Fischer Identity supports generic TOTP (RFC 6238) tokens for multi-factor authentication. This gives organizations the ability to use free authenticator apps that generate TOTP codes.
How to obtain an App that supports TOTP
Any TOTP app will work if an organization decides to use this technology as a second factor of authentication. In many cases, organizations license commercial MFA solutions for a subset of their user population and want to extend free alternatives to standard end users to contain the costs associated with cloud-based MFA providers. Fischer offers TOTP to support organizations in decreasing risk while containing cost wherever possible. Fischer has currently tested with Google Authenticator, but provided the account is set up correctly within the chosen TOTP app (same seed, algorithm, digit count and time step as registered with Fischer), Fischer supports device registration and TOTP-based authentication with it.
Device Registration
Multiple devices can be registered against a single identity. Depending on the authentication configuration an organization employs, there are a few variations of the registration workflow. The device registration process is similar to that for Duo Security or Fischer's Authenticator; the difference lies outside the Fischer product, in which TOTP app the organization or the individual user has employed. Whatever steps that app requires to set up TOTP on the device, the user must complete them before registering with Fischer.
Global TOTP Authentication Configuration Settings
The global configuration is accessible within the administrative user interface. Once you have authenticated to the admin UI, go to Configuration → Configuration (Function Menu) and select "Mobile Authentication" from the combo box.
Fischer provides global configuration options for mobile authentication, specifically for the Fischer Authenticator. This section outlines the global settings to configure before leveraging mobile authentication.
Token - Display Show/Hide Token Button
This is a boolean setting. Setting it to True unmasks the token value while the user types it in; setting it to False masks the value as it is entered on the screen.

Token QR Code E-Mail Notification
This setting defines the email notification sent to the Identity during a QR Code registration event. The QR Code is sent to the email address specified within the mobile configuration. Important note: the QR Code encodes the shared seed from which every future token is derived, so anyone who can view it can enroll a device of their own. While Fischer archives all notifications sent to Identities, the display of the QR Code is blocked in those archives so that it cannot be seen, or potentially used to link a device, by an IGA Administrator or a delegated administrator viewing notifications via the Self-Service Client Administration feature.

Token QR Code Notification E-mail Attribute
This setting lets IGA Administrators choose the attribute/value pair in Fischer's Identity Registry that is used to reach the end user when a QR Code must be sent via email.

Primary Email Address vs. Secondary Email Address:
Fischer stores multiple email addresses per Identity. When configuring mobile authentication, IGA Administrators must take into account that an onboarding Identity most likely does not yet have access to the organization's email account (they are onboarding and have not yet set the password for that account). It is a best practice to use a secondary, authorized email address (most often the Identity's private or personal email address) as the address to which the QR Code for device registration is sent. Because the QR Code carries the TOTP seed, only an address already verified as belonging to the Identity should be used for this purpose.
If the primary (organization) email attribute is used, the user will not be able to onboard unless Authenticator is used exclusively as a second factor of authentication and not as an Identity verification method. If Fischer's Authenticator is the primary Identity verification method and IGA Administrators have set MFA to optional, users can bypass device registration and authenticate with the first factor alone.

Token QR Code Notification Method
This setting lets IGA Administrators configure the delivery method of the QR Code. The available options are as follows:

Token QR Code SMS Notification
This setting lets IGA Administrators customize the text sent via SMS to a registering Identity.
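Whichever delivery method is chosen, the QR Code itself encodes the TOTP seed, which is why the archive redaction described under "Token QR Code E-Mail Notification" matters. As an added example (not Fischer's code; the page does not state which payload format Fischer's QR Codes use, so the widely used otpauth:// key URI format is assumed, and the issuer and account names are made up), the following Python builds such a payload, shows that the seed is recoverable from it by anyone who can see the image or the archived email, and produces a redacted copy suitable for keeping in a notification archive.

```python
import base64
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse, urlunparse


def generate_seed(length: int = 20) -> str:
    """Fresh TOTP seed as unpadded base32, the form authenticator apps expect (20 bytes for SHA-1)."""
    return base64.b32encode(secrets.token_bytes(length)).decode().rstrip("=")


def build_provisioning_uri(issuer: str, account: str, seed_b32: str,
                           digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> str:
    """otpauth:// key URI, the de facto payload behind authenticator enrollment QR codes
    (assumed format; the page does not document Fischer's own). The seed sits in the
    query string in the clear: the QR image is the seed."""
    label = quote(f"{issuer}:{account}", safe="")
    query = urlencode({"secret": seed_b32, "issuer": issuer,
                       "algorithm": algorithm, "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{query}"


def extract_seed(uri: str) -> str:
    """What anyone who can read the QR code (or an unredacted archived email) recovers."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("provisioning URI carries no secret")
    return params["secret"][0]


def redact_provisioning_uri(uri: str) -> str:
    """Archive-safe copy: keeps issuer, account and parameters for audit, drops the seed."""
    parsed = urlparse(uri)
    params = parse_qs(parsed.query)
    params["secret"] = ["REDACTED"]
    query = urlencode({key: values[0] for key, values in params.items()})
    return urlunparse(parsed._replace(query=query))


if __name__ == "__main__":
    # Constructed sample enrollment for a made-up issuer and account.
    seed = generate_seed()
    uri = build_provisioning_uri("Example University", "jdoe", seed)
    print("payload encoded in the QR code:", uri)
    print("seed recoverable by any viewer :", extract_seed(uri))
    print("what the archive should keep   :", redact_provisioning_uri(uri))
```

The redacted form still records that an enrollment email went out, to whom, and with which parameters, which is what an administrator reviewing notifications needs; the one thing removed is the value that would let the reviewer register a device as that user.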