9.26 Smartphone

Advanced Authentication provides the Smartphone method that facilitates users to authenticate through their Smartphone. The authentication happens through the NetIQ smartphone app to perform the out-of-band authentication. The out-of-band authentication is typically a two-factor authentication that requires a secondary verification through a separate communication channel along with the ID and password.

The authentication flow for the Smartphone method in Advanced Authentication is described in the following image.

A user wants to authenticate on an endpoint such as a laptop or a website with the Smartphone method. The following steps describe the authentication flow:

  1. When the authentication request is initiated, the endpoint contacts the Advanced Authentication server.

  2. The Advanced Authentication server validates the user’s credentials.

  3. After validating the credentials, the Advanced Authentication server sends a push message to proxy.authasas.com.

  4. Depending on the platform of the Smartphone, the server selects an appropriate push service and then forwards the push message to the Smartphone.

  5. The push message is then delivered to the user’s Smartphone to inform that an authentication request has been initiated.

  6. When the user opens the Smartphone app, the app reaches the Advanced Authentication server to validate if there is an authentication needed. The authentication is indicated by the Accept and Reject options. The user’s selection is then sent to the server.

  7. Finally, the server validates the authentication and the endpoint gets authenticated.

HTTPS protocol is used for the communication.

This authentication method is recommended to use in combination with another method such as Password or LDAP Password to achieve multi-factor authentication and protect a user from getting SPAM push messages.

NOTE:To use Smartphone authentication method, at least one Advanced Authentication server from each site (if any) should be accessible from the Public URL.

Access Configurations

The following are the configurations required for the Smartphone method:

  • Advanced Authentication server must be accessible by the specified Server URL address from smartphones (HTTPS, outbound).

  • Advanced Authentication server must have a permitted outbound connection to proxy.authasas.com (HTTPS).

Scenario for Authenticating with the Smartphone Method

Bob wants to authenticate on the myexample.com website. When he logs in to the website, the Smartphone authentication method sends a push message to his mobile phone. When he opens the Smartphone app installed on his phone, the Accept and Reject buttons are displayed. If he selects the Accept option, the authentication request is sent over the mobile network (secure) back to the Authentication framework. Without specifying an OTP code, Bob authenticates to myexample.com.

When your smartphone does not have a network connection, you can use a backup OTP as offline authentication.

This section covers the following configurations related to the Smartphone method:

NOTE:You can customize the authentication request message that is displayed on the NetIQ Auth app using the Custom Messages policy.

For more information about customizing the authentication request message, see Customizing Authentication Request Message For Smartphone Method.