Configure a QR Code authentication mechanism

The QR Code authentication mechanism is an authentication capability that permits a registered device to scan a QR Code to authenticate the user. It provides a completely alternative-to-password method of authenticating a user.

The mechanism requires users to scan a generated QR code to successfully authenticate using a previous registered application such as IBM Verify or an equivalent built on the IBM Verify SDK. The QR Code authentication mechanism operates in one of the following modes:

Initiate

In this mode the mechanism generates a QR code and displays it to the user. It then waits for the code to be scanned or a timeout period to be reached. The waiting process consists of polling the authentication policy using a device_session_index until it is associated with an authenticated user. Scanning the code results in the IBM Verify mobile application contacting a companion authentication policy. This policy uses the same mechanism in Response mode. After successful login with the QR Code scan, there are three attributes that are made available in the session context for downstream policies:

• urn:ibm:security:asf:qrcode.prompt- This is a confirmation message that might be used by other mechanisms to ensure the QR code login operation is what the user intended.
• urn:ibm:security:asf:qrcode.qr_login_session_index- This is analogous to the user_code from the OAuth device flow.
• urn:ibm:security:asf:qrcode.qr_device_session_index- This is analogous to the device_code from the OAuth device flow.

Response

In this mode the mechanism associates the login_session_index with the authenticated username from the request. Any associated policy using the QR code mechanism in Initiate mode that is polling on the device_session_index is unblocked and completed.

Steps

1. Log in to the local management interface.

2. Click AAC.

3. Under Policy, click Authentication.

4. Click Mechanisms.

5. Click QR Code.

6. Click .

7. Click the Properties tab.

   1. Select a property to configure.

   2. Click .

   3. Enter the value for that property.

   4. Click OK.

8. Take note of the properties for the mechanism.

   Timeout

   This is the period in seconds the QR code remains valid.

   Enable Browser Testing

   This is a flag that can be set such that if a registered device is not available to scan the QR Code, the user can simulate the back channel flow with another (authenticated) browser. This is only relevant when the mechanism is configured in Response mode and should only be used for testing the mechanism.

   1. Login to IBM Security Verify Access using a protected page. For example, <https://<reverseproxy>>.

   2. Navigate to the "backchannel" URL with a browser, where we are able to enter the login session index (LSI) to authenticate. The LSI is shown on the QR code login page in clear text for this reason: <https://<reverseproxy>/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:qrcode_response>

9. Click Save.

Parent topic: Authentication