Permitting access after one-time password authentication

Security Verify Access can prompt users for one-time passwords when they request access to protected resources. We can use a policy to permit access to users who authenticated with a one-time password. Or, we can prompt them for the password and then permit access when they provide it.

Configure the TOTP one-time password mechanism. See Configure a TOTP one-time password mechanism.

Use the steps in this scenario task to create a policy that permits access after the user authenticates with a one-time password.

Steps

1. Log in to the local management interface.

2. Click AAC.

3. Under Policy, click Access Control.

4. In the center panel, click .

5. Enter a name for the policy.

6. In the Rules section, set the Precedence property to First. As a result, the policy returns a decision for the first rule in the policy that evaluates to true.

7. Click Add Rule.

8. Select authenticationTypes from the attribute list.

9. Select has member as the operator.

10. Type urn:ibm:security:authentication:asf:totp as the value. If this value is present, the request was already authenticated with a one-time password.

11. In the Decision list, select Permit.

12. Click OK to complete the rule.

13. Click the arrow next to Add Rule.

14. Click Unconditional rule.

15. In the Decision list, select Permit with authentication.

16. In the Authentication list, select TOTP One-time Password. This selection results in a request for a one-time password from the user.

17. Click OK.

This scenario uses the following settings in the policy editor.

• Precedence: First
• Attributes: Optional
• Rule 1: If authenticationTypes has member "urn:ibm:security:authentication:asf:totp" Then Permit
• Rule 2: Permit with Authentication TOTP One-time Password

Parent topic: Policy scenarios