Advanced Authentication Service › Advanced Authentication Flows › Advanced Authentication Flows › ArcotID OTP-Based Flows

ArcotID OTP-Based Flows

The ArcotID OTP application is a secure software OTP generator which must be installed on the end user's device. To support a wide variety of application environments, the ArcotID OTP application is available in the form of a desktop client and a mobile application.

For users who do not want to manage the ArcotID OTP application on their device to generate OTPs, the Advanced Authentication service provides a JavaScript Client that invisibly runs in the end user’s web browser and generates an OTP each time it is invoked.

This section describes the following ArcotID OTP-based flows:

• ArcotID OTP Only Flow
• ArcotID OTP Roaming Download Flow
• ArcotID OTP New Device Activation Flow
• Forgot My PIN Flow

ArcotID OTP Only Flow

This section lists the steps for ArcotID OTP authentication.

Note: For detailed information about the back-end operations that take place when an end user tries to access a protected resource, see How Advanced Authentication Flows Work.

Prerequisites:

This flow is based on the following configurations:

• You have enabled the ArcotID OTP credential in the tenant console and configured the ArcotID OTP Only flow.
• You have configured the Credential Handling Service to protect the resource realm with the CA SiteMinder authentication scheme corresponding to the ArcotID OTP Only flow.
• The end user’s smart phone or system has the ArcotID OTP application installed and the ArcotID OTP credential is provisioned to the phone or system.

The Flow:

1. In a browser window, the end user attempts to access a protected resource.
2. On the login page, the end user is prompted for their user name and OTP.
3. The end user accesses the ArcotID OTP application installed on their smart phone or system, authenticates to it with their PIN, and then generates an OTP.
4. The end user then returns to the login page in the browser, enters the user name and OTP, and clicks Submit.
5. The Advanced Authentication server verifies the OTP.
6. If OTP verification is successful, then the end user is granted access the resource.

ArcotID OTP Roaming Flow

This section lists the steps for ArcotID OTP roaming authentication.

Note: For detailed information about the back-end operations that take place when an end user tries to access a protected resource, see How Advanced Authentication Flows Work.

Prerequisites:

This flow is based on the following configurations:

• You have enabled the ArcotID OTP credential in the tenant console and configured the ArcotID OTP Only flow.
• You have configured the Credential Handling Service to protect the resource realm with the CA SiteMinder authentication scheme corresponding to the ArcotID OTP Only flow.
• The end user’s device does not have the ArcotID OTP application installed and the ArcotID OTP credential is not provisioned to the device.
• The end user's browser supports JavaScript Client.

The Flow:

1. In a browser window, the end user attempts to access a protected resource.
2. On the login page, the end user is prompted for their user name and OTP.
3. The end user clicks the Help icon next to the One Time Password field.

   The resulting help page provides three links to enroll for advanced authentication, reset PIN, and perform roaming authentication.

4. The end user clicks the My phone is unavailable link to perform roaming authentication.
5. On the resulting page, the end user is prompted for their user name.
6. If the user name is valid, the end user is prompted for secondary authentication using security question or security code.
7. If the authentication is successful, then depending on whether two-step authentication is enabled, either of the following steps take place:
   • If two-step authentication is not enabled, an ArcotID OTP credential associated with that end user is provisioned to the web browser store, and the end user is prompted for their PIN.
   • If two-step authentication is enabled:
     1. The end user is authenticated again using another form of secondary authentication.

     Note: If security question was used the first time, then security code is used in this step. Conversely, if security code was used the first time, then security question is used in this step.

     1. If the verification is successful, an ArcotID OTP credential associated with that end user is provisioned to the web browser store, and the end user is prompted for their PIN.
8. If the PIN is correct, a JavaScript client on the end user's device implicitly generates an OTP and sends it to the Advanced Authentication application.
9. The Advanced Authentication application invokes the Advanced Authentication Server to verify the OTP.
10. If the OTP verification is successful, then the browser is redirected to SiteMinder with a success message.

Forgot My PIN Flow

This section describes how end users who forget their PIN can reset it.

The flow described here is based on the following assumptions:

• An ArcotID PKI credential has been issued to the end user.
• The end user had set the PIN at the time of enrollment, but has forgotten it.

End users can reset their PIN as follows:

1. When trying to access a protected resource in a browser, the end user is prompted for their user name and OTP.
2. The end user, who has forgotten their PIN, specifies their user name and clicks the Help icon next to the One Time Password field.

   The resulting help page provides three links to enroll for advanced authentication, reset PIN, and perform roaming authentication.

3. The end user clicks the Forgot my PIN link.
4. On the resulting page, the end user is prompted for secondary authentication using the security question or security code mechanism.
5. The end user successfully completes the secondary authentication.
6. Depending on whether two-step authentication is enabled or not, either of the following steps take place:
   • If two-step authentication is not enabled, the end user is sent an activation email with a one-time password.
   • If two-step authentication is enabled:
     1. The end user is authenticated again using another form of secondary authentication.

     Note: If security question was used the first time, then security code is used in this step. Conversely, if security code was used the first time, then security question is used in this step.

     1. If the verification is successful, the end user is sent an activation email a one-time password.
7. The end user is prompted for this one-time password, after which they can set a new PIN and confirm the same.
8. On resetting their PIN, a new ArcotID OTP credential is placed on the end user’s device.

   The end user will get mail with details to download the ArcotID OTP card in the ArcotID OTP client.

9. The end user must activate thier device again.
10. The end user is then taken back to the login page to proceed with authentication.

ArcotID OTP New Device Activation Flow

This section describes the flow to activate an end user's device for ArcotID OTP generation. The flow described here is based on the assumption that the device is a trusted device and the end user plans to use it for OTP generation.

An end user can activate a new device for ArcotID OTP generation in either of the following ways:

• Selecting CA ArcotID OTP Enrollment from the User Console.

  Note: This option is available to users that an administrator has given privileges of the role Advanced Authentication Self Manager.

• Directly on the Modify Security Settings page of the User Console.
• By raising a request with the tenant administrator. The tenant administrator then adds the device from the User Console.

An end user activates a new device for OTP generation as follows:

1. An end user logs in to the User Console and:
   • Selects CA ArcotID OTP Enrollment if avaialable, or
   • Accesses the Modify Security Settings page.
2. The user selects the Generate Activation Code check box.

   An email is sent to the end user with the activation code and instructions to configure their new device for OTP generation.

3. The end user follows the instructions and configures their new device.

A tenant administrator activates a new device for OTP generation as follows:

1. The tenant administrator:
   • Assigns users the priveleges of the Advanced Authentication Self Manager role and instructs users to select CA ArcotID OTP Enrollment in the User Console.
   • The administrator completes the following steps:
   1. Log in to the User Console and navigate to the Arcot OTP Mobile Activation page in the Advanced Authentication section.
   2. Search for the user who requested for activation of their new device, and clicks Select.
   3. On the resulting screen, the tenant administrator selects the Generate Activation Code check box.

      An email is sent to the end user with the activation code and instructions to configure their new device for OTP generation.

2. The end user follows the instructions and configures their new device.