Enable push OTP and MobilePASS+
For push OTP to be offered during authentication, two conditions must hold: the push OTP feature must be enabled on the virtual server, and the user must have a token enrolled in the MobilePASS+ application. To actually receive push notifications on a mobile device, the user must also have allowed MobilePASS+ to send notifications on that device.
Enable the allowed targets and push notifications
Push OTP is enabled by default for newly created accounts and disabled by default for upgraded accounts. It is configured independently for each virtual server and can be enabled or disabled at any time. While push OTP is disabled on the virtual server, the MobilePASS+ application does not prompt the user to grant push permissions.
For push OTP to be offered during authentication, the user must have a token enrolled in the MobilePASS+ application. The settings you enable in this policy determine which targets are presented to users during self-enrollment of MobilePASS tokens, so you can restrict the OS types on which MobilePASS tokens may be activated or enrolled.
The enhanced approval workflow significantly speeds up authentication for MobilePASS+ (version 1.4 or higher) tokens: users can approve or reject push login requests without unlocking their mobile device. Because the approval then happens before the device lock, the device lock no longer gates the decision; this is why the PIN recommendation below matters.
Complete these steps on every virtual server that should support push OTP:
- On the STA Token Management console, select Policy > Token Policies.
- Select Software Token & Push OTP Settings.
- Select Enhanced approval workflow.
  If Enhanced approval workflow is enabled, users with incompatible versions of MobilePASS+ receive an error message when the application opens. You can disable the enhanced approval workflow at any time to restore full functionality with earlier MobilePASS+ versions.
- For each Operating System and Device Type platform, select a MobilePASS application.
  For iOS, Android, and Windows 10 Desktop/Tablet, you can choose between MobilePASS 8 and MobilePASS+. Only one MobilePASS application can be selected per OS type: for example, you can enable either MobilePASS+ or MobilePASS 8 for iOS, but not both.
- For each platform that uses MobilePASS+, in the Push Notifications column, select either Enabled or Disabled.
  It is highly recommended that you either enforce a device PIN or enable a PIN setting in the MobilePASS token template, so that only the device owner or token assignee can approve a push request. Without one, anyone holding the device can approve a request on the user's behalf.
- Click Apply.
A new MobilePASS+ token can be enrolled alongside an existing MobilePASS 8 token.
Set the push OTP rejection policy (optional)
Push notifications are sent only to registered devices with currently active, push-enabled tokens. A push that the user did not initiate therefore means that someone else attempted to authenticate as that user. You can set this user policy so that, if a user receives such a push notification and rejects it, they are sent a push notification rejection alert (see the example below). If the user's account is locked as a result of this push OTP rejection, the body of the rejection alert is appended to the user lockout alert that is sent to the user.
You can customize the contents of the alert email in Comms > Communications > Email Messages. See Customize the rejection alert for the user.
- On the STA Token Management console, select Policy > User Policies.
- Select Push OTP Rejection Policy.
- Select Alert user on OTP push notification rejected, and then click Apply.
The following is an example of a push notification rejection alert that is sent to a user:
Set the operator policy
You can optionally send a push notification rejection alert to the operator as well, whenever a user rejects a push notification that they did not initiate. The operator can then investigate the log files, for example to find the source of the login attempt that triggered the push.
You can customize the contents of the alert email in Comms > Communications > Email Messages. See Customize the rejection alert for the internal operator.
- On the STA Token Management console, select Policy > Role Management > Alert Management.
- Click the corresponding Edit hyperlink for a role.
- Select Push Notification Rejection Operator Alert for the desired delivery methods, and then click Apply.
The following is an example of a push notification rejection alert that is sent to an operator:
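The user and operator alerts above report each rejection on its own. What an operator usually wants to know is when rejections cluster on one account within a short time, since a burst of pushes the user never initiated means someone holding that user's password is retrying in the hope of a stray tap (so-called push bombing). The script below is an added example, not part of this documentation and not STA's own tooling: it runs a sliding-window count of rejected pushes per user over a handful of constructed events. The event tuple format (timestamp, user, outcome) and the outcome names are assumptions made for the example, not STA's log or alert format; the "locked" outcome mirrors the page's note that a rejection can end in a user lockout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for the example. The (timestamp, user, outcome)
# shape is an assumption for this script, not the format STA writes.
# outcome: "approved", "rejected" (user rejected an unsolicited push), "locked"
SAMPLE_EVENTS = [
    ("2024-05-06T08:00:05", "alice", "approved"),
    ("2024-05-06T09:12:10", "bob", "rejected"),
    ("2024-05-06T09:12:40", "bob", "rejected"),
    ("2024-05-06T09:13:15", "bob", "rejected"),
    ("2024-05-06T09:13:30", "bob", "locked"),
    ("2024-05-06T11:45:00", "carol", "rejected"),  # a single mis-tap, not a burst
    ("2024-05-06T14:00:00", "bob", "rejected"),    # far outside the earlier window
]


def find_push_bombing(events, threshold=3, window=timedelta(minutes=10)):
    """Return {user: {first, last, count, locked}} for every user whose
    rejected pushes reach `threshold` inside any `window`-long span.

    The dictionary records the window in which the threshold was first
    reached, and whether a lockout event exists for the user at all.
    """
    rejections = defaultdict(list)
    locked_users = set()
    for ts, user, outcome in events:
        when = datetime.fromisoformat(ts)
        if outcome == "rejected":
            rejections[user].append(when)
        elif outcome == "locked":
            locked_users.add(user)

    flagged = {}
    for user, times in rejections.items():
        times.sort()
        start = 0  # index of the oldest rejection still inside the window
        for end, current in enumerate(times):
            # Slide the window start forward until it fits around `current`.
            while current - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = {
                    "first": times[start].isoformat(),
                    "last": current.isoformat(),
                    "count": count,
                    "locked": user in locked_users,
                }
                break  # one finding per user is enough for triage
    return flagged


def triage_report(flagged):
    """Render one line per flagged user, suitable for an operator ticket."""
    lines = []
    for user, info in sorted(flagged.items()):
        state = "account locked" if info["locked"] else "account still active"
        lines.append(
            f"{user}: {info['count']} rejected pushes between "
            f"{info['first']} and {info['last']} ({state}); "
            "treat the password as compromised and check the login source."
        )
    return lines


if __name__ == "__main__":
    for line in triage_report(find_push_bombing(SAMPLE_EVENTS)):
        print(line)
```

The threshold and window are deliberately parameters: a single rejection is normal (users mis-tap), whereas three inside ten minutes is rarely accidental. A flagged account whose "locked" flag is false is the more urgent case, because the attacker can keep sending pushes until the user gives in.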