Separate User Identification and Password-only Authentication steps

Flexible authentication flows may require separate user identification and password entry steps. To support this feature the Password-only Authentication Step was introduced.

With the introduction of the Password-only Authentication Step in IAM 7.7 the existing Password Authentication Step was renamed to Username Password Authentication Step.

The Password-only Authentication Step must follow a user-identifying step. Because the user-identifying step responds before any password is checked, its response can reveal whether a given username exists, so this combination of steps is vulnerable to user enumeration attacks. If this is a concern, the Username Password Authentication Step should be used instead.

Use Case Scenarios for the Password-only Authentication Step

The following is an incomplete list of typical use case scenarios for the Password-only Authentication Step:

  • User-selectable authentication factor:
    • Step 1: The user provides the username.
    • Step 2: The user chooses whether a password, mTAN OTP or e-mail OTP will be used for authentication.
  • Password as fallback authentication mechanism:
    • Step 1: The user provides the username.
    • Step 2: The default authentication mechanism is a 2nd factor using push (e.g. Airlock 2FA). A button is provided (using Goto) to use password authentication.

Configuration of User Identification

A user-identifying step must be configured early in the flow since many steps rely on user information being present in the flow.

The following list shows a selection of steps that will always provide the required user-identifying information:

  • User Identification Step
  • SSO Ticket Authentication Step

Other steps (e.g. Remember-Me User Identifying Step) will act as a user-identifying step if the optional information is present.

Password-only Authentication Step

The Password-only Authentication Step is used to check the password after the user has been identified successfully. This step is typically placed right after a user-identifying step within an authentication flow, working as the first authentication factor.

The step offers the same features as the Username password authentication in the Loginapp REST API.
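The following is an added illustrative model, not Airlock IAM code, of the two flow shapes discussed on this page: a user-identifying step followed by a Password-only Authentication Step, and the combined Username Password Authentication Step. It shows why the password-only step needs a preceding identity in the flow context, and why the separated flow is the one exposed to user enumeration: its first response already differs for unknown usernames, while the combined step answers identically whether the username or the password is wrong. The step names mirror the page; the FlowContext class, the in-memory user store, the response strings and the hashing details are assumptions constructed for the example.

```python
"""Model of separated vs. combined authentication steps (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed user store: username -> (salt, PBKDF2-SHA256 hash). Not real data.
_SALT = b"constructed-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}


@dataclass
class FlowContext:
    """State carried from one step to the next within a single flow (assumed)."""
    identified_user: Optional[str] = None
    authenticated: bool = False
    history: List[str] = field(default_factory=list)


def _verify(username: str, password: str) -> bool:
    """Constant-shape password check: hash even for unknown users so the
    combined step takes the same path regardless of user existence."""
    entry = USERS.get(username)
    if entry is None:
        _hash(password, _SALT)
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash(password, salt), stored)


def user_identification_step(ctx: FlowContext, username: str) -> str:
    """User-identifying step. It must answer before any password is seen,
    so its response necessarily differs for unknown usernames."""
    ctx.history.append("user_identification")
    if username not in USERS:
        return "UNKNOWN_USER"
    ctx.identified_user = username
    return "CONTINUE"


def password_only_step(ctx: FlowContext, password: str) -> str:
    """Password-only Authentication Step: checks the password of the user
    already present in the flow context; refuses to run without one."""
    ctx.history.append("password_only")
    if ctx.identified_user is None:
        raise RuntimeError("Password-only step requires a preceding user-identifying step")
    if not _verify(ctx.identified_user, password):
        return "INVALID_CREDENTIALS"
    ctx.authenticated = True
    return "AUTHENTICATED"


def username_password_step(ctx: FlowContext, username: str, password: str) -> str:
    """Username Password Authentication Step: identification and password
    check in one step, so one uniform error covers both failure causes."""
    ctx.history.append("username_password")
    if not _verify(username, password):
        return "INVALID_CREDENTIALS"
    ctx.identified_user = username
    ctx.authenticated = True
    return "AUTHENTICATED"


def separated_flow(ctx: FlowContext, username: str, password: str) -> str:
    """Flow shape from the page: identify the user, then password-only step."""
    result = user_identification_step(ctx, username)
    if result != "CONTINUE":
        return result
    return password_only_step(ctx, password)


def leaks_user_existence(flow: Callable[[FlowContext, str, str], str]) -> bool:
    """Defender's check: with a wrong password, does the flow's response
    differ between a known and an unknown username?"""
    known = flow(FlowContext(), "alice", "wrong-password")
    unknown = flow(FlowContext(), "nobody", "wrong-password")
    return known != unknown


if __name__ == "__main__":
    print("separated flow leaks existence:", leaks_user_existence(separated_flow))
    print("combined step leaks existence: ", leaks_user_existence(username_password_step))
```

Running `leaks_user_existence` over both flow shapes is the check a reviewer of an authentication flow would want: the separated flow returns True because the identification step's `UNKNOWN_USER` is observable before any password is entered, while the combined step returns False. If enumeration is a concern for a given deployment, that check is what motivates choosing the Username Password Authentication Step, as the page recommends.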