Page tree
Skip to end of metadata
Go to start of metadata

OTP, Push & FIDO, moving to passwordless using mobile apps for authentication

  • Introduction to Authenticator application
  • Introduction to HOTP (Authenticator) 
  • Introduction to Push (Authenticator)
  • Introduction to the Mandatory 2FA setting
  • Demonstrated "usernameless" flow by using persistent cookie to store username, and a failover from one login chain to the next.


How does a user provision an Amazon SNS account through ForgeRock?

  • Use Backstage account, request Cloud Services → Provision New Amazon SNS Push Provider

What are the differences between TOTP and HOTP

  • Time-based vs HMAC-based (mistakenly answered "heuristic-based" during the UnSummit - oops!)
  • Both based on the same technology, essentially Time-based and HMAC both 'step' a counter forward, generating a new code.

What is the cost of using the Amazon SNS through ForgeRock? Are there additional charges?

  • No initial additional charges. ForgeRock may contact customers who see a significant volume of messages through this system.

Is it possible to implement your own delegate, rather than using the Amazon SNS?

  • Yes so long as their own PushDelegate is instantiated via the appropriate factory class as pointed to in the Push Service's config.
  • Customers will need to request access to the code specifically for this purpose, JavaDoc should explain enough to developers to be able to construct their own delegates

Are customers looking to use the ForgeRock Authenticator, or augment their own applications with ForgeRock authentication/authorization technology?

  • Majority are looking to augment their own applications, not use ForgeRock's application directly.

Can customers use the ForgeRock application with their own SNS delegate?

  • No, as the messages to the ForgeRock Authenticator must be signed by our certificate. By creating an SNS provider via the BackStage provisioning system, a child certificate of the ForgeRock certificate will be granted to your account, allowing the ForgeRock Authenticator to be able to communicate with the endpoint. However, creating your own delegate - or using a non-ForgeRock generated Amazon SNS account - will require your own app.

What level of interest in FIDO-support?

  • Around 1/4 of the participants in the discussion were interested in FIDO support.
  • Some individuals requested FIDO support during one-to-ones with David Luna throughout the day.
  • No labels