Quicklog authentication
Quicklog authentication ensures that the OTP of one of the tokens assigned to a user is accepted by SAS even if a challenge is triggered. When Quicklog is not enabled, SAS accepts only the OTP of the challenge-triggered token. This feature works only when pre-authentication rules are configured with LDAP/AD password validation.
To enable Quicklog authentication:
-
On the SAS Token Management console, select the Comms tab, expand the Authentication Processing module, and then select Multi-Mode Authentication Settings.
-
Select the Allow Quicklog authentication when Challenge-Response or Push OTP is triggered checkbox.
-
Click Apply.
Always validate the LDAP/AD password. If LDAP/AD authentication fails, reject the authentication. If LDAP/AD authentication succeeds, force challenge-response.
The following table shows an example of the effect of the multi-mode settings when a pre-authentication rule is or is not applied. The example in the table includes the challenge-response (CR) mode and Quicklog (QL) mode.
| Authentication Case | Multi-mode disabled | Multi-mode enabled |
|---|---|---|
| With Pre-Auth Rule | Allow Quicklog authenticaion option is disabled |
Allow Quicklog authenticaion option is enabled |
| User has AD pwd and SMS (CR) token | Challenge after AD validation | Challenge after AD validation |
| User has AD pwd and MPP (QL) | Error after AD validation | Challenge after AD validation |
| User has AD pwd and Push MPP (QL) *1 (Automatic trigger) | Push received after AD validation | Push received after AD validation |
| User has AD pwd and SMS (CR) and Push MPP (QL) (Automatic trigger) | Push received after AD validation | Push received after AD validation |
| User has AD pwd and Push MPP (QL) *1 (Manual trigger) | Empty challenge received, enter OTP from MPP or trigger Push | Empty challenge received, enter OTP from MPP or trigger PUSH. The challenge can be processed through existing valid SMS token. |
| User has AD pwd and SMS (CR) and Push MPP (QL) (Manual trigger) | Empty challenge received, enter OTP from MPP or trigger Push. The SMS feature doesn't work. | Empty challenge received, enter OTP from MPP or trigger PUSH. The challenge can be processed through new or existing valid SMS token. |
| User has AD pwd and SMS (CR) and non-Push MPP (QL) | Challenge after AD validation but AUTH fails with MPP passcode | Challenge after AD validation and AUTH succeeds with MPP passcode |
| Without Pre-Auth Rule (Authentication triggers on blank passcode field) | ||
| SMS (CR) token | Challenge | Challenge |
| MPP (QL) | Error | Error |
| Push MPP (QL) | Push received | Push received |
| SMS (CR) and Push MPP (QL) | Push received | Push received |
| SMS (CR) and non-Push MPP (QL) | Challenge but AUTH fails with MPP passcode | Challenge and AUTH succeeds with MPP passcode |
*1: Push is sent on providing AD password, on approving the request authentication is successful. The NtRadping tool, in this case, does not show a challenge, but waits for authentication to complete.