Access Manager: Authentication Basics - Configuring and managing

system
This article is marked as obsolete.

This article details how to manage and configure authentication within Nervepoint Access Manager and is broken into two parts. The first covers the administrator view: how to manage and configure authentication across the application. The second, towards the bottom of this article, covers the end-user view: what the end user sees and what needs to be done when an authentication flow changes.

Types of Authentication

There are many different types of authentication available in Access Manager. Here's a look at them.

  • Primary
    • Reset Questions (Default)
    • PIN
    • Passphrase
    • OTP - One Time Password sent by email
    • SMS - One Time Password sent by SMS
  • Secondary
    • IP Restrictions
    • Profile Check
  • Anti-Bot
    • reCAPTCHA
    • Slider CAPTCHA

reCAPTCHA by Google protects the system from spam and bots while letting your real users through with ease. Users are required to correctly input the displayed numbers or text from the image in order to pass authentication.

 

Slider CAPTCHA is a very simple yet powerful system that protects the system from bots. The user is required to slide the bar from left to right in order to prove they are a human user and pass authentication.

 

Use of Authentication

Authentication is used in a number of places within the application, but these mainly centre around the password self service actions. A breakdown of the areas that require authentication is provided below:

  • Web-portal access
    • Create Account
    • Password Reset
    • Account Unlock
    • Administration Login
    • User Portal Login
  • Mobile app access
    • Account Unlock
    • Password Change
    • Password Reset
    • User Portal Login
  • Windows Desktop access
    • Account Unlock
    • Password Reset

 

Default Authentication

During installation you are required to define a number of questions for QA authentication, as this is the initial default authentication method used throughout the application.

 

Once you have finished installing the application this can then be altered.

 

Extending Default Authentication

Authentication is all managed from the Authentication page.

 

From here you can manage all areas that require authentication. The general process follows four steps:

  1. Choose the Front-end to configure
  2. Choose the Self Service action to configure
  3. Drag the authentication modules into the authentication flow diagram
  4. Save

Each step is detailed further below.

 

Choose the Front-end

Firstly select the Front-end from the drop-down at the top.

 

All three front-ends can be configured: the web-portal, the mobile app and the desktop component. Selecting one of these will allow you to configure its self service actions. Some front-ends do not have access to all self service actions.

 

Choose a Self Service Action

With a front-end selected, choose the self service action that you wish to configure. Selecting a self service action from the table will refresh the authentication flow image to show which modules are currently configured. In the image below you can see that for the Browser front-end and the Password Reset action, Username and Questions have been configured.

 

Select the Authentication Modules

With the front-end and the self service action chosen, it's now time to choose which authentication modules to add. Available authentication modules are shown to the right.

 

Simply drag and drop the modules from this list into the authentication flow diagram below.

 

Rules for adding authentication modules:

  • Every authentication flow must start with a module that accepts a username. This can be either the Username or the Username and Password module. The exception is IP Restrictions, which can be first in the flow.
  • Every authentication flow must end in a Validate and End module.
  • reCAPTCHA, Slider CAPTCHA and IP Restrictions require a Validate module immediately after them; these will be automatically added to the flow.

Once you have configured your authentication module simply hit save.
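
The three rules above can be checked mechanically before a flow is saved. The sketch below is an added example, not Nervepoint code: it represents a flow as a list of module names, and assumes that "Validate and End" means a Validate module followed by an End module and that a username module is still required after a leading IP Restrictions step.

```python
# Added example. Module names come from the article; the list-of-strings
# flow format and both function names are assumptions for illustration.
USERNAME = {"Username", "Username and Password"}
NEEDS_VALIDATE = {"reCAPTCHA", "Slider CAPTCHA", "IP Restrictions"}


def normalize_flow(flow):
    """Insert the Validate step the article says is added automatically
    after reCAPTCHA, Slider CAPTCHA and IP Restrictions."""
    out = []
    for i, module in enumerate(flow):
        out.append(module)
        nxt = flow[i + 1] if i + 1 < len(flow) else None
        if module in NEEDS_VALIDATE and nxt != "Validate":
            out.append("Validate")
    return out


def check_flow(flow):
    """Return a list of rule violations; an empty list means the flow passes."""
    if not flow:
        return ["flow is empty"]
    problems = []
    # Rule 1: the flow starts with a username module; IP Restrictions
    # (plus its Validate) may come before it. Assumed reading of the rule.
    head = list(flow)
    if head[0] == "IP Restrictions":
        head = head[1:]
        if head and head[0] == "Validate":
            head = head[1:]
    if not head or head[0] not in USERNAME:
        problems.append("flow must start with Username or Username and Password")
    # Rule 2: the flow ends with Validate then End (assumed to be two modules).
    if flow[-2:] != ["Validate", "End"]:
        problems.append("flow must end with Validate and End")
    # Rule 3: anti-bot and IP modules need Validate immediately after.
    for i, module in enumerate(flow):
        if module in NEEDS_VALIDATE and flow[i + 1:i + 2] != ["Validate"]:
            problems.append(f"{module} must be followed by Validate")
    return problems


# Constructed sample flows
draft = ["IP Restrictions", "Username", "reCAPTCHA", "PIN", "Validate", "End"]
fixed = normalize_flow(draft)
weak = ["PIN", "Validate", "End"]  # no username step at the start
```
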

 

End Users View

For every authentication module added, your end-users will be required to configure authentication information within their My Account profile page as shown below.

 

Nervepoint Access Manager avoids clutter by only showing authentication options that require configuring. For example, if only PIN has been added then only the PIN tab will be visible - one exception to this is the QA authentication tab which is always visible. The image below shows that Passphrase and PIN have been configured by the admin.

 

Selecting each tab provides the end user with the ability to set answers for each. More on this can be found in the corresponding authentication article from the knowledge base.

 

Sending End Users Authentication Reminders

Whenever you set or change authentication for any part of the system, it's worth remembering that your end users are not aware of this, and without some notice you might find your end users can no longer access the system or reset their passwords. Nervepoint Access Manager provides administrators with the ability to send reminders to all users who have not yet configured answers for the authentication modules configured. For example, if you change the default authentication flow for Password Reset from QA authentication to QA authentication + PIN, your end users need to provide PIN numbers for their Identities; if not, they will not be able to reset their passwords.

Reminders can be sent from either the Dashboard or the Identities page. The Identities page can show a detailed summary prior to sending the reminders if you select all users and view the Profiles tab.

Select Send Incomplete Profile Reminders and all your users will be notified to set answers for the missing authentication module, in this example PIN. This will only send emails to those users that have yet to set answers for any one of the authentication modules; again, in this example it would be either QA answers or a PIN number.