ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

[CA Mobile OTP Roaming flow in CA Adapter] Can I re-download the AOTP account in another device?

book

Article ID: 103780

calendar_today

Updated On:

Products

CA Rapid App Security CA Advanced Authentication CA API Gateway

Issue/Introduction

What is Roaming flow of ArcotID OTP?

The Advanced Authentication service offers roaming capabilities to enable end users to download their ArcotID OTP securely and authenticate from any system when the need arises. Roaming users who do not have the ArcotID OTP application or JavaScript Client on their device can set up a different device to retrieve their ArcotID OTP credential from the Advanced Authentication service. The downloaded ArcotID OTP can then be used to authenticate to any protected resource in a browser.

To enable roaming, one or more secondary authentication mechanisms must be configured for the user during enrollment. At runtime, if secondary authentication is successful, the ArcotID OTP credential is downloaded to the end user's device.

If Security Code is used for secondary authentication, during enrollment the end user is prompted to provide additional private information, which is composed of a series of user-defined question and answer pairs. Similarly, if security code is used for secondary authentication, during enrollment the end user is prompted to provide an email address or telephone number to which the security code must be sent. At runtime, an end user who tries to download the ArcotID OTP from a different device is first authenticated using the questions and answers or the security code that they received as an email message, SMS, or voice message.



Where is the AOTP re-download link available in out-of-box CA Adapter (arcotafm)?
In AOTP verification page (where user required to enter OTP) there are links forĀ "Forgot CA Mobile OTP PIN?" or "Download AOTP card on different device". User can reset Pin using the first option(Forgot CA Mobile OTP PIN?), this will recreate the AOTP account at the server end and the new one will be downloaded on the end user device. All existing AOTP accounts will not work any more. Using the second option(Download AOTP card on different device) a user can re-download the existing AOTP account to another device.

<Please see attached file for image>

AOTP Roaming flow

Environment

CA Strong Authentication - CA Mobile OTP (also known as Arcot OTP or AOTP)

Resolution

Why I don't see "Download AOTP card on different device" link in arcotafm verify OTP page?
The user can add same AOTP credential on multiple devices like Desktop and Mobile at the same time. This feature is only supported for TOTP (i.e. Roaming flow is only supported by TOTP), this is functionality is not supported for HOTP. Make sure you have below configured in your AOTP profile.

<Please see attached file for image>

TOTP configuration

HOTP = Counter based OTP
TOTP = Time based OTP

Attachments

1558700407751000103780_sktwi1f5rjvs16k4e.jpeg get_app
1558700405626000103780_sktwi1f5rjvs16k4d.jpeg get_app
Powered by Wolken Software