Separate User Identification and Password-only Authentication steps
Flexible authentication flows may require separate user identification and password entry steps. To support this, the Password-only Authentication Step was introduced.
With the introduction of the Password-only Authentication Step in IAM 7.7 the existing Password Authentication Step was renamed to Username Password Authentication Step.
The Password-only Authentication Step must follow a user-identifying step. Because the username is collected in a step of its own, before any password is checked, the flow can reveal whether a given username exists; this combination of steps is therefore vulnerable to user enumeration attacks. If this is a concern, the Username Password Authentication Step, which takes username and password together, should be used instead.
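To make the enumeration caveat concrete, the following added example (not Airlock IAM code; a constructed model of a two-step flow) contrasts an identification step whose response differs for unknown usernames with one that always advances to the password-only step and answers every failed login identically. The user store, salt and step names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed user store: username -> (salt, PBKDF2 hash). Not IAM data.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Decoy credential: unknown usernames cost the same work as known ones.
_DECOY = (_SALT, _hash(secrets.token_hex(16), _SALT))


def identify_leaky(username: str) -> dict:
    """Step 1 as it must NOT behave: an unknown username ends the flow with
    a distinct error, so valid usernames can be told apart before any
    password is tried."""
    if username not in USERS:
        return {"next": "ERROR", "reason": "unknown user"}
    return {"next": "PASSWORD_ONLY", "user": username}


def identify_uniform(username: str) -> dict:
    """Step 1, hardened: always advance to the password-only step."""
    return {"next": "PASSWORD_ONLY", "user": username}


def password_only_step(flow_state: dict, password: str) -> dict:
    """Step 2: verify the password for the user identified in step 1.
    Unknown users are checked against the decoy so that timing and the
    returned result are the same as for a wrong password."""
    salt, expected = USERS.get(flow_state["user"], _DECOY)
    ok = hmac.compare_digest(_hash(password, salt), expected)
    ok = ok and flow_state["user"] in USERS
    if ok:
        return {"next": "AUTHENTICATED", "reason": None}
    return {"next": "ERROR", "reason": "authentication failed"}


def run_flow(identify, username: str, password: str) -> dict:
    """Run identification, then the password-only step if the flow continues."""
    state = identify(username)
    if state["next"] != "PASSWORD_ONLY":
        return state
    return password_only_step(state, password)
```

With the uniform variant, a wrong password for an existing user and any password for a non-existent user produce the same response, which is the property the combined Username Password Authentication Step gives by design.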
Use Case Scenarios for the Password-only Authentication Step
The following is an incomplete list of typical use case scenarios for the Password-only Authentication Step:
- User-selectable authentication factor:
  - Step 1: The user provides the username.
  - Step 2: The user chooses whether a password, an mTAN OTP or an e-mail OTP is used for authentication.
- Password as fallback authentication mechanism:
  - Step 1: The user provides the username.
  - Step 2: The default authentication mechanism is a second factor using push notification (e.g. Airlock 2FA). A button, implemented with Goto, lets the user switch to password authentication instead.
Configuration of User Identification
A user-identifying step must be configured early in the flow since many steps rely on user information being present in the flow.
The following list shows a selection of steps that will always provide the required user-identifying information:
- User Identification Step
- SSO Ticket Authentication Step
Other steps (e.g. the Remember-Me User Identifying Step) act as a user-identifying step only if the optional user information is present.
Password-only Authentication Step
The Password-only Authentication Step is used to check the password after the user has been identified successfully. This step is typically placed right after a user-identifying step within an authentication flow, working as the first authentication factor.
The step offers the same features as the Username Password Authentication Step in the Loginapp REST API.