Configuring Two-Factor Authentication
You need to configure two-factor authentication if you want users to provide two independent factors for strong authentication.
Overview
When you enable two-factor authentication, users log on with credentials defined by the first factor login module and usually a passcode as a second factor. The first factor login module can be defined in the following ways:
- In the One-Time Password Administration UI at http(s)://<host>:<port>/ssoadmin/otp
  The first factor login module that you configure in the One-Time Password Administration UI is used centrally for all applications. Furthermore, you can specify a list of login modules; the first matching login module from the list is then used. Here you can use any login module that is supported by SAP NetWeaver Administrator.
- In SAP NetWeaver Administrator at http(s)://<host>:<port>/nwa
  You can set the first factor login module as a login module option of TOTPLoginModule to override the central configuration. This is necessary, for example, if you want to configure an application that does not use the central settings. For more information about the login module configuration, see Related Information.
You can also set the following additional options for two-factor authentication:
- You can allow the creation of a persistent cookie when a user initially enters both factors.
  The cookie is then used as the first authentication factor. The user logs on with only the second factor (passcode, password, or another) until the cookie expires or is revoked.
  You can set the following for this cookie:
  - Require User Consent
    The cookie is issued only when the user selects the Trust this computer or Trust this device checkbox on the logon page.
  - Validity
    The cookie is valid until it expires or is revoked. You revoke such a cookie for specific users under the Users tab of the One-Time Password Administration UI. For more information about the management of user accounts, see Related Information.
    Note: The default value is 30 days.
  - HTTP only
    This property ensures that the persistent cookie is not accessible from browser-side script.
    Note: This property is enabled by default.
  - Secure
    The persistent cookie is sent to the browser only if the HTTPS scheme is used, that is, only over secure connections.
    Note: This property is enabled by default.
- You can configure the system to send the passcode via SMS.
  You can do this if users do not have supported devices that allow the installation of an authenticator mobile application. For this purpose, you need to develop a policy script.
- You can enable the use of a policy script.
  Policy scripts can be used for the following cases:
  - Controlling conditions for two-factor authentication
    You can develop a script that sets conditions for single-factor or two-factor authentication, for example depending on the location that a user is logging on from.
  - Sending passcodes via email
    You can develop a script for the passcodes to be sent via out-of-band methods.
  - Validating passcodes generated by a third-party passcode provider
    You can develop a script to validate passcodes generated by a third-party provider and to return the result of the user authentication.
  For details on how to develop policy scripts, see Related Information.
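To make the persistent-cookie option described above concrete (consent gating, the 30-day validity, per-user revocation, and the HttpOnly and Secure attributes), here is an added Python model. It is not SAP Single Sign-On code; the class TrustedDeviceCookies, the function required_factors, the cookie name trusted_device and the HMAC-based cookie format are assumptions made for the example.

```python
# Added example, not SAP Single Sign-On code: a model of the "trust this device"
# cookie flow described above. Class, function and cookie names are assumptions.
import hashlib
import hmac
import secrets
from datetime import timedelta

DEFAULT_VALIDITY = timedelta(days=30)  # default validity stated above


class TrustedDeviceCookies:
    def __init__(self, key: bytes, validity=DEFAULT_VALIDITY, require_consent=True):
        self.key = key
        self.validity = int(validity.total_seconds())
        self.require_consent = require_consent
        self.revoked_at = {}  # user -> time of the last per-user revocation

    def _tag(self, payload: str) -> bytes:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest().encode()

    def issue(self, user: str, consent: bool, now: int):
        """Called after both factors succeeded; None when consent is required but absent."""
        if self.require_consent and not consent:
            return None
        # payload: user|issued|expires|nonce (user names are assumed not to contain '|')
        payload = f"{user}|{now}|{now + self.validity}|{secrets.token_hex(8)}"
        value = f"{payload}|{self._tag(payload).decode()}"
        # HttpOnly and Secure are enabled by default in the configuration above
        header = f"trusted_device={value}; Max-Age={self.validity}; HttpOnly; Secure"
        return value, header

    def revoke(self, user: str, now: int) -> None:
        """Per-user revocation: cookies issued up to this moment stop counting."""
        self.revoked_at[user] = now

    def first_factor_satisfied(self, cookie, now: int) -> bool:
        """True only for an authentic, unexpired cookie issued after any revocation."""
        if not cookie:
            return False
        payload, _, tag = cookie.rpartition("|")
        if not payload or not hmac.compare_digest(tag.encode(), self._tag(payload)):
            return False
        user, issued, expires, _nonce = payload.split("|")
        if now >= int(expires):
            return False
        return int(issued) > self.revoked_at.get(user, -1)


def required_factors(store, cookie, now: int):
    """With a valid trusted-device cookie only the second factor is needed."""
    return ["passcode"] if store.first_factor_satisfied(cookie, now) else ["password", "passcode"]
```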