factor | Description | factor_detail | Description |
|---|---|---|---|
certificate | Authentication factors based on X.509 certificates and PKI infrastructure. | No factor details are provided for X.509 certificate authentication. | |
cram | cram = Challenge-Response Authentication Mechanism (e.g. https://csrc.nist.gov/glossary/term/CRAM) Authentication factors based on challenge-response mechanisms where the user must take some action to either calculate or approve the calculation of a response. | airlock_2fa_one_touch | One-Touch (Push) authentication with Airlock 2FA. |
airlock_2fa_mobile_only | Airlock 2FA authentication involving only a mobile device. | ||
airlock_2fa_qr_code | Airlock 2FA authentication using a QR code. | ||
cronto | A technology provided by OneSpan (Vasco) | ||
kobil_ast | A technology provided by Kobil | ||
matrixcard | Also known as "scratch list" | ||
mobile_id | A technology using a key storage in the mobile phone | ||
otp | otp = One Time Password Authentication factors based on one time passwords where the user must receive and return the one time password. This may involve hardware tokens or multiple communication channels. | airlock_2fa_passcode | Passcode authentication with Airlock 2FA |
digipass | A technology provided by OneSpan (Vasco) | ||
An OTP sent by email | |||
mtan | An OTP sent to a mobile phone | ||
oath | A TOTP calculated on a smartphone using an App | ||
radius | An implementation of the RADIUS protocol. | ||
secur_id | A technology provided by RSA | ||
password | Authentication factors based on knowledge: username/password, username/PIN, secret questions | No factor details are provided for username password authentication | |
preauth | States that the user cannot be authenticated using Airlock 2FA (before an actual factor is chosen). | airlock_2fa | May occur in the following scenarios:
|
token | Authentication factors based on tokens or tickets where the client must present a (bearer-) token to prove his authorization to act on behalf of the user. | iak | A method using an initial activation key (e.g. activation letter) |
kerberos | A method implementing the kerberos protocol | ||
oauth2 | A method implementing the OAuth 2.0 specification | ||
saml | A method implementing the SAML 2.0 specification |
Availability of authentication data
Authentication processes will provide factor information for the reporting logs if their components have been enhanced to produce such metadata. More specifically, authentication flow steps must return AuthenticationStepResults (REST engine) and AuthenticationResults must contain AuthenticationFactorInfo with AuthenticationFactorInfoItems (classic engine). IAM product components already provide such metadata. In order to benefit from detailed reporting data, custom components should also be enhanced to provide such metadata.