Recent Changes - Search:


Mobile App-Google Authenticator

Mobile App / Google Authenticator

Tags: Authentication Methods

Problem Definition

You have an installation of PortalGuard and are interested in using the PortalGuard mobile app or Google Authenticator as a an authentication method.


Attach:Mobileapp1.jpg Δ

Allow Mobile Authenticator One-Time Passcodes - This setting allows users to authenticate with a One-time Password (OTP) from an enrolled mobile phone app. This is a good alternative when users do not have a cellphone signal. Google Authenticator and PortalGuard’s own Mobile Password Reset app are the only mobile apps supported and must be downloaded from the appropriate mobile app store.

Authenticator Description Template - This template controls the description displayed in the mobile authenticator above the generated TOTP. The following placeholders are supported:

  • {USER} - The user's login name
  • {EMAIL} - The user's email address (from the primary directory)
  • {SSPMEMAIL} - The user's self-service email address (typically enrolled with PG for SSPM purposes)

Allow Users to Override Description - Enable this setting if users should be allowed to set their own description. When enabled, the template is still evaluated and presented as the default value.

Mobile Authenticator OTP Type - The Google Authenticator app supports two different types of OTPs:

  • Time-based OTP (TOTP) - The OTP automatically changes every 30 seconds. Based on RFC 6238, this requires the PG server and mobile device clocks to be in synch.
  • HMAC-based OTP (HOTP) – An older method where OTPs are generated 'on demand' by end users. Based on RFC 4226, a numeric counter value is maintained on both the PG server and mobile app.

NOTE: PortalGuard's Mobile Password Reset app requires this field be set to TOTP.

Disable Enrollment - Completely prevents users from enrolling this authentication type during login to the PortalGuard website. The user can still enroll from the PortalGuard Account Management page.

Optional Enrollment - May remind unenrolled users to enroll during each login, but does not force them to.

Optional Enrollment Reminders - Three options for reminding unenrolled users:

  • Always - Always prompt the user until they actually enroll
  • Suppressible - Allows users to suppress the enrollment reminder by checking a box on the logon screen
  • Never - Never prompts the user to enroll regardless of their enrollment status

Force Enrollment - Forces users to enroll this authentication type before allowing them to login.

Maximum Enrollment Deferments - The maximum number of times users can defer/skip enrollment before being forced. Set to 0 to disable this functionality and force users to enroll during their next login.

Page last modified on March 14, 2016, at 02:56 PM