Yes - this is precisely what AAC is for and is a relatively easy use case to configure. If you want to use the regular forms-based login for WebSEAL, then email-OTP, I would suggest you follow something like the steps in this article.
https://www.ibm.com/blogs/sweeden/protecting-entire-isam-webseal-site-with-multi-factor-authentication-using-stepup-login/
Original Message:
Sent: Mon December 21, 2020 03:49 PM
From: Scott Reichardt
Subject: MFA with IBM Security Verify Access
Thanks for the detailed reply, Carl.
We do have the AAC component. I haven't been able to figure out how to configure it for how we are wanting to use MFA. We have a customer-facing website where, when logging in to their account page, we want the user to enter a code that they receive in an email since we already have emails stored for our users. This would be in addition to entering their username and password as they do today. The IBM Verify mobile app won't be an option for us, unfortunately. We may also offer an option for SMS but primarily it would be an email.
Can this be done using just the AAC component?
Thanks,
Scott
------------------------------
Scott Reichardt
Original Message:
Sent: Fri December 18, 2020 11:24 AM
From: Carl Hovi
Subject: MFA with IBM Security Verify Access
You can use MFA using ISVA without using ISVA's integration with the cloud-based IBM Security Verify, if you have the ISVA "AAC" component activated. If AAC is activated, you should see an "AAC" item on the top of your LMI admin web UI. If AAC and Federation are both activated, you will see the following menu options across the top of your LMI screen:
Monitor Web AAC Federation System
If the "AAC" item is missing, you will need to install the license file for that ISVA component.
To do your initial testing, the simplest step-up authentication to set up is TOTP, because you do not need to configure anything. There is no connection to an SMS or email server, and no MMFA (Mobile Multifactor Authentication) configuration needed. All you need to do is install the "IBM Verify" mobile app on your iPhone/iPad/Android device, and register it with AAC. After an end user does a web authentication to ISVA in their browser, they can go to a page which allows them to do a TOTP device registration. After you configure the AAC component, the URL for this page might be something like this:
<ISVA-reverse-proxy-hostname>/mga/sps/mga/user/mgmt/html/otp/otp.html
Using the cloud-based IBM Security Verify can simplify things once you start supporting real production workloads, including how the authenticator device registrations are stored, and the cloud-based ISV has an option to add smarter adaptive access.
------------------------------
Carl Hovi
IBM
Original Message:
Sent: Thu December 17, 2020 10:24 AM
From: Scott Reichardt
Subject: MFA with IBM Security Verify Access
Hi,
We are using IBM Security Verify Access v10. I'm wanting to utilize MFA. Do I need to leverage the cloud-based IBM Security Verify to do this or can I configure MFA without it? We are using OAuth for authentication on our customer WebSEAL and want users to have MFA capabilities.
Thanks,
Scott
------------------------------
Scott Reichardt
------------------------------