October 28, 2014 at 5:11 pm #1001 - jah (Participant)
First question? :)
Upon the first login to the beta site there is first a form for OTP token and after that a question about saving a profile with no further information. This seems rather vague so what is the profile that is being saved and what are the consequences of choosing “yes” or “no” ?
BTW I chose “yes” and that question doesn’t come up anymore but it would be nice to know what exactly just happened…
– Jari

October 28, 2014 at 5:19 pm #1002

Hiya Jari, the extra steps around authentication are linked to us testing a new thing in OpenAM for strong adaptive authentication. If you save the profile, OpenAM is less likely to ask you for an OTP again.
It’s a bit sensitive right now, like if you switch browsers it will ask for an OTP again, but we’re doing it in the name of science and testing :)
After the IRM Summit in Dublin next week we will go back to a normal authentication where OpenAM does what it does in the background – and you will not see the OpenAM UI even.
Thanks for helping with the beta!

October 28, 2014 at 5:42 pm #1003 - jah (Participant)

Ah, so the “profile” in this case is the adaptive auth profile and not the site user profile. It is not obvious in the screen that asks if you want to save it or not.

October 28, 2014 at 5:50 pm #1004

Indeed, good point, thanks!

November 5, 2014 at 11:31 am #1014 - jochenr (Participant)

I suppose it’s the ‘device’ fingerprinting function of OpenAM, to remember which device/browser/location the user has been using, and to trust the fingerprinted information to make sure that no OTP needs to be asked for again. Similar to the 2nd-factor function of some other providers, where you have a checkbox like ‘Don’t ask for OTP again, so trust this browser’, but then in the backend, without bothering the user with it.

November 5, 2014 at 11:58 am #1015
That is exactly what happens, thanks for writing that up. However it’s not what you usually would call “two factor auth” since we don’t require more than the password from the user. Instead we are testing some clever adaptive auth algorithms to determine if an OTP should be asked for or not.
In a day or two we will turn off this extra bit of adaptive auth and go back to standard ForgeRock ID login handling. The use of OpenAM will then be transparent (no redirect), the actual authentication chatter will be REST calls behind the curtains.
We even made a WordPress plugin for it that supports various versions of OpenAM, read more about it here:
wordpress-openam-authentication-plugin/

November 6, 2014 at 11:41 pm #1031

We’re now on the normal OpenAM (ForgeRock ID) and everything is done as invisible REST calls, should be silky smooth. :)

November 12, 2014 at 10:05 am #1128 - jochenr (Participant)

I know what you mean. It’s more a multi-factor authentication: something you know (username/pw), something you ‘are’ (adaptive auth algorithms), and if the second doesn’t match or isn’t sufficient, an OTP could be asked for (something you have).
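The trusted-device behaviour jochenr describes (remember the browser after a successful OTP, skip the OTP next time, ask again when the browser changes) can be sketched in a few dozen lines. The block below is an added example written for this thread, not OpenAM's device-profile module and not the WordPress plugin's code. The fingerprint attributes, the 30-day trust window, the server key and the sample browser attributes are all assumptions made up for the illustration; the point it demonstrates is that a keyed hash of the device attributes, bound to the user, is what gets stored, so the "save profile" answer only ever adds such a hash, and a different browser (as Jari saw) produces a different hash and therefore an OTP prompt.

```python
import hashlib
import hmac
import time

# Constructed placeholder: in a deployment this key lives in a secret store.
SERVER_KEY = b"example-server-key-not-for-production"

# Attributes this example chooses to fingerprint (an assumption; the real
# OpenAM device profile collects its own attribute set).
FINGERPRINT_KEYS = ("user_agent", "accept_language", "screen", "timezone")

# How long a saved device profile stays trusted before an OTP is required
# again (assumed value, 30 days).
TRUST_TTL_SECONDS = 30 * 24 * 3600


def device_fingerprint(user_id: str, attrs: dict) -> str:
    """Keyed hash over the fingerprint attributes, bound to the user.

    Storing an HMAC rather than the raw attributes means a leaked trust
    store reveals nothing about the user's browsers, and mixing the user id
    into the input stops one user's trusted device from being replayed for
    another account.
    """
    material = user_id + "|" + "|".join(
        f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_KEYS
    )
    return hmac.new(SERVER_KEY, material.encode(), hashlib.sha256).hexdigest()


class AdaptiveAuth:
    """Decides, after a correct password, whether an OTP is also needed."""

    def __init__(self):
        # (user_id, fingerprint) -> time the profile was saved
        self._trusted = {}

    def needs_otp(self, user_id: str, attrs: dict, now: float = None) -> bool:
        now = time.time() if now is None else now
        key = (user_id, device_fingerprint(user_id, attrs))
        saved_at = self._trusted.get(key)
        if saved_at is None:
            return True                      # unknown device: step up to OTP
        if now - saved_at > TRUST_TTL_SECONDS:
            del self._trusted[key]           # stale profile: forget it, step up
            return True
        return False

    def otp_passed(self, user_id: str, attrs: dict, save_profile: bool,
                   now: float = None) -> None:
        """Called once the OTP was verified. 'save_profile' is the user's answer
        to the save-this-profile question discussed in the thread."""
        if save_profile:
            now = time.time() if now is None else now
            self._trusted[(user_id, device_fingerprint(user_id, attrs))] = now


def walkthrough():
    """Replay the sequence from the thread and return the OTP decisions."""
    auth = AdaptiveAuth()
    # Constructed sample request attributes, not captured data.
    firefox = {"user_agent": "Firefox/33.0", "accept_language": "fi-FI",
               "screen": "1920x1080", "timezone": "Europe/Helsinki"}
    chrome = dict(firefox, user_agent="Chrome/38.0")
    t0 = 1_414_500_000  # arbitrary fixed epoch so results are repeatable

    decisions = []
    decisions.append(("first login, Firefox", auth.needs_otp("jari", firefox, t0)))
    auth.otp_passed("jari", firefox, save_profile=True, now=t0)
    decisions.append(("next login, Firefox", auth.needs_otp("jari", firefox, t0 + 60)))
    decisions.append(("switch to Chrome", auth.needs_otp("jari", chrome, t0 + 120)))
    auth.otp_passed("jari", chrome, save_profile=False, now=t0 + 120)
    decisions.append(("Chrome again, not saved", auth.needs_otp("jari", chrome, t0 + 180)))
    decisions.append(("Firefox after TTL",
                      auth.needs_otp("jari", firefox, t0 + TRUST_TTL_SECONDS + 1)))
    return decisions


if __name__ == "__main__":
    for label, otp in walkthrough():
        print(f"{label:26s} -> {'OTP required' if otp else 'password only'}")
```

Running it prints the five decisions in order: OTP on the first login, password only once the profile is saved, OTP again on the other browser and again when that profile was not saved, and OTP once more when the saved profile has aged past the trust window. Anything that should raise the bar further (a new country, an impossible travel time, a fingerprint that matches but a session that looks scripted) would go into `needs_otp` as extra reasons to return `True`; the "save profile" answer never lowers the bar on its own.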