IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  Passwordless authentication with IBM Verify

    Posted Thu July 27, 2023 08:46 AM

    Hi,

    We would like to use passwordless MFA login using ISVA as SP and ISV as IDP.

    It is true that ISV connects seamlessly with ISVA via the apollo GUI inside ISVA.

    In our scenario I have connected it using the "Strong Authentication using IBM Security Verify APIs".

    The problem here is that the mapping rules that are created (CI_Common, CI_Authentication_Rule, etc.) by default look for a username + password as a first step before proceeding to any further authentication.

    So if I protect a page using the policy "IBM Security Verify Authentication ...", the user will not be able to use MFA unless a session already exists (or they have provided username+password, I'm not sure what the requirement is here), but the point is, ISV will present a login page with username and password telling the user to log in first.

    This is not what we want.

    We want the user just to type in a username and then be able to use the MFA from ISV. No password should be involved.

    Is it possible? Am I missing something?



    ------------------------------
    Jonatan Wålegård
    ------------------------------


  • 2.  RE: Passwordless authentication with IBM Verify

    Posted Fri July 28, 2023 03:56 AM

    I would not recommend that approach for authentication, even if it could be made to work. Most ISV authentication "mechanisms" are not suitable for passwordless login because they don't prove "something you know + something you have" in a single authentication experience. Of all the mechanisms we offer, only WebAuthn/FIDO does this, and for that you're better off adopting it via either native integration in ISVA, or via federated SSO from ISV.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 3.  RE: Passwordless authentication with IBM Verify

    Posted Tue August 01, 2023 07:23 AM

    Thanks Shane.
    It looks to me that this is a major drawback in ISV. It should be up to the customer to decide which authentication mechanisms to combine, not force username+password as the minimum entry. We have relied on passwordless login here in Scandinavia for 20 years.



    ------------------------------
    Jonatan Wålegård
    ------------------------------



  • 4.  RE: Passwordless authentication with IBM Verify

    Posted Tue August 01, 2023 02:00 PM

    This topic has nothing to do with limitations of ISV. You absolutely can do what you want with ISV APIs using a privileged API client rather than a user access token obtained via U/P login. My point is about security best practices for multi-factor user authentication. Nothing more. For example, I would not recommend an approach where a username is entered, then TOTP is prompted for, and that's how you complete login. That's only a possession factor.

    The ISV APIs are fully documented and you can call them using Infomap mechanisms however you like from ISVA with the HTTPClientv2. Nothing is preventing you from doing that.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------