9.26.1 Configuring Smartphone Method

To configure the Smartphone method, specify the following parameters. Each parameter name is followed by its description:

Learn timeout

The time during which the user can scan the QR code for enrollment. The default timeout is 60 seconds.

TOTP Length

The length of the OTP token used for backup authentication. The default length is 6 digits.

TOTP step

The time a TOTP is displayed on the screen before the next OTP is generated. The default time is 30 seconds.

TOTP time window

The time, in seconds, during which a given TOTP is accepted. The default time is 300 seconds.
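The three TOTP parameters above (length, step and acceptance window) are the standard RFC 6238 inputs. The following added example, which is not NetIQ's code and not taken from this page, shows how a server-side check of a backup OTP honours them, using the page's defaults (6 digits, 30-second step, 300-second window). It assumes the window is applied symmetrically around the server clock; the page does not state that. The secret is the RFC 6238 test-vector secret, used here only as constructed sample input, and the verifier also records each accepted time step so that a code observed once cannot be replayed inside the window.

```python
import hashlib
import hmac
import struct

# Defaults mirroring the Smartphone method settings described on this page.
DEFAULT_DIGITS = 6    # TOTP Length
DEFAULT_STEP = 30     # TOTP step, in seconds
DEFAULT_WINDOW = 300  # TOTP time window, in seconds


def hotp(secret: bytes, counter: int, digits: int = DEFAULT_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = DEFAULT_STEP,
         digits: int = DEFAULT_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of whole steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side acceptance check for a backup OTP.

    Assumption (not stated on the page): the time window is symmetric, so a code is
    accepted if its time step lies within +/- window seconds of the server clock.
    Every time step is accepted at most once, which blocks replay of a captured code.
    """

    def __init__(self, secret: bytes, digits: int = DEFAULT_DIGITS,
                 step: int = DEFAULT_STEP, window: int = DEFAULT_WINDOW):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window
        self._used_counters = set()

    def verify(self, code: str, unix_time: int) -> bool:
        # Reject anything that is not exactly the configured number of digits.
        if len(code) != self.digits or not code.isdigit():
            return False
        steps_each_side = self.window // self.step
        current = int(unix_time) // self.step
        matched = None
        # Check every candidate step without an early exit so that timing does not
        # reveal which step matched; compare_digest keeps each comparison constant-time.
        for counter in range(current - steps_each_side, current + steps_each_side + 1):
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                matched = counter
        if matched is None or matched in self._used_counters:
            return False
        self._used_counters.add(matched)
        return True


if __name__ == "__main__":
    # Constructed sample input: the RFC 6238 SHA-1 test-vector secret.
    secret = b"12345678901234567890"
    print("TOTP at t=59:", totp(secret, 59))
    verifier = TotpVerifier(secret)
    print("accepted 299 s later:", verifier.verify(totp(secret, 59), 59 + 299))
    print("replay accepted:", verifier.verify(totp(secret, 59), 59 + 299))
    print("accepted 330 s later:", TotpVerifier(secret).verify(totp(secret, 59), 59 + 330))
```

A longer TOTP time window widens the set of codes the server accepts at any moment, so the replay record matters more as the window grows; keeping the window at the 300-second default and tracking accepted steps keeps the exposure bounded.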

Server URL

The URL of the Advanced Authentication server to which the smartphone app connects for authentication. This URL points to the Public External URLs (Load Balancers) policy. For example, http://<AAServerAddress>/smartphone (the /smartphone path cannot be changed). It is recommended to use http only for testing and https in the production environment. When using https, you must upload a valid certificate in Server Options.

Require PIN

Set to ON to enforce the Enable PIN setting for authenticating to the Smartphone application. A user cannot edit this setting in the application.

NOTE: If the PIN is not set, the user is prompted to set the PIN on launching the app.

On the first launch of the app, the user must set the PIN regardless of this setting.

Minimum PIN length if the PIN is required

The minimum length of the PIN. The available options are 4, 5, and 6.

Require biometrics

Set to ON to enforce fingerprint or facial recognition for authenticating to the Smartphone application. A user cannot edit this setting in the application.

NOTE: Before Advanced Authentication 6.3 Service Pack 5 Patch 1, enabling Require biometrics also enabled the Require PIN option, and it was not possible to disable Require PIN without disabling Require biometrics.

The Require biometrics and Require PIN options can be combined as follows:

  • Both Require PIN and Require Biometrics are set to OFF

    A user can disable both settings in the smartphone application if required.

  • Require PIN is set to ON and Require Biometrics is set to OFF

    In this case, the user must set a PIN to authenticate to the smartphone application and can disable biometrics if required.

  • Both Require PIN and Require Biometrics are set to ON

    In this case, if biometrics are available, the user must use them or the PIN code to authenticate to the smartphone application. The user cannot change any settings in the application.

  • Require PIN is set to OFF and Require Biometrics is set to ON

    In this case, the user must always use biometrics to authenticate to the smartphone application. If biometrics are not available, the user cannot use the application.

Enroll TOTP method when enrolling Smartphone

Set to ON to enable enrolling both the Smartphone and TOTP methods during the Smartphone method enrollment.

After enrollment, the NetIQ Advanced Authentication application on the user's Smartphone displays only one authenticator. However, it corresponds to both Smartphone and TOTP authenticators enrolled on the Self Service Portal.

IMPORTANT: Even if you set the option to OFF, the user can use the Smartphone method in the following ways:

  1. Out-of-band: Sending a push notification and accepting it on the user's Smartphone.

  2. OTP: Open the list of enrolled authenticators in the NetIQ Advanced Authentication application, and use the one-time password if the user is not able to use the out-of-band option.

    For example, when the Smartphone has no internet connection.

Allow to accept/reject authentication through push notification

Set to ON to display the action buttons Accept and Reject with the notification in the mobile notification bar. This allows users to take action directly from the notification without opening the app. This option is applicable for Android and iOS versions of the NetIQ Authentication app.

NOTE: After enrolling the Smartphone method, the action buttons are not displayed with the notification in the notification bar for the first authentication. Therefore, the user must launch the NetIQ Authentication app to accept or reject the request.

Prevent login from a rooted device

Set to ON to enable a root check for mobile devices.

The smartphone app must detect whether the device is rooted and prevent login from that device. Rooted devices can grant administrative privileges to third-party software that is not secured and is mostly not allowed by device vendors.

Use image on mobile devices

Select this option to use a customized image in your Smartphone app.

Browse to the image. This image is displayed on the About screen of your Smartphone app. The resolution of the image must be 2732×637 pixels.

NOTE: The Require PIN, Require biometrics, and Use image on mobile devices policies are applied automatically on the smartphone if a user has an enrolled authenticator in the smartphone app and the app is open on one of these screens: Authentication Requests, Enrolled Authenticators, or Requests History. It takes 2 to 30 seconds to display the authentication request.

  • If a user has configured a 4-digit PIN but the administrator has enforced a 6-digit PIN, the user can continue to use the 4-digit PIN until the user decides to change the PIN.

  • If Require biometrics is set in the policies but a user's device does not support fingerprint, the policy is not applied for that device.

  • If a user has authenticators enrolled for two different Advanced Authentication servers with different policies, the policies are combined for the device and the most secure policies are applied in the app.

Disable Offline OTP Options

NOTE: In Advanced Authentication 6.4 SP1 and prior versions, the label is Disable Offline Authentication.

Select this option to prevent users from authenticating with the Smartphone TOTP. By default, this option is disabled and users are allowed to log in using the Smartphone method even without a network connection.

Enabling this option prevents users from using the one-time password of the Smartphone method to log in in offline mode.

Allow as first authentication method

This option allows a user to authenticate using a chain in which the Smartphone authenticator is the first authentication method.

The option is set to ON by default. Set this option to OFF to prevent users from authenticating using a chain in which the Smartphone authenticator is the first authentication method.

If the option is set to OFF and a user tries to authenticate using a chain in which the Smartphone method is the first authentication method, the user is shown the message "The method cannot be first in the login chain" and cannot authenticate.

Advanced Settings

These settings are optional.

Default Vendor

The Default Vendor is set to NetIQ. This vendor sends the push notifications to the NetIQ Advanced Authentication app so that users can complete the Smartphone authentication.

NOTE: You can add only an approved vendor as the default vendor. A certificate for your custom application must be provided to Micro Focus and applied on proxy.authasas.com.

Priority Vendor

Click Add to add the preferred vendor as a priority vendor that sends push notifications to the custom smartphone application.

To understand the requirements to add the priority vendor, see Priority Vendor Requirements.

NOTE: You can add only an approved vendor as a priority vendor. A certificate for your custom application must be provided to Micro Focus and uploaded to proxy.authasas.com.

Before you add a priority vendor, the default vendor handles all smartphone enrollment and authentication requests. After you add a priority vendor, new enrollment requests are associated with the priority vendor. The default vendor continues to process authentication requests for the enrollments that were associated with it earlier.

If you add more than one priority vendor, the Vendor list is shown so that the user can select the preferred vendor while enrolling the Smartphone method on the Self Enrollment portal.

Google project ID

You can specify the Google Project ID for your Android app if you have an approved vendor and the private key (in JSON format) has been generated, provided to Micro Focus, and applied on proxy.authasas.com.

Push notifications are sent only to the application that matches the configured Google Project ID.

Geo Zones

You can configure geo-fencing for the Smartphone method. Geo-fencing adds one more factor to Smartphone authentication: the geographical location. When you enable geo-fencing, users can authenticate with the Smartphone method only from allowed geographical locations. You must enable the Geo Fencing Options policy to use geo-fencing.

To set up the Geo-fence, see Setting Up Geo-fence for Smartphone.

NOTE: To use geo-fencing, ensure that location access is enabled for the NetIQ Advanced Authentication app on the smartphone.

To configure the Smartphone method as a second-factor authenticator to secure a Windows workstation, see

NOTE: The NetIQ Advanced Authentication app icon displayed in the video has been updated. However, the concept and configuration steps remain the same.