Managing Out-of-Band Authentication

Out-of-Band authentication uses two independent networks to separate the OTP delivery channel from the authentication channel.

ActivID AS supports two OOB Two separate networks work independently to authenticate a user - an OTP is sent to the user via SMS or SMTP email and the user then uses the OTP to authentciate via the internet. delivery channels to deliver the OTP - SMS or Email.

The actual SMS/Email OTP is a random number generated by ActivID AS and sent to the user by SMS or email through a delivery gateway.

Note: You can configure multiple SMS and/or Email Delivery Gateways. If the primary gateway fails, then a secondary gateway is automatically used .

OOB SMS/Email OTPs can be used through a RADIUS channel or any other channel type.
SMS OTPs can be triggered through a username/activation code or by the service provider.

Users authenticate using the OTP. If the OTP is entered incorrectly, the user can try multiple times before being required to request a new OTP.

A user can be registered for both OTP device authentication and SMS authentication. The OOB authentication can be used when the token is not available (that is, lost/forgotten).

Prerequisites: The user must have a valid email address and/or telephone number, and the OOB Delivery Gateway must be configured for the OOB authenticator.

Note:

For instructions on how to manage the OOB parameters and OOB delivery gateways, see Configure OOB Delivery Gateways.
For instructions on configuring Push Notifications, see Configure Feedback for External Applications.

About OOB Authentication Records

The following data is required to create an OOB authentication record for a user:

The Authentication policy containing the predefined parameters enforced during authentication such as constraints and validity.
The Device Type to which the device is linked in the authentication server.

By default, this is OOB Virtual Device.
The OOB Activation Code the user needs to trigger the OTP delivery.

You can generate a random Activation Code or define a specific code.
The Status of the authentication record (Enabled or Disabled)

By default, Enabled is selected. If set to Disabled, the user will not be able to authenticate using this authenticator.
The Validity from which the authenticator will be valid for use in the dd/mm/yyyy format.
The default value is the current date.
The Maximum number of successful authentications allowed by the user to authenticate to ActivID AS using this authentication record.

Default value derived is from the Default expiry threshold field specified for the authentication policy. Select Unlimited if you do not want to use the expiration threshold functionality.

When you create an authentication record, the authentication policy you select governs the composition of the authentication record.

Note: The OOB credential types can be configured to define the:

Number of times a user can use the Activation Code (before the Authenticator is locked and the operator needs to create a new one). If it is locked, you can Reset the Out-of-Band Activation Code.
Number of times a user can ask for OTP via OOB (after which the SMS or email containing the OTP will no longer be sent). By default, an OOB OTP can only be requested three times using the Activation code without using it to authenticate. If the user exceeds the number of tries, you can Reset the Out-of-Band Request Counter.
Validity period of the Activation Code.
Validity period of the OTP.

Topics in this section: