2-step Virtual Mobile Authenticator logon

The 2-step Virtual Mobile Authenticator logon is possible when using a SOAP client, the RADIUS Access-Challenge mechanism or an IIS Module in form-based authentication mode. The static password is required in either the first or the second step, but not both.

However, many RADIUS environments, IIS Module basic authentication, and Digipass Authentication for Windows Logon do not support the 2-step logon process. If the 2-step logon process is not possible, two separate 1-step logons are required. The second logon must include the password as well as the OTP, but the password does not need to be provided in the first logon if only a keyword is used.

With the Cleartext Combined password format, all inputs in the table below are entered into the Password field. With the Cleartext Separate password format, the keyword and/or password are always entered into the Static Password field, while the OTP is entered into the OTP field.

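Table: Logon permutations – Virtual Mobile Authenticator

| Logon type       | Request method   | 2-step logon: Step 1 | 2-step logon: Step 2 | Two 1-step logons: Step 1 | Two 1-step logons: Step 2 |
|------------------|------------------|----------------------|----------------------|---------------------------|---------------------------|
| Normal logon     | Keyword          | Keyword              | Password+OTP         | Keyword                   | Password+OTP              |
| Normal logon     | Password         | Password             | OTP                  | Password                  | Password+OTP              |
| Normal logon     | Keyword-Password | Keyword+Password     | OTP                  | Keyword+Password          | Password+OTP              |
| Normal logon     | Password-Keyword | Password+Keyword     | OTP                  | Password+Keyword          | Password+OTP              |
| Normal logon     | Keyword-Only     | N/A                  | N/A                  | Keyword                   | OTP                       |
| Changed password | Keyword          | Keyword              | Password+OTP         | Keyword                   | Password+OTP              |
| Changed password | Password         | Password             | OTP                  | Password                  | Password+OTP              |
| Changed password | Keyword-Password | Keyword+Password     | OTP                  | Keyword+Password          | Password+OTP              |
| Changed password | Password-Keyword | Password+Keyword     | OTP                  | Password+Keyword          | Password+OTP              |
| Changed password | Keyword-Only     | N/A                  | N/A                  | Keyword                   | Password+OTP              |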

Digipass Authentication for Windows Logon does not support 2-step Virtual Mobile Authenticator logon and requires two 1-step logons to be performed consecutively instead.

The Keyword-Only request method is only available with Digipass Authentication for Windows Logon.

The Keyword-Only request method must be used if Windows Password Randomization is enabled in the policy when using Digipass Authentication for Windows Logon.

A Virtual Mobile Authenticator OTP request is not possible if RADIUS CHAP or MSCHAP is used.
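
The following added example (not product code) derives every row of the table from the rules stated on this page and rejects the combinations the notes rule out, which is useful when reviewing an integration's logon flow. The client labels (soap, radius_challenge, iis_form, radius_plain, iis_basic, windows_logon), the function names and the parameter names are assumptions made for illustration, not product configuration keys.

```python
# Added example: labels below are illustrative, not product configuration keys.
TWO_STEP_CLIENTS = {"soap", "radius_challenge", "iis_form"}
ONE_STEP_CLIENTS = {"radius_plain", "iis_basic", "windows_logon"}
# Step 1 input for each request method, in the order it is entered.
STEP1 = {
    "keyword": ["keyword"],
    "password": ["password"],
    "keyword-password": ["keyword", "password"],
    "password-keyword": ["password", "keyword"],
    "keyword-only": ["keyword"],
}

def place(parts, fmt):
    """Map logical inputs to logon fields for the chosen password format."""
    # "+" mirrors the table's notation; it is not a literal separator.
    if fmt == "combined":
        return {"Password": "+".join(parts)}
    fields = {}
    static = [p for p in parts if p != "otp"]
    if static:
        fields["Static Password"] = "+".join(static)
    if "otp" in parts:
        fields["OTP"] = "otp"
    return fields

def plan_logon(client, method, fmt="combined", changed_password=False,
               chap=False, password_randomization=False):
    """Return the field contents for step 1 and step 2, or raise ValueError."""
    if client not in TWO_STEP_CLIENTS | ONE_STEP_CLIENTS or method not in STEP1:
        raise ValueError("unknown client or request method")
    if chap:
        raise ValueError("OTP request not possible with RADIUS CHAP or MSCHAP")
    windows = client == "windows_logon"
    if method == "keyword-only" and not windows:
        raise ValueError("Keyword-Only is only available with Windows Logon")
    if windows and password_randomization and method != "keyword-only":
        raise ValueError("Password Randomization requires Keyword-Only")
    step1 = STEP1[method]
    if client in TWO_STEP_CLIENTS:
        # 2-step logon: the password goes in exactly one of the two steps.
        step2 = ["otp"] if "password" in step1 else ["password", "otp"]
    elif method == "keyword-only" and not changed_password:
        step2 = ["otp"]
    else:
        # Two 1-step logons: the second logon carries password and OTP.
        step2 = ["password", "otp"]
    return [place(step1, fmt), place(step2, fmt)]
```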