Manage authenticators

An authenticator is a security measure that protects an application from unauthorized access. Authenticators require that a user respond to a challenge to gain access to the application. You assign authenticators to users to allow them to access applications protected by Identity as a Service.

Consider the following when assigning authenticators to users:

       A user can be assigned multiple authenticators.

       A user must have at least one authenticator assigned to them to log in to Identity as a Service.

       A user can choose to receive their OTP by voice, email, or SMS if they have a phone number, email address, or mobile device registered to their account.

       Assigned tokens have a token state (either Active or Inactive). Only tokens in an Active state can be used for authentication.

       The resource rules associated with an application determine which authenticators can be used to log in to an application.

       Users created either locally in Identity as a Service or through Active Directory (AD) sync can be automatically assigned an authenticator.

Authenticator lockout behavior

The authenticators allowed to access applications are set by the resource rules (see Create and manage resource rules). If a user enters an incorrect authenticator response more times than the value set in the Lockout Count (see Manage General settings), the authenticator is locked and the user cannot access the application using that authenticator.

Consider this example:

1.      A user has access to two applications, Application 1 and Application 2.

2.      The resource rule for Application 1 requires password + OTP or Token.

3.      The resource rule for Application 2 allows Token only.

4.      The Lockout Count is set to 5.

5.      The user accesses Application 1 and enters a valid password, but enters an incorrect Token response 5 times, which locks the Token authenticator.

6.      The user can still access Application 1 using the correct password and a valid OTP.

7.      The user cannot access Application 2 because it requires Token authentication but the user has locked their token authenticator.
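The lockout example above, modelled as an added Python example (not Identity as a Service code): an authenticator locks once its failure count reaches the Lockout Count, and an application's resource rule can only be satisfied with authenticators that are Active and unlocked. Resetting the failure count on a correct response is an assumption of this model, not something the page states.

```python
from dataclasses import dataclass, field

LOCKOUT_COUNT = 5  # Lockout Count from General settings (value from the page's example)

@dataclass
class Authenticator:
    name: str
    state: str = "Active"   # token state: only Active authenticators can be used
    failures: int = 0
    locked: bool = False

    def usable(self) -> bool:
        return self.state == "Active" and not self.locked

@dataclass
class User:
    authenticators: dict = field(default_factory=dict)

    def respond(self, name: str, correct: bool) -> bool:
        """Record one challenge response; lock at LOCKOUT_COUNT failures (as in
        the page's example). Resetting the count on success is an assumption."""
        auth = self.authenticators[name]
        if not auth.usable():
            return False
        if correct:
            auth.failures = 0
            return True
        auth.failures += 1
        if auth.failures >= LOCKOUT_COUNT:
            auth.locked = True
        return False

# Resource rules: the authenticator combinations each application accepts.
RESOURCE_RULES = {
    "Application 1": [{"Password", "OTP"}, {"Token"}],  # password + OTP, or Token
    "Application 2": [{"Token"}],                       # Token only
}

def allowed_methods(user: User, app: str) -> list:
    """Rule combinations the user can still satisfy with usable authenticators."""
    return [combo for combo in RESOURCE_RULES[app]
            if all(n in user.authenticators and user.authenticators[n].usable()
                   for n in combo)]

def scenario() -> dict:
    user = User({n: Authenticator(n) for n in ("Password", "OTP", "Token")})
    user.respond("Password", True)          # valid password for Application 1
    for _ in range(LOCKOUT_COUNT):          # five wrong Token responses
        user.respond("Token", False)
    return {"token_locked": user.authenticators["Token"].locked,
            "app1": allowed_methods(user, "Application 1"),
            "app2": allowed_methods(user, "Application 2")}
```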

Note: This section explains how to set the global settings for general settings, registration, verification, and authenticators. You can additionally override these settings for specific groups using the Group policies options.

Push transaction queuing

The push transaction queuing feature is intended for organizations whose users are required to verify multiple transactions in a day and who might need time to perform other process steps before they can confirm each transaction. For example, it could be used by bank loan officers in the loan approval process. With this feature configured, Identity as a Service can deliver multiple transactions to a user's mobile soft token app and the user can address them within a configured amount of time. If the queue size is set to 1, only one transaction delivered to a soft token identity is active at a time (a new one overwrites an older one), and, typically, transactions expire after a short time.

Example of queued transactions

A loan officer at AnyBank, Juan, is asked to approve about 15 loans a day. The approval is granted by responding to a transaction challenge sent to Juan's mobile soft token identity that is used with queued transactions. The transaction challenge is configured to expire after 2 days (Push Transaction Lifetime). The Entrust IDaaS administrator configured the system to hold double their typical daily number of transactions in the queue (Maximum Queued Transactions) to accommodate surges of activity. This means that Juan's queue of transactions for this identity could have up to 30 transactions before the expired or oldest ones are deleted to make room for new ones. Ideally, this maximum is never reached and no transactions are deleted before Juan responds to them.

For more information, see Manage General settings.
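An added Python model of the queue behaviour described above (not Identity as a Service code), using the page's example settings of a 2-day Push Transaction Lifetime and 30 Maximum Queued Transactions. The transaction ids and timestamps are constructed; the surge function shows the oldest entry being deleted to make room and older entries expiring, and the queue-size-1 case where a new transaction overwrites the older one.

```python
from collections import deque
from datetime import datetime, timedelta

PUSH_TRANSACTION_LIFETIME = timedelta(days=2)  # Push Transaction Lifetime (page's example)
MAXIMUM_QUEUED_TRANSACTIONS = 30               # Maximum Queued Transactions (page's example)

class TransactionQueue:
    """Pending push transactions for one soft token identity, oldest first."""
    def __init__(self, max_size=MAXIMUM_QUEUED_TRANSACTIONS, lifetime=PUSH_TRANSACTION_LIFETIME):
        self.max_size = max_size
        self.lifetime = lifetime
        self._items = deque()  # (transaction_id, delivered_at)

    def purge_expired(self, now):
        """Drop transactions whose lifetime has elapsed; they can no longer be confirmed."""
        self._items = deque((tid, t) for tid, t in self._items if now - t < self.lifetime)

    def deliver(self, tid, now):
        """Queue a new transaction. Expired entries are removed first, then the oldest,
        until there is room. With max_size == 1 a new transaction overwrites the old one."""
        self.purge_expired(now)
        while len(self._items) >= self.max_size:
            self._items.popleft()
        self._items.append((tid, now))

    def pending(self, now):
        """Transaction ids the user can still confirm at time `now`, oldest first."""
        self.purge_expired(now)
        return [tid for tid, _ in self._items]

def surge_example():
    """Constructed surge: 31 transactions delivered one minute apart to a 30-slot queue."""
    q = TransactionQueue()
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed start time
    for i in range(31):
        q.deliver(f"loan-{i:02d}", t0 + timedelta(minutes=i))
    same_day = q.pending(t0 + timedelta(hours=1))                 # loan-00 was deleted to make room
    two_days_on = q.pending(t0 + timedelta(days=2, minutes=5))    # entries older than 2 days expired
    single = TransactionQueue(max_size=1)      # queue size 1: a new one overwrites an older one
    single.deliver("tx-a", t0)
    single.deliver("tx-b", t0)
    return same_day, two_days_on, single.pending(t0)
```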

Assigning user authenticators

This section describes how to set up, modify, and assign user authenticators. For instructions on how users authenticate with them, see the Identity as a Service User Online Help.

To assign authenticators to individual users, complete the following:

1.      Click > Members > Users. The Users List page appears.

2.      Click the User ID for the profile you want to edit. The User Profile page appears.

3.      Click the Authenticators tab.

4.      Click and select the required authenticator. The new authenticator is added to the user's authenticators list.

Topics in this section:

       Manage General settings

       Manage device fingerprint attributes

       Manage Face Biometrics by Onfido

       Manage machine authenticator settings

       Manage risk-based authenticator settings

       Manage password authenticators

       Manage password reset

       Manage Temporary Access Codes

       Manage grid cards

       Manage soft token authenticators

       Manage hardware tokens

       Manage Knowledge-based authenticators (KBA)

       Manage Passkey/FIDO2 authenticators

       Manage smart credentials

       Manage user certificate authenticators