Protecting Tokens with MFA

kron pam ’s built in mfa can be used as a secondary layer of authentication for logging into the mobile application for its online features (approval management, geo fencing, and password manager) admin and user must install the kron pam mobile app and register a token to receive offline tokens with the mobile app (you get the offline tokens from the offline token > add > register token menu) otp must be enabled for the user group that will be using mfa for mobile application connections to enable mfa for mobile application navigate to administration > system config man set the mobile application otp enabled parameter as true after these settings are done and a login operation is started on the mobile application, the application will automatically look for a registered token in its offline tokens with the name that matches the tfa otp issuer parameter if there are registered tokens with other names, then it will prompt the user to select a registered token if the current six digit value of the offline token (either the automatically or the manually selected one) is validated with the server, login will be successful if there’s no registered token in the mobile application and mfa is enabled with the parameter above, registering token also requires a multi factor authentication the system will send a one time password (otp) user’s phone number the user will be asked to enter the otp on his/her mobile application the mobile application mfa functionality works only with the registered tokens to ensure that the offline tokens are only working in one application at a time