IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2

Authorization code authentication

An authorization code is a system-generated code used as an authentication factor for specific scenarios. There are two types of authorization code: online authorization code and offline authorization code.

An Administrator or Helpdesk can:

Issue authorization codes through AccessAdmin. If the self-service authorization code feature is deployed, user can request for an authorization code through a mobile phone (SMS).
Revoke the last-issued authorization code through AccessAdmin. However, the revocation prevents the user from reusing the same authorization code.

Online authorization code

Use this code if AccessAgent can connect to the IMS Server. The user can use the code several times until the code expires. The minimum code expiry is one day.

The online authorization code is used for:

Online password reset
AccessAgent asks the user for an authorization code and a secret.
Registration of authentication factor
AccessAgent asks for the authorization code and password for the registration of the second authentication factor device of a particular kind.
Temporary bypass of authentication factor
An authorization code is required as a temporary replacement when the user has forgotten or lost the authentication factor or the device reader is not working or is missing.

A temporary password-only lock is created for the Wallet on the computer. This temporary password-only lock expires when the authorization code expires. As such, the user can log on to the Wallet by just providing the user name and password until the authorization code expires.

Using the IMS Configuration Utility, you can:

Configure the length of the authorization code.
The code has a default of 12 characters and can have a maximum of 32 characters. Use the character set: 0123456789ABCDEF for an online authorization code. The code is not case sensitive and any hyphens entered are ignored.
Configure the validity period.
The available options are at least one day and a maximum of 31 days. One month is the period from the issue date to the same day of the next month. The exact number of days depends on the month of issue. For example: From August 26 2012, 3 p.m. to September 26 2012, 3 p.m.

Offline authorization code

Use this code if AccessAgent cannot connect to the IMS Server. The user can use the offline authorization code once because the code is issued based on the request code that is displayed on AccessAgent.

The user must have a cached Wallet to use an offline authorization code.

The offline authorization code is used for

Temporary password reset
AccessAgent asks the user for an authorization code and a secret.
Temporary bypass of authentication factor
For example, the user lost the second authentication factor and cannot log on to AccessAgent because the Wallet authentication policy requires the second authentication factor. If the user clicks but I do not have, AccessAgent asks for an authorization code as a temporary replacement for the second factor.

A temporary password-only lock is created for the Wallet on the computer. This temporary password-only lock expires when the authorization code expires. As such, the user can log on to the Wallet by just providing the user name and password until the authorization code expires.

You have the following options:

Offline authorization codes are 16 characters long. Request codes are eight characters long and the codes change every minute.

The default character set for both the request code and authorization code is Z3467ACEFHJKRWXY. The code is not case sensitive and any hyphens entered are ignored.
Configure the validity period through AccessAdmin.
The available options are at least one day and a maximum of 31 days. One month is the period from the issue date to the same day of the next month. The exact number of days depends on the month of issue. For example: From August 26, 2011, 3 p.m. to September 26, 2011, 3 p.m.

Feedback