3.5 Logon using authentication codes
For systems that use the MyID authentication server, you can configure MyID to allow a person to request a single-use authentication code that is sent to their email address or as an SMS message to their cell phone.
Once you have received an authentication code, you can use it to authenticate to the MyID authentication server, and therefore access
For information on using this authentication mechanism to carry out end-user authentication for your own external systems, see the Configuring the web service for OpenID Connect section in the MyID Authentication Guide.
Alternatively, you can configure MyID to allow an operator to request a single-use authentication code to be provided to another person for them to use to authenticate to the MyID authentication server. See the Sending an authentication code to a person and Viewing an authentication code for a person sections in the MyID Operator Client guide for details of sending or viewing authentication codes.
To set up MyID to use authentication codes:
-
Set the configuration options:
-
From the Configuration category, select Security Settings.
-
On the Logon Mechanisms tab, set the following:
-
Authentication Code Logon – set this option to Yes to allow logon using single-use authentication codes. If this option is set to No, the Authentication Code option does not appear on the sign in screen.
-
-
On the Logon tab, set the following:
-
Maximum Allowed OTP Failures – set this option to the maximum number of times you can attempt to enter a single-use authentication code. Once the number of failures exceeds this value, you cannot use the authentication code, and must request a new one.
-
-
On the Auth Code tab, set the following:
-
Auth Code Complexity – specify the complexity of codes when there is no complexity specified in an email template (for example, when an operator views a code on screen).
-
Complex – uses the complexity determined by the Complex Logon Code Complexity configuration option. This is the default.
-
Simple – uses the complexity determined by the Simple Logon Code Complexity configuration option.
-
-
Auth Code Lifetime – set this to the number of hours for which a long lifetime authentication code is valid. To set long lifetime authentication codes for no expiry, set this value to 0. The default is 720 hours (30 days). With no expiry, a code that is never entered stays valid until it is used or the failure limit is reached, so use 0 only where a business process requires it.
The long lifetime is used for operator-requested authentication codes when the operator selects the long lifetime at the request screen.
-
Auth Code Lifetime for Immediate Use – set this to the number of seconds for which a short lifetime authentication code is valid for logging on to the MyID Operator Client. To set short lifetime authentication codes for no expiry, set this value to 0. The default is 120 seconds.
The short lifetime is used for self-requested authentication codes, and for operator-requested authentication codes when the operator selects the short lifetime at the request screen.
-
-
Click Save changes.
-
-
Configure the logon methods for the roles:
-
From the Configuration category, select Edit Roles.
-
Click Logon Methods, and select the Authentication Code option for each role you want to be able to log on using an authentication code.
-
Click OK.
-
If you want an operator to be able to send or view codes from the View Person screen in the MyID Operator Client, make sure the operator has the Send Auth Code for Logon or View Auth Code for Logon options selected for their role.
-
Click Save Changes.
-
-
From the Configuration category, select Email Templates.
The methods of delivery for the authentication code are determined by the enabled status of the following email templates:
-
For authentication codes requested by the person at the login screen for their own use:
-
Self Requested Authentication Code Email – used to send an authentication code in an email message to the person's configured email address. By default, this delivery method is enabled.
-
Self Requested Authentication Code SMS – used to send an authentication code in an SMS message to the person's configured cell phone number. By default, this delivery method is disabled.
Make sure the delivery methods you want to use are enabled. You can choose one or both of the delivery methods. If you disable both templates, a person can still use an authentication code to log in, but it must be requested by an operator.
-
-
For authentication codes requested by an operator for another person to use at the logon screen:
-
Authentication Code Email – used to send an authentication code in an email message to the person's configured email address. By default, this delivery method is enabled.
-
Authentication Code SMS – used to send an authentication code in an SMS message to the person's configured cell phone number. By default, this delivery method is disabled.
Make sure the delivery methods you want to use are enabled. You can choose one or both of the delivery methods. If you disable both templates, a person can still request an authentication code for their own use (provided the appropriate self request templates are enabled), or an operator can view an authentication code using the View Auth Code feature.
-
Note: The complexity of the code is determined by the Complexity option configured in the email template. See section 13.2, Changing email messages for details.
Important: You can edit the content of the email templates, and enable or disable them, but do not change the Transport option, or the notifications will no longer work correctly.
-
-
Set up an SMTP server.
Note: If your business process requires operators to generate codes for other people and view codes on their screens, and you do not intend to send any codes from the MyID server through email or SMS, you do not have to set up an SMTP server.
See the Setting up email section in the Advanced Configuration Guide for details.
-
If you are using SMS to send the authentication codes, configure your system for SMS notifications:
-
From the Configuration category, select Operation Settings.
-
On the General tab, set the following:
-
SMS email notifications – set to Yes.
-
SMS gateway URL for notifications – set to the URL of your SMS gateway.
By default, SMS messages are sent through an email-to-SMS gateway, addressed in the format <cellnumber>@<gateway>, where:
-
<cellnumber> – the cell phone number from the person's record.
-
<gateway> – the URL from the SMS gateway URL for notifications option.
If this is not suitable, you can customize the sp_CustomPrepareSMS stored procedure in the MyID database.
-
-
-
Click Save changes.
-
-
Recycle the web service app pools:
- On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
- Right-click the myid.web.oauth2.pool application pool, then from the pop-up menu click Recycle.
- Right-click the myid.rest.core.pool application pool, then from the pop-up menu click Recycle.
This ensures that the MyID Operator Client picks up the configuration changes.
Note: You must recycle the app pools whenever you make a change to these settings; for example, when changing the availability of email templates or changing the value of a configuration option.
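The recycle step above can be scripted so it is repeated exactly the same way after every settings change. The following is an added example written for this page, not a script supplied with MyID; it uses the IIS WebAdministration module from an elevated PowerShell session on the MyID web server, and assumes the application pools have the names given above.

```powershell
# Added example (not part of the MyID product): recycle the two MyID
# application pools and confirm each one is running afterwards.
# Run from an elevated (Administrator) PowerShell session on the MyID web server.
Import-Module WebAdministration

# Pool names as listed in the MyID documentation for this step.
$pools = @('myid.web.oauth2.pool', 'myid.rest.core.pool')

foreach ($name in $pools) {
    # Fail early if the pool name does not exist rather than silently skipping it.
    if (-not (Test-Path "IIS:\AppPools\$name")) {
        throw "Application pool '$name' not found; check the pool names in IIS Manager."
    }

    # A stopped pool cannot be recycled, so start it first.
    if ((Get-WebAppPoolState -Name $name).Value -eq 'Stopped') {
        Start-WebAppPool -Name $name
    }

    # Restart-WebAppPool stops and starts the pool, which makes the worker
    # process reload its configuration in the same way as Recycle in IIS Manager.
    Restart-WebAppPool -Name $name

    $state = (Get-WebAppPoolState -Name $name).Value
    if ($state -ne 'Started') {
        throw "Application pool '$name' is in state '$state' after recycle."
    }
    Write-Host "Recycled $name (state: $state)"
}
```

Restart-WebAppPool drops in-flight requests on the pool; if you prefer the overlapping recycle that IIS Manager performs, call the Recycle() method on the pool object returned by Get-Item "IIS:\AppPools\<name>" instead. Run the script again whenever you change an email template's enabled status or one of the configuration options listed above.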
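To reason about what a given combination of Maximum Allowed OTP Failures, Auth Code Lifetime and Auth Code Lifetime for Immediate Use permits, it helps to see the rules written out as code. The following is an added illustration for this page, not MyID's own validation logic: it models a single-use code with the two lifetimes (0 meaning no expiry) and a failure counter. The setting values, the sample code string, the issue time and the way the failure limit is applied (locking once the number of failures reaches the maximum; the page says "exceeds", so check the exact boundary in your deployment) are assumptions made for the example.

```powershell
# Added example (not MyID's own code): a model of how the authentication code
# settings on the Logon and Auth Code tabs interact. All values are assumed.
$Config = @{
    MaxAllowedOtpFailures        = 3     # Maximum Allowed OTP Failures (assumed value)
    AuthCodeLifetimeHours        = 720   # Auth Code Lifetime, long codes (0 = no expiry)
    AuthCodeLifetimeImmediateSec = 120   # Auth Code Lifetime for Immediate Use, short codes
}

function New-AuthCodeRecord {
    param(
        [string]$Code,
        [datetime]$IssuedAt,
        [ValidateSet('Short', 'Long')][string]$Lifetime
    )
    $seconds = if ($Lifetime -eq 'Short') { $Config.AuthCodeLifetimeImmediateSec }
               else { $Config.AuthCodeLifetimeHours * 3600 }
    # Both settings treat 0 as "never expires"; represent that as a null deadline.
    $expires = if ($seconds -eq 0) { $null } else { $IssuedAt.AddSeconds($seconds) }
    [pscustomobject]@{ Code = $Code; ExpiresAt = $expires; Failures = 0; Used = $false }
}

function Submit-AuthCodeAttempt {
    param([pscustomobject]$Record, [string]$Attempt, [datetime]$Now)
    $result = [pscustomobject]@{ Accepted = $false; Reason = '' }

    if ($Record.Used) {
        $result.Reason = 'code already used (single-use)'; return $result
    }
    if ($Record.Failures -ge $Config.MaxAllowedOtpFailures) {
        $result.Reason = 'failure limit reached; request a new code'; return $result
    }
    if ($null -ne $Record.ExpiresAt -and $Now -gt $Record.ExpiresAt) {
        $result.Reason = 'code expired'; return $result
    }
    if ($Attempt -ceq $Record.Code) {
        # Accepting the code consumes it, whatever lifetime remains.
        $Record.Used = $true
        $result.Accepted = $true; $result.Reason = 'accepted'; return $result
    }
    $Record.Failures += 1
    $result.Reason = "wrong code (failures so far: $($Record.Failures))"
    return $result
}

# Constructed sample: a self-requested (short lifetime) code and an
# operator-requested long lifetime code, both issued at the same time.
$issued = Get-Date '2024-01-01T09:00:00'
$short  = New-AuthCodeRecord -Code 'A7K2Q9' -IssuedAt $issued -Lifetime 'Short'
$long   = New-AuthCodeRecord -Code 'P3X8M1' -IssuedAt $issued -Lifetime 'Long'

Submit-AuthCodeAttempt $short 'WRONG1' $issued.AddSeconds(10)   # wrong code; counts a failure
Submit-AuthCodeAttempt $short 'A7K2Q9' $issued.AddSeconds(130)  # 130 s after issue, past the 120 s short lifetime
Submit-AuthCodeAttempt $long  'P3X8M1' $issued.AddDays(29)      # correct code within the 720 h long lifetime
Submit-AuthCodeAttempt $long  'P3X8M1' $issued.AddDays(29)      # the same code presented a second time
```

The model makes two properties of the configuration visible: a code set to no expiry (0) is only retired by successful use or by the failure counter, and a short lifetime code is useless after its 120 seconds even if it was never attempted. The string comparison here is a plain equality check for readability; it does not represent how MyID stores or compares codes.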