
ForgeRock existing product features around OTP e.g.: SMS and Email

(Exploration of push authentication, diagrams and discussion)

How to handle the case where QR code cannot be read?
- Click registration button on the mobile device
- Possible options for accessibility.

(Demonstration of push authentication in OpenAM)

Do we have a mobile SDK? How do we customise the app?
- App supports basic reskinning
- Most customers want to build the feature into their own app.

Some limitations around specific carriers which might affect push authentication.

Suggested improvement when deployed on an Amazon EC2 instance: make use of the local Amazon keystore available on the server.

Question around push authentication.
- First party level policy "did you just perform this operation?"
- Third party policy "do you want to allow this person to perform this operation?"

MFA selector expected in 14.5:
- OATH
- FIDO
- Push

FIDO: ForgeRock member of the FIDO alliance.
- Windows 10 supported
- Firefox has related support

-------------------------------------------------------------------------------------------------------------------

Q: Who's doing MFA today?
A: Belgium government issued all citizens smart card readers and smart cards

OATH: Can use FR authenticator or 3rd party. But not main topic of conversation for now!

ForgeRock Push Notification auth module discussed. Registered via QR to exchange a shared secret.

Q: Support for non-QR. E.g. blind user, no camera.
A: If on a phone it will redirect and bypass QR. Screen reader for visually impaired should be able to detect the button.

Use account lockout to prevent message "spamming".

Demo: Password-login based on two chains. Combines push auth and persistent cookie. Also uses "onFail" in first chain to redirect to second chain.

S1: persistent cookie (requisite) -> push auth (sufficient) -> LDAP (required). Also onFail -> http://..../openam/login?service=chain2

S2: LDAP (requisite) -> persistent cookie store (optional) -> push reg (optional) -> push auth (sufficient)
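To make the two-chain demo concrete, here is an added simulation (not OpenAM code, and not from the meeting) of how the JAAS-style control flags requisite, required, sufficient and optional decide the outcome of S1 and S2, with S1's onFail handing the user to S2. Module names such as "persistent-cookie" and "push-reg", and the pass/fail scenarios, are constructed for illustration.

```python
"""Simulate OpenAM-style authentication chain evaluation with JAAS control flags.

Added example: models chains S1 and S2 from the demo notes. Module names and
the per-module pass/fail results are constructed; this is not OpenAM code.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Control flags as used in OpenAM authentication chains (JAAS semantics)
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"


@dataclass(frozen=True)
class Module:
    name: str
    flag: str


def run_chain(chain: List[Module], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate a chain given each module's result (True = the module succeeded).

    Returns (authenticated, trace); trace lists the modules that actually ran,
    so a reader can see which steps a scenario exercised.
      requisite  - failure aborts the chain immediately
      required   - failure marks the chain failed, but later modules still run
      sufficient - success returns at once (success only if no required/requisite
                   module failed earlier); failure just continues
      optional   - never decides the chain on its own
    """
    trace: List[str] = []
    hard_failure = False  # a required/requisite module has failed
    any_success = False
    for mod in chain:
        ok = results.get(mod.name, False)  # a module not in results is treated as failed
        trace.append(mod.name)
        any_success = any_success or ok
        if mod.flag == REQUISITE:
            if not ok:
                return False, trace
        elif mod.flag == REQUIRED:
            if not ok:
                hard_failure = True
        elif mod.flag == SUFFICIENT:
            if ok:
                return not hard_failure, trace
        elif mod.flag != OPTIONAL:
            raise ValueError(f"unknown control flag {mod.flag!r}")
    # End of chain: all required/requisite modules passed and at least one module succeeded
    return (not hard_failure) and any_success, trace


# Chain S1 from the notes: cookie (requisite) -> push auth (sufficient) -> LDAP (required)
S1 = [
    Module("persistent-cookie", REQUISITE),
    Module("push-auth", SUFFICIENT),
    Module("ldap", REQUIRED),
]

# Chain S2 from the notes: LDAP (requisite) -> cookie store -> push reg -> push auth (sufficient)
S2 = [
    Module("ldap", REQUISITE),
    Module("persistent-cookie-store", OPTIONAL),
    Module("push-reg", OPTIONAL),
    Module("push-auth", SUFFICIENT),
]


def login(results: Dict[str, bool]) -> Tuple[str, List[str]]:
    """Run S1; if it fails, follow its onFail redirect into S2 (as in the demo).

    Returns (which chain authenticated the user or "failed", combined trace).
    """
    ok, trace = run_chain(S1, results)
    if ok:
        return "chain1", trace
    ok2, trace2 = run_chain(S2, results)
    return ("chain2" if ok2 else "failed"), trace + trace2


if __name__ == "__main__":
    # Constructed scenarios: returning device with cookie, and a fresh device without one
    print(login({"persistent-cookie": True, "push-auth": True}))
    print(login({"persistent-cookie": False, "ldap": True, "push-reg": True, "push-auth": True}))
    print(login({"persistent-cookie": False, "ldap": False}))
```

Running the scenarios shows the flow the demo describes: with a cookie and an approved push the user never reaches LDAP; without a cookie the requisite failure drops straight into S2. It also shows a consequence of the flags as noted: in S2, because LDAP is requisite and push auth is only sufficient, a user whose push step fails still authenticates on LDAP alone under these rules, so whether push is mandatory on first enrolment is something to check in the real configuration.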

Q: Can SNS setup be better integrated with EC2?
A: No, but good enhancement request

Q: Plans for push authorisation?
A: Roadmap item for 1st person authz (end-user). Longer term - 3rd person authz.

Q: Possible using step-up?
A: Not really, it's not atomic.

MFA Selector - part way through chain, allow user to select auth options. No support currently. Likely to be available with authentication trees later. Possible today using scripted.

FIDO - Windows 10 has support. ForgeRock are members of FIDO Alliance. Polling for opinions.
