Authenticator registration
The IBM Verify application uses the OAuth authorization grant flow to perform registration, which is launched by the user in a browser.
A button to initiate the registration flow is available in the device_selection.html page, which is an example page that demonstrates how the registration might be initiated. This page is available from the appliance File Downloads area at the path access_control/pages/C/mga/user/mgmt/device/device_selection.html.
When the button is clicked, it calls the OAuth authorize endpoint to obtain an authorization code. The user is then presented with a QR code that can be scanned by the IBM Verify application to complete registration. The following steps illustrate a typical authenticator registration flow.
- The user downloads and installs the IBM Verify application.
- The user logs in to the ISAM User Self Care (USC) with a desktop browser and clicks a button on the page that is presented by USC to initiate the registration flow.
- The browser starts the OAuth authorization code flow.
- Security Verify Access responds with a QR code.
- The user scans the QR code with the IBM Verify application.
- The IBM Verify application completes the registration automatically.
The Security Verify Access SDK supports registration without the need for browser initiation in custom applications and also supports the OAuth ROPC flow.
Authenticator registration is completed when an OAuth flow is completed with the scope set to mmfaAuthn. Other attributes that can be included and saved via the OAuth mapping rule are:
- Push token ID
- Application ID
- Device Name
- Device Type
- OS Version
- Fingerprint support included
- Front camera support included
- Tenant ID
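One way to check the scope and allow-list the attributes listed above before they are saved, as an added example in plain JavaScript (not IBM's code and not the product's mapping-rule API). Only the scope value mmfaAuthn comes from this page; the parameter names, length limits and patterns are assumptions for illustration.

```javascript
// Added example. Only the scope value "mmfaAuthn" comes from this page;
// parameter names, limits and patterns are assumptions for illustration.
const REGISTRATION_SCOPE = "mmfaAuthn";

// Allow-list: one rule per attribute the page says can be saved.
const ATTRIBUTE_RULES = {
  push_token:           { max: 512, pattern: /^[A-Za-z0-9:_.-]+$/ },
  application_id:       { max: 128, pattern: /^[A-Za-z0-9._-]+$/ },
  device_name:          { max: 64,  pattern: /^[\p{L}\p{N} ._'()-]+$/u },
  device_type:          { max: 64,  pattern: /^[A-Za-z0-9 ,._-]+$/ },
  os_version:           { max: 32,  pattern: /^[A-Za-z0-9 ._-]+$/ },
  fingerprint_support:  { bool: true },
  front_camera_support: { bool: true },
  tenant_id:            { max: 64,  pattern: /^[A-Za-z0-9-]+$/ },
};

function ruleFor(name) {
  // Own-property check so names like "constructor" never resolve to a rule.
  return Object.prototype.hasOwnProperty.call(ATTRIBUTE_RULES, name) ? ATTRIBUTE_RULES[name] : null;
}

// Returns { register, attributes, rejected }; nothing is kept unless the
// requested scope includes the registration scope.
function filterRegistrationAttributes(scopeParam, params) {
  const scopes = String(scopeParam || "").split(/\s+/).filter(Boolean);
  const result = { register: scopes.includes(REGISTRATION_SCOPE), attributes: {}, rejected: [] };
  if (!result.register) return result;
  for (const [name, raw] of Object.entries(params)) {
    const rule = ruleFor(name);
    if (!rule || typeof raw !== "string") { result.rejected.push(name); continue; }
    const value = raw.trim();
    if (rule.bool) {
      if (value === "true" || value === "false") result.attributes[name] = value === "true";
      else result.rejected.push(name);
    } else if (value.length > 0 && value.length <= rule.max && rule.pattern.test(value)) {
      result.attributes[name] = value;
    } else {
      result.rejected.push(name);
    }
  }
  return result;
}
```

Logging the `rejected` names (not their values) gives a record of clients that send unexpected or malformed registration attributes.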