Quicklog authentication
Quicklog authentication ensures that the OTP of one of the tokens assigned to a user is accepted by STA even if a challenge is triggered. When Quicklog is not enabled, STA accepts only the OTP of the challenge-triggered token. This feature works only when pre-authentication rules are configured with [LDAP/AD password validation].
To enable Quicklog authentication:
-
On the STA Token Management console, select the Comms tab, expand the Authentication Processing module, and then select Multi-Mode Authentication Settings.
-
Select the Allow Quicklog authentication when Challenge-Response or Push OTP is triggered checkbox.
-
Click Apply.
Example: Quicklog and pre-authentication rules
The following sample shows the effect of Quicklog mode when pre-authentication rules are applied, including challenge-response (CR) mode and Quicklog (QL) mode.
Always validate the LDAP/AD password. If LDAP/AD authentication fails, reject the authentication. If LDAP/AD authentication succeeds, enforce a challenge prompt for a manual trigger.
| Authentication Case | Quicklog disabled | Quicklog enabled |
|---|---|---|
| With Pre-Auth Rule | ||
| User has AD pwd and SMS (CR) token | Challenge after AD validation | Challenge after AD validation |
| User has AD pwd and MPP (QL) | Error after AD validation | Challenge after AD validation |
| User has AD pwd and Push MPP (QL) *1 (Automatic trigger) | Push received after AD validation | Push received after AD validation |
| User has AD pwd and SMS (CR) and Push MPP (QL) (Automatic trigger) | Push received after AD validation | Push received after AD validation |
| User has AD pwd and Push MPP (QL) *1 (Manual trigger) | Empty challenge received, enter OTP from MPP or trigger PUSH | Empty challenge received, enter OTP from MobilePASS+ or trigger Push. The challenge can be processed through existing valid SMS token. |
| User has AD pwd and SMS (CR) and Push MPP (QL) (Manual trigger) | Empty challenge received, enter OTP from MPP or trigger PUSH. The SMS feature doesn't work. | Empty challenge received, enter OTP from MPP or trigger PUSH. The challenge can be processed through new or existing valid SMS token. |
| User has AD pwd and SMS (CR) and non-Push MPP (QL) | Challenge after AD validation but AUTH fails with MPP passcode | Challenge after AD validation and AUTH succeeds with MPP passcode |
| Without Pre-Auth Rule (Authentication triggers on blank passcode field) | ||
| SMS (CR) token | Challenge | Challenge |
| MPP (QL) | Error | Error |
| Push MPP (QL) | Push received | Push received |
| SMS (CR) and Push MPP (QL) | Push received | Push received |
| SMS (CR) and non-Push MPP (QL) | Challenge but AUTH fails with MPP passcode | Challenge and AUTH succeeds with MPP passcode |
*1: Push is sent on providing AD password, on approving the request authentication is successful. The NtRadping tool, in this case, does not show a challenge, but waits for authentication to complete.