the Advanced Authentication Server to verify the security code.
- If the verification is successful, one of the following sequences takes place, depending on whether two-step authentication is enabled:
- If two-step authentication is not enabled:
- The ArcotID PKI credential is downloaded to the end user’s device.
- The ArcotID PKI Client loads the ArcotID PKI.
- If two-step authentication is enabled:
- The end user is presented with the second form of authentication and is verified in the same way as the first secondary authentication challenge described above.
Note: If security question was used the first time, then security code is used in this step. Conversely, if security code was used the first time, then security question is used in this step.
- If the verification is successful:
- The ArcotID PKI credential is downloaded to the end user’s device.
- The ArcotID PKI Client loads the ArcotID PKI.
Note: Two-step authentication is not enabled for authentication using the ArcotID PKI mobile client. When a mobile client is used, all configured authentication methods are used one after the other.
- Upon downloading the credential, the browser displays the login page with the user name and challenges the end user for the password.
- The end user enters the password and completes the rest of the authentication process.
- If the authentication is successful, then the browser is redirected to SiteMinder with a success message.
Forgot Password Flow
End users who forget their LDAP password can reset it by answering the security questions they set during enrollment. After the password is changed, a new ArcotID PKI is placed on the end user's device.
Prerequisites:
This flow is based on the following configurations:
- The hosting administrator has enabled ArcotID PKI credential in the User Console and has configured the ArcotID PKI Only flow.
- The hosting administrator has configured the Credential Handling Service to protect the resource realm with the CA SiteMinder authentication scheme corresponding to the ArcotID PKI Only flow.
- The device used for transactions has ArcotID PKI native or mobile client installed or is capable of supporting Java Applet or JavaScript Client.
- An ArcotID PKI has been issued to the end user. The ArcotID PKI may or may not be present on the end user’s device.
The Flow:
- In a browser window, the end user attempts to access a protected resource.
- On the login page, the end user specifies their user name and clicks the Forgot Password link.
- The end user is prompted for secondary authentication, and the following steps take place:
- The Advanced Authentication application invokes IdentityMinder to retrieve the security questions.
The page with challenge questions is presented to the end user. On the same page, the end user can specify whether the ArcotID PKI must be stored for future sessions.
- The end user answers the security questions.
- The Advanced Authentication application invokes IdentityMinder again to verify the answers.
- The browser displays the login page with the user name and challenges the end user for the new password.
The end user provides a new password.
Note: This flow also applies when a credential expires. The only difference is that the end user does not click the Forgot Password link.
Copyright © 2015 CA Technologies.
All rights reserved.