Authentication without authenticators

If the authenticator lookup does not return any authenticator record, authentication processing requires a static password check to succeed. However, self-assignment is still possible.

Static password verification

During static password verification, the password is compared against the password stored in the user account:

  • If the static password is valid, local authentication succeeds. However, the logon request can still fail if back-end authentication is enabled and fails (see Back-end authentication).
  • If the user account does not have a static password set, the password must be verified by back-end authentication. If the user account has no password set and back-end authentication is disabled as well, authentication without authenticators is not possible. The same applies during Dynamic User Registration (DUR), when there is no user account yet: the password must be verified by back-end authentication.
  • If the passwords do not match and back-end authentication is enabled, the password will be verified with back-end authentication.

If the local authentication method is set to Digipass Only, static password verification on its own is not permitted: an OTP must be used during logon. A user who has no authenticator yet can still log on in that mode by self-assigning one as part of the logon (see Self-assignment).
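The decision rules above are easier to follow as a routing function. The following is an added example, not code from the page or from the product; it models the rules as written (local match, no stored password, DUR, back-end enabled or disabled, Digipass Only) and treats back-end authentication as a callable that is consulted whenever it is enabled. The sample back-end directory, the account records and the policy value strings are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Outcome(Enum):
    LOCAL_SUCCESS = "static password accepted locally"
    BACKEND_SUCCESS = "static password accepted by back-end authentication"
    BACKEND_FAILED = "back-end authentication rejected the password"
    PASSWORD_MISMATCH = "static password mismatch and back-end authentication disabled"
    NO_PASSWORD_AVAILABLE = "no stored password and back-end authentication disabled"
    OTP_REQUIRED = "local authentication is Digipass Only; an OTP is required"


@dataclass
class UserAccount:
    # None means no static password is set on the account.
    # (A real store holds a salted password hash, not the password itself.)
    stored_password: Optional[str]


@dataclass
class Policy:
    local_auth: str        # assumed values: "Digipass/Password" or "Digipass Only"
    backend_enabled: bool  # back-end authentication (LDAP, RADIUS, ...) on or off


# (user_id, supplied_password) -> accepted by the back-end?
BackendCheck = Callable[[str, str], bool]


def verify_static_password(user_id: str, account: Optional[UserAccount], supplied: str,
                           policy: Policy, backend: BackendCheck) -> Outcome:
    """Route a logon for which the authenticator lookup returned no record.

    account is None during Dynamic User Registration (no user account yet).
    """
    if policy.local_auth == "Digipass Only":
        # A static password on its own is never enough in this mode.
        return Outcome.OTP_REQUIRED

    def backend_decides() -> Outcome:
        ok = backend(user_id, supplied)
        return Outcome.BACKEND_SUCCESS if ok else Outcome.BACKEND_FAILED

    # DUR, or an account without a stored password: only the back-end can verify it.
    if account is None or account.stored_password is None:
        return backend_decides() if policy.backend_enabled else Outcome.NO_PASSWORD_AVAILABLE

    # Constant-time comparison so a mismatch position does not leak through timing.
    matches = hmac.compare_digest(account.stored_password.encode(), supplied.encode())
    if matches:
        if policy.backend_enabled and not backend(user_id, supplied):
            # Local success does not override a back-end rejection.
            return Outcome.BACKEND_FAILED
        return Outcome.LOCAL_SUCCESS

    # Local mismatch: back-end authentication gets the last word if it is enabled.
    return backend_decides() if policy.backend_enabled else Outcome.PASSWORD_MISMATCH


# Constructed sample directory standing in for an LDAP/RADIUS back-end (demo only).
SAMPLE_BACKEND = {"alice": "ldap-Secret!", "bob": "ldap-Other!"}


def sample_backend(user_id: str, password: str) -> bool:
    return SAMPLE_BACKEND.get(user_id) == password


if __name__ == "__main__":
    alice = UserAccount(stored_password="local-Pass1")
    both = Policy("Digipass/Password", backend_enabled=True)
    print(verify_static_password("alice", alice, "local-Pass1", both, sample_backend))
    print(verify_static_password("alice", None, "ldap-Secret!", both, sample_backend))
```

Two of the outcomes deserve attention when hardening a deployment: NO_PASSWORD_AVAILABLE means a user without a stored password and without back-end authentication cannot log on at all, and BACKEND_FAILED shows that enabling back-end authentication can reject a password the local check accepted.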

Self-assignment

Users can assign an authenticator to their user account using the self-assignment mechanism, when permitted by the policy settings (Assignment Mode is set to Self-Assignment).

For self-assignment to succeed, the user needs to provide the following:

  • A static password validated by back-end authentication.
  • The serial number of an available authenticator record.
  • A valid OTP for the authenticator.
  • A new server PIN if required.

The self-assignment process is possible during Dynamic User Registration (DUR). It is also possible when the local authentication is set to Digipass Only.

Users who obtain an authenticator through self-assignment or auto-assignment can also have their server PIN reset as part of the assignment: if Assignment Mode is set to Self-Assignment-Pin-Reset or Auto-Assignment-Pin-Reset, the server PIN is reset automatically. This feature is optional and requires no further administrator action once the option has been enabled in the authenticator properties and/or the relevant policy settings.

Response-only and self-assignment

For an authenticator that supports Response-Only, the user types the serial number, the static password and the OTP (plus the server PIN where applicable) as one string, without separators between the parts, in the password field. The layout depends on whether a server PIN is needed:

  • serial_numberpasswordotp, if no server PIN is required.
  • serial_numberpasswordpinotp, if a server PIN is required.
  • serial_numberpasswordotpnew_pinnew_pin, if a server PIN is required and no initial PIN was set (the new PIN is typed twice for confirmation).

Challenge/response and self-assignment

For an authenticator that only supports Challenge/Response, self-assignment takes two steps. In the first step, the user enters the serial number and the static password, which results in a challenge being returned. If the correct response to that challenge is given in the second step, self-assignment succeeds.

  • Step 1: serial_numberpassword
  • Step 2: otp

Serial number format

serial_number can be entered using one of two formats, depending on the serial number separator policy setting:

  • No separator specified. The full 10-digit serial number must be entered, without dashes (-) or spaces. For example: 0097123456
  • Separator value specified. The serial number can be entered as written on the back of the authenticator device. For example: 9-712345-6
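To make the Response-Only and Challenge/Response layouts and the two serial number formats concrete, here is an added example parser for the password field. It is not code from the page or from the product, and it rests on assumptions the page does not state: OTPs are 6 digits, server PINs are 4 digits, the separator is a single character, and the printed serial number layout is the 1-6-1 digit grouping of the example above (9-712345-6, zero-padded to 0097123456). Whether a server PIN is required and whether an initial PIN exists is something the server knows from the authenticator record it looks up by serial number, so the parser takes those as inputs.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

SERIAL_LEN = 10
OTP_LEN = 6   # assumption: Response-Only OTPs are 6 digits
PIN_LEN = 4   # assumption: server PINs are 4 digits


@dataclass
class SelfAssignmentInput:
    serial_number: str             # canonical 10-digit form, e.g. 0097123456
    password: str                  # static password, to be validated by back-end authentication
    otp: Optional[str] = None      # None after Challenge/Response step 1
    pin: Optional[str] = None      # existing server PIN, when one is required
    new_pin: Optional[str] = None  # new server PIN, when required and no initial PIN was set


def split_serial(field: str, separator: Optional[str]) -> Tuple[str, str]:
    """Take the serial number off the front of the password field.

    Returns (canonical_10_digit_serial, remainder). Without a separator policy
    the serial is exactly 10 digits; with one, the printed form is accepted and
    left-padded with zeros (9-712345-6 -> 0097123456, as in the page's example).
    """
    if separator:
        sep = re.escape(separator)
        # Printed layout 1-6-1 digits is taken from the page's example; a real
        # deployment would use the layout of its own authenticator devices.
        m = re.match(rf"\d{sep}\d{{6}}{sep}\d", field)
        if m is None:
            raise ValueError("serial number not in the printed format")
        digits = m.group(0).replace(separator, "")
        return digits.zfill(SERIAL_LEN), field[m.end():]
    head, rest = field[:SERIAL_LEN], field[SERIAL_LEN:]
    if len(head) != SERIAL_LEN or not head.isdigit():
        raise ValueError("serial number must be exactly 10 digits without separators")
    return head, rest


def parse_response_only(field: str, separator: Optional[str],
                        pin_required: bool, initial_pin_set: bool) -> SelfAssignmentInput:
    """Parse serial_number + password + [pin] + otp [+ new_pin + new_pin].

    The static password has no fixed length, so the fixed-length numeric
    fields are peeled off the end and whatever is left in front is the password.
    """
    serial, rest = split_serial(field, separator)
    if not pin_required:
        tail = OTP_LEN
    elif initial_pin_set:
        tail = PIN_LEN + OTP_LEN
    else:
        tail = OTP_LEN + 2 * PIN_LEN
    if len(rest) <= tail:
        raise ValueError("password field too short for this layout")
    password, fixed = rest[:-tail], rest[-tail:]
    if not fixed.isdigit():
        raise ValueError("OTP and PIN fields must be numeric")
    pin = new_pin = None
    if not pin_required:
        otp = fixed
    elif initial_pin_set:
        pin, otp = fixed[:PIN_LEN], fixed[PIN_LEN:]
    else:
        otp = fixed[:OTP_LEN]
        new_pin, confirm = fixed[OTP_LEN:OTP_LEN + PIN_LEN], fixed[OTP_LEN + PIN_LEN:]
        if new_pin != confirm:
            raise ValueError("new server PIN and its confirmation do not match")
    return SelfAssignmentInput(serial, password, otp, pin, new_pin)


def parse_challenge_response_step1(field: str, separator: Optional[str]) -> SelfAssignmentInput:
    """Step 1 of Challenge/Response self-assignment: serial_number + password only."""
    serial, password = split_serial(field, separator)
    if not password:
        raise ValueError("static password missing")
    return SelfAssignmentInput(serial, password)


if __name__ == "__main__":
    # Constructed inputs: user types serial, password "Pa55word", PIN 1234, OTP 654321.
    print(parse_response_only("9-712345-6Pa55word1234654321", "-", True, True))
    print(parse_challenge_response_step1("0097123456Pa55word", None))
```

Because the fixed-length fields are read from the end, a static password that itself ends in digits still parses correctly; what the server cannot recover from the string alone is the PIN state of the authenticator, which is why the lookup by serial number has to happen before the rest of the field is split.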