Two-factor authentication (TFA) adds another layer of security for powerful accounts, which are the primary targets of malicious attacks. A second authentication factor means that privileged users must present an additional proof of their identity beyond the password.

For this purpose, SkyIdentity uses a One Time Password (OTP) mechanism. The OTP code is delivered to the user via e-mail. The user's e-mail address and privileges are retrieved on demand straight from SkyIdentity's Identity Manager, midPoint. The whole process is illustrated in the picture below.

How SkyIdentity's TFA with OTP works:

  1. The user opens a browser and enters SkyIdentity's address to access the Identity Manager (IdM).
  2. The IdM component (midPoint) does not know the user yet and requests authentication from the Access Manager component, CAS.
  3. CAS prompts the user to enter a username and password.
  4. CAS sends these credentials to midPoint, which validates them and returns the user's details (including e-mail address and roles).
  5. If the user requesting access to SkyIdentity is a privileged one, CAS generates a One Time Password (OTP) and sends the OTP code to the user's e-mail address.
  6. The user retrieves the e-mail,
  7. and enters the OTP into the login form.
  8. After this, the user is securely logged into SkyIdentity's Identity Manager.

Note: For non-privileged users (for example an End User), steps 5 to 7 are skipped and the user is logged in right away after basic authentication.
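The following is an added example that models steps 4 to 8 of the flow above in Python. It is not code from SkyIdentity, CAS or midPoint: the user directory, the privileged-role set, the outbox standing in for the e-mail service and all function names are constructed for illustration. It shows the controls a defender expects around an e-mailed OTP: the code comes from a CSPRNG, only a hash of it is stored server-side, it expires, it is single-use, the number of guesses is bounded, and comparisons are constant-time. Non-privileged users skip the OTP challenge, as the note above describes.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed stand-in for the midPoint user directory (hypothetical data).
# Passwords are stored as salted SHA-256 only to keep the example self-contained.
def _hash_password(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

DIRECTORY = {
    "alice": {"salt": "s1", "pw": _hash_password("correct horse", "s1"),
              "email": "alice@example.test", "roles": ["End user"]},
    "bob":   {"salt": "s2", "pw": _hash_password("battery staple", "s2"),
              "email": "bob@example.test", "roles": ["Administrator"]},
}

PRIVILEGED_ROLES = {"Administrator"}   # roles that trigger the second factor (assumption)
OTP_TTL_SECONDS = 300                  # lifetime of an issued code (assumption)
OTP_MAX_ATTEMPTS = 3                   # guesses allowed per challenge (assumption)

# Outbox standing in for the e-mail service, so delivery (step 5) can be inspected offline.
OUTBOX = []   # list of (recipient, code) tuples

@dataclass
class OtpChallenge:
    username: str
    otp_hash: str          # only a hash of the code is kept server-side
    expires_at: float
    attempts_left: int = OTP_MAX_ATTEMPTS
    consumed: bool = False

def step4_validate_credentials(username, password):
    """midPoint-side check (step 4): returns the user's details or None."""
    user = DIRECTORY.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw"]):
        return None
    return user

def step5_issue_otp(username, email, now):
    """CAS-side step 5: generate a 6-digit code, deliver it, keep only its hash."""
    code = f"{secrets.randbelow(10**6):06d}"
    OUTBOX.append((email, code))
    digest = hashlib.sha256(code.encode()).hexdigest()
    return OtpChallenge(username, digest, now + OTP_TTL_SECONDS)

def login(username, password, now=None):
    """Steps 3-5: returns ('denied', None), ('logged_in', username)
    or ('otp_required', OtpChallenge)."""
    now = time.time() if now is None else now
    user = step4_validate_credentials(username, password)
    if user is None:
        return ("denied", None)
    if not PRIVILEGED_ROLES.intersection(user["roles"]):
        return ("logged_in", username)   # steps 5-7 skipped for non-privileged users
    return ("otp_required", step5_issue_otp(username, user["email"], now))

def step7_verify_otp(challenge, code, now=None):
    """Step 7: check the submitted code against the stored challenge."""
    now = time.time() if now is None else now
    if challenge.consumed or challenge.attempts_left <= 0 or now > challenge.expires_at:
        return ("denied", None)
    challenge.attempts_left -= 1
    submitted = hashlib.sha256(code.encode()).hexdigest()
    if hmac.compare_digest(submitted, challenge.otp_hash):
        challenge.consumed = True        # single-use: a replayed code is refused
        return ("logged_in", challenge.username)
    return ("denied", None)

if __name__ == "__main__":
    status, challenge = login("bob", "battery staple")
    print(status)                        # otp_required
    recipient, code = OUTBOX[-1]         # the "e-mail" the user would read (step 6)
    print(step7_verify_otp(challenge, code))
```

The `login` call returns the challenge object to the caller so that a session can hold it between the form submissions of steps 3 and 7; in a real deployment that state would live in CAS's session store, and the code would be delivered by the mail service rather than appended to a list.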

About SkyIdentity

SkyIdentity Cloud IdM is a fully-fledged tool for managing users, their authorizations and their roles. This identity manager (IdM) is provided entirely as a service. It combines the advantages of an advanced IdM with those of cloud software services (SaaS): complete functionality and easy deployment. SkyIdentity's main components are midPoint and CAS.

CAS stands for Apereo's Central Authentication Server. It is an authentication system created to provide a trusted way for an application to authenticate users.

Evolveum's midPoint is a solution for identity provisioning. It is a comprehensive tool that synchronizes several identity repositories and databases, manages them and makes them available in a unified form.

Author: Petr Gašparík