13.2 Authenticator Management Options

13.2.1 Enabling Sharing of Authenticators for the Helpdesk Administrators

This setting allows one user's authenticator to be used to authenticate to another user's account. When it is enabled, a helpdesk administrator can share an authenticator enrolled for one user with another user.

To enable sharing authenticators, set Enable sharing of authenticators to ON.

The account of a helpdesk administrator must be added to the SHAREAUTH ADMINS group to grant the privilege to share authenticators. For more information about how to allow helpdesk administrators to share authenticators, see Local Repository.

NOTE: Shared authenticators work only in online mode; cached (offline) login does not work with shared authenticators. The methods that support sharing are TOTP, HOTP, Password, Fingerprint, Flex OTP, Card, FIDO U2F, and RADIUS Client.

For more information, see Sharing Authenticators in the Advanced Authentication - Helpdesk Administrator guide.

13.2.2 Disabling Re-Enrollment of the Authenticators in the Self-Service Portal

This setting prevents users from re-enrolling, editing, and deleting their enrolled authenticators in the Self-Service portal.

NOTE: This setting disables re-enrollment and removal of authenticators only in the Self-Service portal. It has no effect on the Helpdesk portal.

To disable re-enrollment or removal of authenticators, set Disable re-enrollment to ON.

WARNING: If you access the Administration portal with local user credentials such as local\admin, you might lock yourself out. This can happen when the administrator's password expires and, with Disable re-enrollment set to ON, the password cannot be changed through the Self-Service portal. Therefore, before you enable the Disable re-enrollment option, you must configure access to the Administration portal for a repository account, and verify that this account can sign in to the Administration portal before you turn the option on. To do this:

  • Add authorized users or a group of users from a repository to the FULL ADMINS role.

  • Assign chains that contain methods enrolled for those users to the AdminUI event (at a minimum, a chain with an LDAP Password method).