Profile saving on first login ?


This topic has 7 replies, 3 voices, and was last updated 7 years, 10 months ago by jochenr.

  • #1001
     jah
    Participant

    Hi,

    First question? :)

    Upon the first login to the beta site there is first a form for OTP token and after that a question about saving a profile with no further information. This seems rather vague so what is the profile that is being saved and what are the consequences of choosing “yes” or “no” ?

    BTW I chose “yes” and that question doesn’t come up anymore but it would be nice to know what exactly just happened…

    – Jari

    #1002

    Hiya Jari, the extra steps around authentication are linked to us testing a new thing in OpenAM for strong adaptive authentication. If you save the profile OpenAM is less likely to ask you for an OTP again.

    It’s a bit sensitive right now, like if you switch browsers it will ask for an OTP again, but we’re doing it in the name of science and testing :)

    After the IRM Summit in Dublin next week we will go back to a normal authentication where OpenAM does what it does in the background – and you will not see the OpenAM UI even.

    Thanks for helping with the beta!

    #1003
     jah
    Participant

    Ah so the “profile” in this case is the adaptive auth profile and not the site user profile. It is not obvious in the screen that asks if you want to save it or not.

    #1004

    Indeed, good point, thanks!

    #1014
     jochenr
    Participant

    Hi Marius,

    I suppose it’s the ‘device’ fingerprinting function of OpenAM, to remember which device/browser/location the user’s been using, to trust the fingerprinted information to make sure that no OTP need be asked again. Similar to the 2nd factor function of some other providers, where you have a checkbox like, ‘Don’t ask for OTP again, so trust this browser’ but then in the backend, without bothering the user with it.

    #1015

    That is exactly what happens, thanks for writing that up. However it’s not what you usually would call “two factor auth” since we don’t require more than the password from the user. Instead we are testing some clever adaptive auth algorithms to determine if an OTP should be asked for or not.

    In a day or two we will turn off this extra bit of adaptive auth and go back to standard ForgeRock ID login handling. The use of OpenAM will then be transparent (no redirect), the actual authentication chatter will be REST calls behind the curtains.

    We even made a WordPress plugin for it that supports various versions of OpenAM, read more about it here:
    wordpress-openam-authentication-plugin/

    #1031

    We’re now on the normal OpenAM (ForgeRock ID) and everything is done as invisible REST calls, should be silky smooth. :)

    #1128
     jochenr
    Participant

    I know what you mean. It’s more a Multi-factor authentication as Something you know (username/pw), Something you ‘are’ (adaptive auth algorithms) and if the second doesn’t match or isn’t sufficient an OTP could be asked (Something you have).
