Permitting access after one-time password authentication

Security Access Manager can prompt users for a one-time password when they request access to a protected resource. The policy in this task handles both cases: it permits access to users whose session already includes a one-time password authentication, and it prompts all other users for a one-time password and permits access once they provide a valid one.

Before you begin

Configure the TOTP one-time password mechanism. See Configuring a TOTP one-time password mechanism.

About this task

Use the steps in this scenario task to create a policy that permits access after the user authenticates with a one-time password.

Procedure

  1. Log in to the local management interface.
  2. Click Secure Access Control.
  3. Under Policy, click Access Control.
  4. In the center panel, click Add policy.
  5. Enter a name for the policy.
  6. In the Rules section, set the Precedence property to First.
    As a result, the policy returns the decision of the first rule that evaluates to true, and later rules are not consulted. Rule order therefore matters: the rule that checks for an existing one-time password authentication must come before the unconditional rule.
  7. Click Add Rule.
  8. Select authenticationTypes from the attribute list.
  9. Select has member as the operator.
  10. Type urn:ibm:security:authentication:asf:totp as the value.
    The authenticationTypes attribute records the authentication mechanisms the user completed for the current session. If this value is a member, the request was already authenticated with a one-time password and no further prompt is needed.
  11. In the Decision list, select Permit.
  12. Click OK to complete the rule.
  13. Click the arrow next to Add Rule.
  14. Click Unconditional rule.
  15. In the Decision list, select Permit with authentication.
  16. In the Authentication list, select TOTP One-time Password.
    Because this rule is unconditional, every request that did not match the first rule reaches it, and the user is prompted for a one-time password. After the user provides a valid one-time password, access is permitted.
  17. Click OK.

Results

This scenario uses the following settings in the policy editor.
  • Precedence: First
  • Attributes: Optional
  • Rule 1: If authenticationTypes has member "urn:ibm:security:authentication:asf:totp" Then Permit
  • Rule 2: Permit with Authentication TOTP One-time Password
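The following is an added example, not code from Security Access Manager or its documentation: a small Python model of how the two-rule policy summarized above is evaluated. It illustrates what Precedence: First means in practice, how the has member operator behaves on the multi-valued authenticationTypes attribute (including when the attribute is absent), and why the rule order matters. The attribute name and the TOTP URN are the ones used in this task; the request context shape, the function names, the decision strings and the placeholder password URN are assumptions made for this illustration.

```python
"""
Added example, not part of Security Access Manager or its documentation: a
small model of how the two-rule policy built in this task is evaluated. It
illustrates first-applicable precedence ("Precedence: First") and the
"has member" operator on the multi-valued authenticationTypes attribute.
The attribute name and the TOTP URN are taken from the task; the request
context shape, function names, decision strings and the placeholder
password URN are assumptions made for this illustration.
"""

# Value from the task: the URN the TOTP mechanism adds to authenticationTypes.
TOTP_URN = "urn:ibm:security:authentication:asf:totp"

# Constructed placeholder for a non-TOTP mechanism; not a product identifier.
PASSWORD_URN = "urn:example:authentication:password"

# Decision labels used by this model (illustrative names).
PERMIT = "Permit"
PERMIT_WITH_AUTH = "Permit with authentication"
TOTP_MECHANISM = "TOTP One-time Password"


def has_member(context, attribute, value):
    """Model of the 'has member' operator.

    True only when the attribute is present and contains value. A missing
    attribute makes the rule false (modelling the 'Attributes: Optional'
    setting in the policy summary), so evaluation falls through to the
    next rule instead of failing.
    """
    members = context.get(attribute)
    if members is None:
        return False
    if isinstance(members, str):       # tolerate a single-valued attribute
        members = [members]
    return value in members


# The policy from this task, in rule order. Each rule is (condition, decision).
POLICY = [
    # Rule 1: If authenticationTypes has member TOTP_URN Then Permit
    (lambda ctx: has_member(ctx, "authenticationTypes", TOTP_URN),
     (PERMIT, None)),
    # Rule 2: unconditional, Permit with authentication TOTP One-time Password
    (lambda ctx: True,
     (PERMIT_WITH_AUTH, TOTP_MECHANISM)),
]


def evaluate(policy, context):
    """First-applicable evaluation: the decision of the first rule whose
    condition is true wins and later rules are not consulted."""
    for condition, decision in policy:
        if condition(context):
            return decision
    return ("Deny", None)   # unreachable here because rule 2 is unconditional


def step_up(context, mechanism_urn):
    """Model the effect of a successful step-up authentication: the session's
    authenticationTypes now also contains the mechanism that just ran."""
    types = list(context.get("authenticationTypes", []))
    if mechanism_urn not in types:
        types.append(mechanism_urn)
    return {**context, "authenticationTypes": types}


def walk_through():
    """Run the constructed scenarios and return their decisions."""
    # Constructed request contexts for the demonstration.
    no_attribute = {}
    password_only = {"authenticationTypes": [PASSWORD_URN]}

    first = evaluate(POLICY, password_only)                           # prompted
    after_totp = evaluate(POLICY, step_up(password_only, TOTP_URN))   # permitted

    # Reversed rule order: the unconditional rule wins every time, so even a
    # user who just completed TOTP is prompted again. This is why Rule 1
    # must precede the unconditional rule under 'First' precedence.
    reversed_policy = list(reversed(POLICY))
    wrong_order = evaluate(reversed_policy, step_up(password_only, TOTP_URN))

    return {
        "missing_attribute": evaluate(POLICY, no_attribute),
        "password_only": first,
        "after_totp": after_totp,
        "wrong_rule_order": wrong_order,
    }


if __name__ == "__main__":
    for scenario, decision in walk_through().items():
        print(f"{scenario:18s} -> {decision}")
```

The wrong_rule_order scenario is the caveat to keep in mind when editing this policy later: with First precedence, an unconditional Permit with authentication rule placed above the authenticationTypes check prompts every user for a one-time password on every request, including users who just supplied one.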