Two Factor Authentication - User Guide (Agent Desk)
The Keycloak Adapter implements 3 two-factor authentication (2FA) channels that the end user can use to authenticate. These channels are:
Google/Microsoft Authenticator Mobile App
SMS
RSA SecurID
Workflow for End-User
The user performs the following steps to access the applications with two-factor authentication.
2FA with Google/Microsoft Authenticator
User has not registered for 2FA
The user enters their login credentials on the login screen (Image1) and clicks “Login”.
Image1 Login screen
The user will be redirected to another screen where a QR code (Image2) and a secret code (Image3) will be shown for registration.
There will also be an input field for the OTP (Image2 and Image3).
Image2 QR Code
Image3 Secret code screen
The user will scan the QR code with Google/Microsoft Authenticator or enter the secret code manually in the app.
The app will display an OTP alongside the user's username. A new OTP will be generated every 30 seconds.
The user will enter the OTP that is currently visible in the app in the OTP field and click “Register”.
If the OTP is valid, the user will be successfully logged in and registered for 2FA.
User has already registered for 2FA
The user enters their login credentials on the login screen (Image1) and clicks “Login”.
The user will be redirected to another screen (Image4) with an input field for entering the OTP.
Image4 OTP code secret
The user will enter the OTP that is currently visible in the app in the OTP field and click “Send”.
If the OTP is valid, the user will be successfully logged in.
2FA with SMS
User has not registered for 2FA
The user enters their login credentials on the login screen (sms image 1) and clicks “Login”.
sms image 1 Login screen
The user will be redirected to another screen (sms image 2) and prompted to enter their phone number in the input field for 2FA registration.
sms image 2 Enter Phone number
The user will enter their phone number in the input field and click “Register”.
A dialogue box (sms image 3) will ask the user to confirm the phone number.
sms image 3 Phone number confirmation
If the number is wrong, the user will be allowed to edit it.
If the number is correct, an OTP will be sent to the user via SMS.
An input field will be shown for entering the OTP (sms image 4).
The user can also request that the OTP be resent (if it is not received) by clicking the “Resend OTP” button. This option will only be available while registering for 2FA.
If the OTP is valid, the user will be successfully logged in and registered for 2FA.
sms image 4 Enter OTP screen
User has already registered for 2FA
The user enters their login credentials on the login screen (sms image 1) and clicks “Login”.
The user will be redirected to another screen (sms image 4) with an input field for entering the OTP sent to their phone number.
If the OTP is not received, the user can log in again to receive another OTP.
The user will enter the OTP received via SMS in the OTP field and click “Send”.
If the OTP is valid, the user will be successfully logged in.
2FA with RSA SecurID
Unlike the other two 2FA channels, there will be no 2FA registration flow for RSA SecurID. Registration will be managed by the Customer/Administrator.
If 2FA is enabled on the solution, each user will be required to enter an OTP during login. If a user does not have access to the OTP, they should contact the Administrator.
The user enters their login credentials on the login screen and clicks “Login”.
The user will be redirected to another screen with an input field for entering the OTP.
The user will enter a 14-character passcode in the OTP field. The first 8 characters will be the PIN set up by the user in the SecurID Self Service Console, and the last 6 characters will be the OTP received on the RSA Authenticator App.
The user will be able to show or hide the passcode by clicking the eye icon.
If the OTP is valid, the user will be successfully logged in.
The following error will be visible if:
The OTP is invalid.
The configurations are invalid.
There is an issue with the RSA server.