Verify a caller using MobilePASS+ push (Helpdesk push verification)
Helpdesk push verification lets a service-desk operator confirm a caller's identity by sending a MobilePASS+ push notification to the user's enrolled mobile device. Operators can use this verification before performing sensitive account actions such as password resets, PIN changes, or token revocation.
Unlike a normal push OTP (which is triggered by an end user during application sign-in — see Push OTP authentications), a helpdesk push is initiated by an operator from the STA Token Management console, and is used purely as a caller-identity check.
Prerequisites
Before you can send a helpdesk push:
- The user must have an active, push-enabled MobilePASS+ token. See Token management and enrollment.
- Push OTP must be enabled on the virtual server. See Enable push OTP and MobilePASS+.
- Your operator role must have Edit access to the Assignment > Authentication Methods module.
- The Helpdesk Push Verification feature must be enabled on the account. Contact your account administrator if you do not see the Send Push button.
Choose the verification mode
Helpdesk push verification uses the existing MobilePASS+ numerical-challenge setting on the virtual server to decide which mode to use:
- Numeric Challenge mode — When Enable MobilePass Numeric Challenge is selected on the virtual server (Policy > Token Policies > Authentication Policy), the operator's screen displays a 2-digit verification number. The user is shown three numbers in MobilePASS+ and must tap the matching one. This protects against the user blindly approving a request.
- Plain Push mode — When the numerical-challenge setting is cleared, no verification number is shown. The user simply taps Approve or Reject in MobilePASS+.
Both modes use the same operator workflow described below; only the panel contents and the user-side experience differ.
Send a push for verification
- On the STA Token Management console, search for the user on the Assignment tab.
- Click the User ID to open the user record.
- Expand Authentication Methods, select the user's MobilePASS+ token, and then click Manage.
- Click Send Push.
  The Send Push button appears only for push-enabled MobilePASS+ tokens. It is hidden for password tokens, hardware tokens, and any token that does not have push enabled.
  The Push Verification panel opens, showing the user name, token serial number, push status, and a "Waiting for user response..." message.
- Tell the caller what to do, depending on the mode:
  - Numeric Challenge — Read the admin verification number shown in the panel to the caller. Ask them to open MobilePASS+ on their device and select the matching number from the three numbers displayed.
  - Plain Push — Ask the caller to open MobilePASS+ and tap Approve to confirm, or Deny to reject.
- Wait for the panel to update with the result. The panel polls the server every 2 seconds and waits up to 2 minutes for the user's response.
Read the verification result
The Push Verification panel displays one of the following outcomes.
Use the recommended action to decide whether it is safe to proceed with the caller's request.
| Result message | What it means | Recommended action |
|---|---|---|
| User Authenticated — Service team can proceed with password/privilege changes. | The user approved the request (and, in Numeric Challenge mode, picked the matching number). | Identity confirmed. You may proceed with the requested change. |
| Authentication Failed — Wrong number selected. Service team should NOT proceed. | Numeric Challenge mode only. The user picked one of the wrong numbers in MobilePASS+, so identity could not be confirmed. | Do not perform the requested change. Treat as a failed verification and follow your escalation procedure. |
| Authentication Failed — Service team should NOT proceed. | The user rejected the push request (tapped Deny). | Do not perform the requested change. Confirm with the caller whether they actually have the device, and follow your escalation procedure. |
| Push authentication timed out. Please escalate to next verification tier. | The user did not respond within the 2-minute window. | Do not perform the requested change. Use an alternative verification method (for example, a knowledge-based question or an SMS one-time passcode). |
| Failed to send push notification. Please check the token configuration and try again. | The push could not be dispatched (for example, the token has push disabled or the device is unreachable). | Verify that push is enabled for the token and that the user's device is online, then try again. |
The panel auto-hides a few seconds after a result is shown. The Send Push button is re-enabled, so you can send another verification request if needed.
Cancel an in-flight request
You can cancel a push verification request if the caller cannot respond. For example, the caller may no longer have the device with them, or you may decide to switch to a different verification method. To cancel, click the ✕ (close) icon at the top right of the Push Verification panel.
The panel closes immediately and the in-flight server poll is cancelled, so no result is recorded against the verification attempt. The user may still receive the push notification on their device, but any response they make is discarded.
Audit logging
Every helpdesk push verification attempt is logged in two places, so you can trace who initiated the verification, who responded, and what the outcome was.
Authentication Activity
Open the user record and select Authentication Activity (or use the global Snapshot > Authentication Activity view). Each terminal outcome is logged as an authentication event with one of the following messages in the Message column:
- Login from Helpdesk push verification — approved
- Login from Helpdesk push verification — denied
- Login from Helpdesk push verification — wrong number selected
- Login from Helpdesk push verification — timed out
The Result column shows only Success or Failure. To see the specific outcome of a verification attempt (approved, denied, wrong number selected, or timed out), refer to the corresponding entry in the Message column.
Operator Activity
The Operator Activity log records every helpdesk push verification action performed by an operator. For each verification attempt, the log contains two entries with the action type HelpdeskPushVerification:
- Dispatch entry — Created when the operator clicks Send Push. This entry records who initiated the verification and when it was sent.
- Outcome entry — Created when the verification reaches a terminal state (approved, denied, wrong number selected, timed out, or dispatch failed). This entry records the final result of the verification.
Together, these entries provide a complete audit trail that shows which operator triggered each verification and what the user's response was.
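The dispatch/outcome pairing described above can be used to review whether sensitive changes were preceded by an approved verification. The following is an added example, not code from the product or this documentation: the row layout, the `PasswordReset` action name, and the 15-minute validity window are assumptions, and the sample rows are constructed.

```python
from datetime import datetime, timedelta

# Constructed rows: (time, operator, user, action, detail). The layout and the
# "PasswordReset" action name are assumptions; HelpdeskPushVerification and the
# outcome names are the ones this page lists.
SAMPLE = [
    ("2024-05-01T09:00:00", "op.alice", "u.bob", "HelpdeskPushVerification", "dispatch"),
    ("2024-05-01T09:00:20", "op.alice", "u.bob", "HelpdeskPushVerification", "approved"),
    ("2024-05-01T09:01:00", "op.alice", "u.bob", "PasswordReset", ""),
    ("2024-05-01T10:00:00", "op.carl", "u.dana", "HelpdeskPushVerification", "dispatch"),
    ("2024-05-01T10:02:00", "op.carl", "u.dana", "HelpdeskPushVerification", "timed out"),
    ("2024-05-01T10:03:00", "op.carl", "u.dana", "PasswordReset", ""),
    ("2024-05-01T11:00:00", "op.carl", "u.erin", "HelpdeskPushVerification", "dispatch"),
    ("2024-05-01T11:30:00", "op.alice", "u.frank", "PasswordReset", ""),
]
VERIFY = "HelpdeskPushVerification"
SENSITIVE = {"PasswordReset"}      # hypothetical sensitive action types
WINDOW = timedelta(minutes=15)     # assumed policy: how long an approval stays valid


def review(rows, window=WINDOW):
    """Return (finding, operator, user, time) tuples for the cases worth a look."""
    findings, pending, last = [], {}, {}
    for ts, op, user, action, detail in sorted(rows):
        key, when = (op, user), datetime.fromisoformat(ts)
        if action == VERIFY and detail == "dispatch":
            if key in pending:  # earlier dispatch never reached a terminal state
                findings.append(("dispatch_without_outcome", op, user, pending[key]))
            pending[key] = ts
        elif action == VERIFY:  # outcome entry closes the open dispatch
            pending.pop(key, None)
            last[key] = (when, detail)
        elif action in SENSITIVE:
            seen = last.get(key)
            if seen is None or when - seen[0] > window:
                findings.append(("change_without_verification", op, user, ts))
            elif seen[1] != "approved":
                findings.append(("change_after_failed_verification", op, user, ts))
    # Dispatches still open at the end: cancelled by the operator or still in flight.
    findings += [("dispatch_without_outcome", o, u, ts) for (o, u), ts in pending.items()]
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding)
```

A dispatch with no outcome entry is not by itself a problem, since a cancelled request records no result, but a pattern of them from one operator is worth reviewing alongside the Authentication Activity view.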
Visibility and limitations
- The Send Push button is visible only when all of the following conditions are true:
  - The selected token is a MobilePASS+ token.
  - Push OTP is enabled on the token.
  - The Helpdesk Push Verification feature is enabled on the account.
- Helpdesk push verification is independent of any in-progress application sign-in. It does not grant the user access to any application — it only confirms that the person on the call is in possession of the enrolled device.
- The user's MobilePASS+ device shows the same login-request screen as a normal push OTP (resource name, organization name, user name, timestamp). The organization name is the value configured under Set the custom organization name.