Factors to consider when implementing Virtual Mobile Authenticator

There are a couple of factors to consider when integrating Virtual Mobile Authenticator into an authentication service.

Authenticator assignment options

With Virtual Mobile Authenticator there are several different assignment combinations that can be used (see Table: Authenticator assignment options). The first option does not use Virtual Mobile Authenticator. The other options include either a primary Virtual Mobile Authenticator or backup Virtual Mobile Authenticator.

Table: Authenticator assignment options

Primary: Authenticator
Backup: None
Description: The user must authenticate using an authenticator.

Primary: Authenticator
Backup: backup Virtual Mobile Authenticator
Description: The user usually authenticates using an authenticator, but may use the backup Virtual Mobile Authenticator feature if required. The use of backup Virtual Mobile Authenticator can be limited.

Primary: Authenticator (temporarily disallowed)
Backup: backup Virtual Mobile Authenticator
Description: The user must authenticate using the backup Virtual Mobile Authenticator feature. This might be used while a user’s authenticator is lost, until the authenticator is recovered.

Primary: primary Virtual Mobile Authenticator
Backup: n/a
Description: The user is assigned a primary Virtual Mobile Authenticator and must use it for authentication.

Cost

Your company will probably need to pay a fee for each text message sent. In some countries, mobile phone owners might need to pay an amount for each text message received on their mobile phone. This must be considered when deciding how to implement Virtual Mobile Authenticator functionality.

Security

The level of security provided by hardware authenticators is higher than that of Virtual Mobile Authenticator. This needs to be weighed against other considerations before deciding whether your company will implement Virtual Mobile Authenticator, and if so, how it will be implemented.

Convenience

The use of Virtual Mobile Authenticator is more convenient than a hardware authenticator for many users, since Virtual Mobile Authenticator uses ordinary mobile phones (which most users already own). There are no extra devices required. Users who do not habitually carry their mobile phone with them, though, are likely to find a hardware authenticator easier and more convenient to transport.

For users with backup Virtual Mobile Authenticator enabled, it might be the difference between going to work to pick up a forgotten authenticator and getting important work done at home.

Gateway and account

Your company will need to use an SMS gateway and an account with the gateway. The Message Delivery Component (MDC) must be configured with the gateway details and with the user name and password for the account. Your OneSpan supplier can assist with that process.

backup Virtual Mobile Authenticator usage guidelines

When you develop backup Virtual Mobile Authenticator usage guidelines, you should consider the following questions:

  • Will any users have access to backup Virtual Mobile Authenticator?
  • If so, will all users have access to backup Virtual Mobile Authenticator?
  • Will usage of backup Virtual Mobile Authenticator be limited?
  • If so, how should it be limited?

    • Time-limited
    • Limited number of uses

Table: Sample guidelines for backup Virtual Mobile Authenticator

Guideline: backup Virtual Mobile Authenticator is disabled for all users by default, but enabled for individual users as required.
Pro: Low text message costs
Con: Potentially heavy administration load, because each user and use case must be enabled individually.

Guideline: backup Virtual Mobile Authenticator is enabled for all users, with either a time limit or a number-of-uses limit set.
Pro: Predictable text message costs
Con: Medium administration load, because administrators may need to reset limits frequently.

Guideline: backup Virtual Mobile Authenticator is enabled for all users without any limits set.
Pro: Lighter administration load
Con: Possibly high text message costs

Virtual Mobile Authenticator logon options

A decision must be made about how users will authenticate using Virtual Mobile Authenticator. In particular, users with a hardware authenticator and backup Virtual Mobile Authenticator enabled must be able to request an OTP to be sent to their mobile phones when required, but to log on using the hardware authenticator at other times.

The simplest method for the user is to allow a two-step logon process, where the user enters the user ID and password only, which triggers an OTP request, and is then redirected to a second logon page to enter the OTP received on the mobile device. To use this method, though, your system must be set up to allow two-step logon. If uncertain, consult your system administrator.

Alternatives to the two-step logon are a sequence of two one-step logons or the use of a specific website to request an OTP, separate from the logon page.

For more information, refer to the OneSpan Authentication Server Administrator Reference, Section "Login permutations".

Virtual Mobile Authenticator usage limitation

The use of Virtual Mobile Authenticator can be limited by:

  • Using backup Virtual Mobile Authenticator only.
  • Minimizing the number of users with primary Virtual Mobile Authenticator assigned.

When a user reaches the Virtual Mobile Authenticator usage limit, an administrator must reset that user's limit. A user’s primary Virtual Mobile Authenticator usage cannot be limited.

The backup Virtual Mobile Authenticator feature may be enabled as an emergency backup for users who have left their primary authenticator at home, or for other reasons do not have access to their primary authenticator.

Use of this feature can be limited for each authenticator by the following:

Time period

User access to backup Virtual Mobile Authenticator can be set during a specific time period. When this period expires, any Virtual Mobile Authenticator requests from the user will be rejected. If the user is still unable to use the authenticator, the time period must then be extended by an administrator. Once a user starts using the authenticator again, the administrator must reset the time period if the user is to be allowed to use backup Virtual Mobile Authenticator again.

Number of uses

This sets a maximum number of times a user may request an OTP using the backup Virtual Mobile Authenticator feature. When the user has reached this number of uses, any further OTP requests from the user will be rejected. This must be reset by an administrator if further use of the backup Virtual Mobile Authenticator feature is required for the user.

Global and individual backup Virtual Mobile Authenticator settings

The backup Virtual Mobile Authenticator options can be set globally or individually to allow a standard policy for all authenticators with exceptions made where necessary. Global settings will affect all authenticators where the individual option is set to Default.

Global options are defined in the policy that controls authentication. As such, using multiple policies provides you with additional flexibility.
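The rules above (the assignment options table, which logon method a user may use, the time-period and number-of-uses limits, and the fall-back from an individual option set to Default to the global policy) can be put together into one small policy evaluator. The following is an added illustration, not OneSpan code and not the Authentication Server's own data model: the class names, the `overrides` dictionary used to represent "Default" (an absent key), the user names and the global policy values are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Assignment(Enum):
    # The four rows of the "Authenticator assignment options" table.
    HARDWARE_ONLY = "hardware authenticator, no backup"
    HARDWARE_WITH_BACKUP = "hardware authenticator + backup VMA"
    HARDWARE_DISALLOWED_BACKUP = "hardware temporarily disallowed + backup VMA"
    PRIMARY_VMA = "primary VMA"


@dataclass
class BackupPolicy:
    """Backup VMA options. None means 'no limit of that kind'."""
    enabled: bool = False
    valid_until: Optional[datetime] = None   # time-period limit
    max_uses: Optional[int] = None           # number-of-uses limit


@dataclass
class UserRecord:
    assignment: Assignment
    # Per-user overrides (hypothetical representation): an absent key means
    # the option is set to Default and the value comes from the global policy.
    overrides: dict = field(default_factory=dict)
    backup_uses: int = 0


def effective_policy(user: UserRecord, global_policy: BackupPolicy) -> BackupPolicy:
    """Resolve individual settings: Default falls back to the global policy."""
    return BackupPolicy(
        enabled=user.overrides.get("enabled", global_policy.enabled),
        valid_until=user.overrides.get("valid_until", global_policy.valid_until),
        max_uses=user.overrides.get("max_uses", global_policy.max_uses),
    )


def hardware_logon_allowed(user: UserRecord) -> bool:
    """Whether the user may log on with the hardware authenticator right now."""
    return user.assignment in (Assignment.HARDWARE_ONLY, Assignment.HARDWARE_WITH_BACKUP)


def request_vma_otp(user: UserRecord, global_policy: BackupPolicy, now: datetime):
    """Decide whether an OTP may be sent to the user's phone.

    Returns (allowed, reason). An accepted backup request is counted against
    the user's usage limit; primary VMA usage is never limited.
    """
    if user.assignment == Assignment.PRIMARY_VMA:
        return True, "primary Virtual Mobile Authenticator; usage is not limited"
    if user.assignment == Assignment.HARDWARE_ONLY:
        return False, "no backup Virtual Mobile Authenticator assigned"

    policy = effective_policy(user, global_policy)
    if not policy.enabled:
        return False, "backup Virtual Mobile Authenticator is disabled for this user"
    if policy.valid_until is not None and now > policy.valid_until:
        return False, "time period expired; an administrator must extend it"
    if policy.max_uses is not None and user.backup_uses >= policy.max_uses:
        return False, "usage limit reached; an administrator must reset it"

    user.backup_uses += 1
    return True, f"backup OTP request accepted ({user.backup_uses} used)"


def admin_reset_uses(user: UserRecord) -> None:
    """Administrator resets the number-of-uses counter."""
    user.backup_uses = 0


def admin_extend_period(user: UserRecord, new_until: datetime) -> None:
    """Administrator extends this user's time period as an individual override."""
    user.overrides["valid_until"] = new_until


def demo() -> dict:
    now = datetime(2024, 1, 15, 9, 0)
    # Constructed global policy: backup VMA enabled for everyone, limited to
    # 2 uses within a one-week window (second row of the sample guidelines).
    global_policy = BackupPolicy(enabled=True, valid_until=now + timedelta(days=7), max_uses=2)

    alice = UserRecord(Assignment.HARDWARE_WITH_BACKUP)            # every option Default
    bob = UserRecord(Assignment.HARDWARE_DISALLOWED_BACKUP,
                     overrides={"valid_until": now - timedelta(days=1)})  # window already expired
    carol = UserRecord(Assignment.PRIMARY_VMA)
    dave = UserRecord(Assignment.HARDWARE_ONLY)

    alice_results = [request_vma_otp(alice, global_policy, now)[0] for _ in range(3)]
    admin_reset_uses(alice)
    alice_results.append(request_vma_otp(alice, global_policy, now)[0])

    bob_before = request_vma_otp(bob, global_policy, now)[0]
    admin_extend_period(bob, now + timedelta(days=2))
    bob_after = request_vma_otp(bob, global_policy, now)[0]

    return {
        "alice": alice_results,                                     # [True, True, False, True]
        "bob": [bob_before, bob_after],                             # [False, True]
        "carol": request_vma_otp(carol, global_policy, now)[0],     # True
        "dave": request_vma_otp(dave, global_policy, now)[0],       # False
        "bob_hardware": hardware_logon_allowed(bob),                # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two details are worth noting. An individual override set explicitly to `None` means "no limit for this user" and is different from an absent key (Default), which inherits the global limit; confusing the two is the easiest way to hand a user an unlimited backup channel by accident. The counter is only incremented for accepted requests, so rejected requests after the limit is reached do not keep growing it, and an administrator reset restores exactly the configured number of uses.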