The following tables describe the delegation and authentication workflow for these authentication methods, with and without a temporary passcode:
- User ID – LDAP Password – Security Code
- User ID – Security Code
- User ID – Access PIN – Security Code
Note: This information applies to VIP EG 9.8 only if a delegation server is configured within the enterprise.
Authentication Method 1: User ID + LDAP Password + Security Code
Case A: A temporary passcode is set for the user
| Password Example | Last 6 Characters of Password | Residual Password | Workflow |
|---|---|---|---|
| Password123456 | Digits | Alpha-numeric | Authenticate the last 6 characters with VIP Service. If the authentication succeeds, perform an LDAP Bind with the residual user input. If the authentication fails, perform an LDAP Bind with the full user input. |
| 9876123456 | Digits | Digits | Delegate the user input to the Delegation server as it is unlikely that the entire password is numeric. |
| Pas5w0rd | Alpha-numeric | Alpha-numeric | Strip the last 6 characters of the password and authenticate the same with the Cloud. If the authentication succeeds, the Cloud will ask the Validation Server to do an LDAP Bind with the residual user input. If the authentication fails, the Cloud will ask the Validation Server to do an LDAP Bind with the full user input. If the full input bind succeeds, it will lead to Out-of-Band (OOB) authentication. |
Case B: A temporary passcode is not set for the user
| Password Example | Last 6 Characters of Password | Residual Password | Workflow |
|---|---|---|---|
| Password123456 | Digits | Alpha-numeric | Delegate the user input to the Delegation server as it is unlikely that all the last 6 characters of the LDAP password are numeric. This could be a case of RSA PIN + OTP. |
| 9876123456 | Digits | Digits | Delegate the user input to the Delegation server as it is unlikely that the entire password is numeric. |
| Pas5w0rd | Alpha-numeric | Alpha-numeric | Strip the last 6 characters and authenticate the same with the Cloud. If the authentication succeeds, the Cloud will ask the Validation Server to do an LDAP Bind with the residual user input. If the authentication fails, the Cloud will ask the Validation Server to do an LDAP Bind with the full user input. If the full input bind succeeds, it will lead to Out-of-Band (OOB) authentication. |
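The Method 1 rows above amount to a routing decision on the contents of the password field. The following sketch is an added illustration, not the product's code: the function and enum names are hypothetical, and inputs that the tables do not list are reported as such rather than guessed.

```python
from enum import Enum

CODE_LEN = 6  # the tables always split off the last 6 characters


class Route(Enum):
    VIP_THEN_BIND = "authenticate last 6 with VIP Service, then LDAP bind"
    CLOUD_THEN_BIND = "authenticate last 6 with the Cloud, then LDAP bind"
    DELEGATE = "pass the input unchanged to the Delegation server"
    NOT_LISTED = "combination not listed in the tables"


def kind(text):
    """Label a fragment the way the table columns do."""
    only_digits = bool(text) and all(c in "0123456789" for c in text)
    return "digits" if only_digits else "alpha-numeric"


def route_method1(user_input, temp_passcode_set):
    """Pick the Method 1 table row for the password field contents."""
    if len(user_input) <= CODE_LEN:
        return Route.NOT_LISTED  # no residual password; the tables show no such row
    residual, last6 = user_input[:-CODE_LEN], user_input[-CODE_LEN:]
    if kind(last6) == "digits":
        if kind(residual) == "digits":
            return Route.DELEGATE  # entirely numeric input, Case A and Case B
        # Numeric tail after an alpha-numeric password: Case A tries VIP
        # Service first, Case B delegates (possible RSA PIN + OTP).
        return Route.VIP_THEN_BIND if temp_passcode_set else Route.DELEGATE
    if kind(residual) == "alpha-numeric":
        return Route.CLOUD_THEN_BIND  # same row in Case A and Case B
    return Route.NOT_LISTED  # numeric residual with alpha-numeric tail


def ldap_bind_secret(user_input, code_ok):
    """Value used for the LDAP bind once the 6-character check has returned."""
    # Success: bind with the residual input. Failure: bind with the full input.
    return user_input[:-CODE_LEN] if code_ok else user_input
```
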
Authentication Method 2: User ID – Security Code
Case A: A temporary passcode is set for the user
| Input Example | Workflow |
|---|---|
| 123456 | Authenticate the user input with VIP Service. There is no need to delegate the user input to the Delegation server. |
| Push secret (push/send) | Perform Out-of-Band (OOB) authentication. There is no need to delegate the user input to the Delegation server. |
Case B: A temporary passcode is not set for the user
| Input Example | Workflow |
|---|---|
| 123456 | Delegate the user input to the Delegation server. |
| Push secret (push/send) | Perform Out-of-Band (OOB) authentication. There is no need to delegate the user input to the Delegation server. |
Authentication Method 3: User ID – Access PIN – Security Code
Case A: A temporary passcode is set for the user
| Input Examples | Workflow |
|---|---|
| 123456, 1234123456, abcd123456, 1234 | If the Access PIN is set, then authenticate the user input with VIP Service. This may result in Out-of-Band (OOB) authentication. If the Access PIN is not set, then delegate the user input to the Delegation server. |
Case B: A temporary passcode is not set for the user
| Input Examples | Workflow |
|---|---|
| 123456, 1234123456, abcd123456, 1234 | If the Access PIN is set, and Out-of-Band (OOB) authentication is enabled, and the user has a valid OOB, then authenticate the user input with VIP Service. If the Access PIN is not set, then delegate the user input to the Delegation server. |