Authenticator lookup
The first step of local authentication is to search for authenticator records applicable to the authentication request. Normally, this is a simple search for all authenticators assigned to the user account. However, there are exceptions.
No user account
If there is no user account, no search will be done. This can occur if Dynamic User Registration (DUR) is enabled.
Policy restrictions
The policy can specify restrictions on which authenticator types and/or authenticator application types may be used. Any combination of the following restrictions can be defined:
Application names
This refers to a list of named applications. Only authenticators that have one or more of the named applications can be used.
Application type
This can be either Response-Only, Challenge/Response, or multi-mode. If the application type is set to Response-Only or Challenge/Response, only authenticators with that application type can be used. If it is set to multi-mode, all application types will match.
For more information, see Authenticator application types.
Authenticator type
This is a list of models, such as Digipass GO 7 or Digipass 760. Only authenticators from the listed models can be used.
Because of these policy restrictions, a user account that has an authenticator assigned may be unable to use it to authenticate when a certain policy applies. Such a user is regarded as a user without an authenticator. In a different kind of logon (using a different client component), a different policy without restrictions may apply; in that case, the same user is regarded as a user with an authenticator.
A company has Digipass GO 7 (DPGO7) authenticators and primary Virtual Mobile Authenticator (DPVTL). The Outlook Web Access logon permits both, so its policy does not restrict the authenticator types. However, the RADIUS VPN logon requires the Digipass GO 7, so its policy sets DIGIPASS Type to DPGO7.
Linked user accounts
If a person has multiple user accounts (e.g. an administrative account and a regular user account), those accounts can be linked together. This provides the ability for the two accounts to share an authenticator. In this case, the authenticator is assigned to one of the accounts and the other user account is linked to it.
When a user account used for authentication is linked to another user account, the search for authenticators will be done for the other account.
Linked user accounts support Response-Only and Challenge/Response authentication, signature validation, push notification–based authentication, and push notification–based transaction data signing.
User account 2 is linked to user account 1. The authenticator is assigned to user account 1. When user account 1 logs on, the authenticator search is done for that account. When user account 2 logs on, the authenticator search is done for user account 1.
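The lookup described on this page (no account, policy restrictions, and linked accounts) as an added worked example in Python; this is illustration code, not the product's own implementation, and the data model, serials, application names and policy objects are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

RESPONSE_ONLY = "Response-Only"
CHALLENGE_RESPONSE = "Challenge/Response"

@dataclass
class Authenticator:
    serial: str
    model: str                    # authenticator type, e.g. "DPGO7"
    applications: dict            # application name -> application type

@dataclass
class User:
    name: str
    authenticators: list = field(default_factory=list)
    linked_to: Optional["User"] = None   # account that holds the shared authenticator

@dataclass
class Policy:
    application_names: Optional[set] = None    # None: no restriction
    application_type: Optional[str] = None     # None: multi-mode, all types match
    authenticator_types: Optional[set] = None  # None: no restriction

def lookup_authenticators(user, policy):
    """Return the authenticators usable for this logon; an empty list means the
    user is regarded as a user without an authenticator under this policy."""
    if user is None:                 # no user account (e.g. DUR): no search at all
        return []
    if user.linked_to is not None:   # linked account: search the other account instead
        user = user.linked_to
    usable = []
    for auth in user.authenticators:
        # Each restriction is applied independently (assumption): the authenticator
        # must be a listed model, have at least one named application, and have
        # at least one application of the required type.
        if policy.authenticator_types is not None and auth.model not in policy.authenticator_types:
            continue
        if policy.application_names is not None and not (set(auth.applications) & policy.application_names):
            continue
        if policy.application_type is not None and policy.application_type not in auth.applications.values():
            continue
        usable.append(auth)
    return usable

# Constructed sample data (serials and application names are made up for this example).
GO7 = Authenticator("GO7-0001", "DPGO7", {"APPL1": RESPONSE_ONLY})
VTL = Authenticator("VTL-0001", "DPVTL", {"APPL1": RESPONSE_ONLY, "APPL2": CHALLENGE_RESPONSE})
ALICE = User("alice", [VTL])
BOB = User("bob", [GO7])
BOB_ADMIN = User("bob-admin", linked_to=BOB)        # user account 2 linked to user account 1
OWA_POLICY = Policy()                               # Outlook Web Access: no restrictions
VPN_POLICY = Policy(authenticator_types={"DPGO7"})  # RADIUS VPN: DIGIPASS Type = DPGO7
CR_POLICY = Policy(application_type=CHALLENGE_RESPONSE)
```

Under VPN_POLICY alice is regarded as a user without an authenticator even though VTL is assigned to her, while under OWA_POLICY the same account matches.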