3.4 Authentication

When the user runs the Self-Service App, whether in interactive mode or wizard mode, they do not have to authenticate themselves until they actually start to carry out an action or a task. By default, the app uses the Windows account name of the logged-in user, and matches this against the SAMAccountName stored in the MyID database to return the list of available tasks.

Depending on how MyID is configured, the user can authenticate to the MyID server using the following methods:

• Smart card logon (not available for automation mode)

• Security phrase logon

• Windows authentication

• Authentication codes (not available for automation mode)

• External identity providers

  Note: You cannot use an external identity provider if the credential profile requires activation.

The user can also use various combinations; for example, smart card logon backed up by authentication codes.

See the Logon mechanisms section in the Administration Guide for details of setting up the various types of authentication. The Self-Service App uses the same configuration for authentication as MyID Desktop, with the addition of external identity providers; see section 4.15, Using an external identity provider.

The Self-Service App supports an additional authentication feature – you can specify the order of authentication methods that are presented to the user. See the Logon Priority page (Security Settings) section in the Administration Guide for details.

Note: Some actions have specific requirements.

• Change My Security Phrases – you can specify the logon priority.

• Reset My PIN – you must use the mechanisms configured in the credential profile or the global configuration options.

• Change My PIN – you must authenticate using your smart card, as you must log on to your card with the existing PIN to change it.

Carrying out tasks requires the appropriate authentication mechanism:

• Collecting updates, reprovision jobs, or certificate renewals requires the device PIN.

• Collecting new or replacement devices or activating devices requires the authentication set up in the credential profile and in the MyID system configuration.

When you set up the roles for access to particular workflows, you must make sure that the role has the correct logon methods; for example, if you add all the workflows to the Applicant role, and are using security phrase logon, you must set the Applicant role to have access to the Password logon mechanism.

You can configure this using the Logon Mechanisms dialog in the Edit Roles workflow; see the Assigning logon mechanisms section in the Administration Guide.