Predefined authentication policies
Authentication policies are workflows. They specify the authentication mechanisms that are required so the user can access a resource.
Each step in the workflow consists of an authentication mechanism. Each mechanism has requirements with which the user must comply to successfully authenticate. Most authentication policies require that the user present some credentials, but some requirements can be completed without any user action. The following table describes the predefined authentication policies:
| Policy | The user authenticates |
|---|---|
| Consent Register Device | When prompted for consent to register a device. Optionally, the user can assign a name to the device to be registered. |
| Email Message | Email Message authentication policy. |
| Email One-Time Password | With a one-time password that is delivered by email. The one-time password value is generated and verified with the MAC one-time password provider. |
| End-User License Agreement | With the End-User License Agreement. |
| FAPI Cert Authentication | With FAPI Certificate based Client Authentication. |
| HOTP One-Time Password | With a counter-based, one-time password. No one-time password delivery is required. The one-time password value is verified with the HOTP one-time password provider. |
| HTTP Redirect | With the HTTP redirect authentication policy. |
| Knowledge Questions | With knowledge questions. |
| MAC One-Time Password | With a MAC one-time password. The user is prompted for a password delivery method. |
| MMFA Fingerprint Authentication | With an MMFA Transaction. This policy initiates an MMFA transaction. |
| MMFA Fingerprint Authentication Response | With fingerprint authentication through a registered MMFA authenticator. |
| MMFA User Presence Authentication | With an MMFA Transaction. This policy initiates an MMFA transaction. |
| MMFA User Presence Authentication Response | With user presence authentication through a registered MMFA authenticator. |
| One-Time Password | With a one-time password. The user is prompted for the type of one-time password to use. |
| QR Code Login Initiate | With a QR Code scanned by an authenticator. This policy initiates a QR Code login. |
| QR Code Login Response | With login through a registered QR Code authenticator. |
| reCAPTCHA | With reCAPTCHA verification policy. |
| reCAPTCHA V3 | With reCAPTCHA V3 verification policy. |
| RSA SecurID | With a user name and password and RSA SecurID authentication. |
| SMS One-Time Password | With a one-time password that is delivered by SMS. The one-time password value is generated and verified with the MAC one-time password provider. |
| TOTP One-Time Password | With a time-based one-time password. No one-time password delivery is required. The one-time password value is verified with the TOTP one-time password provider. |
| Two-factor - Username Password and HOTP | With a user name and password and an HOTP one-time password. |
| Two-factor - Username Password and MAC | With a user name and password and a MAC one-time password. |
| Two-factor - Username Password and RSA | With a user name and password and an RSA one-time password. |
| Two-factor - Username Password and TOTP | With a user name and password and a TOTP one-time password. |
| Two-factor - Username Password and OTP | With a user name and password and a MAC one-time password. The user is prompted to select the type of one-time password to use. |
| Two-factor - Username Password and Email | With a user name and password and a MAC one-time password. The one-time password is delivered through email. |
| Two-factor - Username Password and SMS | With a user name and password and a MAC one-time password. The one-time password is delivered through SMS. |
| Two factor - Username Password and End-User License Agreement | With a user name and password and the End-User License Agreement. |
| Two-factor - Username Password and Knowledge Questions | With both of the following: |
| Username Password | With a user name and password. |
Several predefined authentication policies do not end in authentication and are instead used for user self-care (USC) flows. The following table describes the USC predefined authentication policies:
| Policy | Description |
|---|---|
| USC Account Create | New user enrollment policy that requires reCAPTCHA and email one-time password. |
| USC Lost ID | Lost ID policy, requiring reCAPTCHA. |
| USC Passkey Account Create | New user enrollment policy that requires reCAPTCHA and email one-time password, and prompts the user to enroll a passkey. |
| USC Password Reset | Password reset policy that requires reCAPTCHA and email one-time password. |