Authenticators
Depending on your scenario, you can configure authenticators in the following locations:
- Configuration→Authenticators
- Applications tab in the policy card
- Authenticators tab in the user profile
General settings
The Configuration→Authenticators section contains general settings for all authenticators installed on the Access Manager server. These settings apply to all users. Settings vary depending on the selected authenticator.
Enable/Disable using and editing authenticators
To allow using and editing authenticators:
- Select an authenticator.
- Navigate to the Main settings section:
- In the Disable using setting, specify whether users can use or register the selected authenticator.
- Configure other settings depending on the authenticator type.
- For authenticators that require registration, navigate to Actions available to users:
- In Registration of new authenticators, specify whether users can register new authenticators.
- In Editing existing authenticators, specify whether users can modify already registered authenticators.
- In Deleting of existing authenticators, specify whether users can delete already registered authenticators.
- In Enable editing authenticator comment, specify whether users can edit comments for already registered authenticators.
Change the maximum number
In the Configuration→Authenticators section, you can define the maximum number of authenticators that a user can register. This setting is available for the following authenticators:
To set the maximum number of authenticators, perform the following actions:
- Select an authenticator.
- In the Maximum number field, enter the required value.
- Click Save.
Configure automatic block
For most authenticators, you can configure automatic blocking in case of unsuccessful login attempts.
You cannot configure authenticator blocking in Management Console for two-factor authentication within RADIUS Extension applications.
To configure automatic blocking in Management Console, perform the following actions:
- Select an authenticator.
- For Block authentication method after several unsuccessful attempts, set the value to Yes.
- Set values for the following parameters:
- Number of authentication attempts before blocking. This parameter determines the number of unsuccessful authentication attempts before the login method is blocked. The login method remains unavailable until the administrator unblocks it or until the blocking timeout expires. The default value is 5. The specified value must be greater than or equal to 1.
- Reset blocking counter after ... minutes. This parameter determines how many minutes after an unsuccessful login attempt the counter of unsuccessful attempts is reset to 0. The default value is 5. The specified value must be greater than or equal to 1. The time interval before the blocking counter is reset must not exceed the login method blocking timeout, unless the latter is 0.
- Login method blocking timeout (in minutes). This parameter determines the period during which the specified login method is blocked. After the timeout expires, the login method is automatically unblocked. The default value is 5. If set to 0, the login method remains unavailable to a user until the administrator unblocks it in Management Console.
- Click Save.
Configure mandatory verification
You can configure mandatory verification to register Software TOTP, Secured TOTP, and Software HOTP authenticators.
If you enable authenticator mandatory verification, an additional confirmation window appears during the registration of authenticators.
Prerequisites
This setting is available in Management Console for version 8.2.6 or higher. If an older version is installed, an update is required. You can view the version information in the Help and Support section of the Management Console sidebar.
To add the mandatory verification setting to Management Console, use the EA.Settings.Migration.Tool utility.
To enable mandatory verification:
- In the Configuration→Authenticators section, select Software TOTP, Secured TOTP, or Software HOTP.
- In the Main settings section, enable mandatory verification.
To confirm registration, enter the received authentication data and click Confirm.
When registering Storage SMS, mandatory verification is performed by default.
Policy settings
You can also configure authenticator settings that apply to all users within the policy. These settings are available in the policy card in Management Console.
To configure authenticator settings for users within the policy, perform the following actions:
- In the Management Console sidebar, select Policies.
- Select a policy.
- Go to the Applications tab. This tab contains the information about applications and integration modules added to the policy. For more information about policy settings, see Policies.
- Select an application.
- In the Available authentication methods section, enable or disable using authenticators.
- For Identity Provider, Windows Logon, ESSO Agent, and ADFS Extension, select the Axidian Key Provider operating mode.
- For Identity Provider, ADFS Extension, and IIS Extension, select the Telegram Provider operating mode.
Settings for an individual user
You can configure authenticator settings for an individual user in user profiles of Management Console.
To open a user profile:
- In the Management Console sidebar, select Users.
- Locate the user. For more information about search settings, see Users.
- In the user profile, go to the Authenticators tab. This tab contains the information about the number of registered user authenticators and their parameters.
Register
Before registering authenticators, create a policy and apply it to end users.
Email OTP and SMS OTP providers do not require registration and can be used if a user has specified an email or a phone number. If these parameters are not specified, the authenticators are not displayed in the list of available authenticators for a user.
To register an authenticator:
- Click Register and from the drop-down list, select an authentication method.
- Configure additional settings to complete registering an authenticator. The window view and available actions vary depending on the selected authenticator.
If a user has registered the maximum number of authenticators for a specific method, then this authentication method is not displayed.
After successful registration, the authenticator status is Active.
If a provider with registered authenticators was deleted, then the authenticator status is Not Installed.
The authenticator appears in the list of registered authenticators for a user.
Disable
You can restrict using an authenticator.
You cannot disable the Windows Password authentication method. We recommend that you deactivate a user account in Active Directory if you need to block the domain password.
To disable using an authenticator:
- Select an authenticator.
- Click Disable.
After disabling the authenticator, a user cannot use this login method. The authenticator status is Disabled.
In the user profile, you can disable using an authenticator for a single user. You can disable using an authenticator for all users in the Configuration→Authenticators section.
Enable
To enable using an authenticator:
- Select an authenticator.
- Click Enable.
After you enable the authenticator, a user can start using this login method. The authenticator status is Active.
In the user profile, you can enable using an authenticator only if this authenticator is disabled for an individual user. You can enable using an authenticator for all users only in the Configuration→Authenticators section.
Unblock
If automatic unblocking after unsuccessful login attempts is disabled for an authenticator, you need to unblock it manually in the user profile. To perform this action:
- Select the blocked authenticator.
- Click Unblock.
The login method becomes available to a user.
Delete
To delete an authenticator:
- Select an authenticator.
- Click Delete.
- Confirm deletion.
The authenticator disappears from the list of authenticators registered for a user.