Using MFA for Mobile Application
Kron PAM’s built-in MFA can be used as a secondary layer of authentication for logging into the Mobile Application for its online features (Approval Management, Geo-Fencing, and Password Manager).
To enable MFA for Mobile Applications:
- Admin and user must install the Kron PAM Mobile App and register a token to receive Offline Tokens with the mobile app. (You get the Offline Tokens from the Offline Token > Add > Register Token menu).
- MFA must be enabled for the user group that will be using MFA for Mobile Application connections. (See sections Sending the MFA QR Code to Users, Creating a Connection Between Kron PAM and the Kron PAM Mobile Application, Enabling Multi-Factor Authentication (MFA)
- Navigate to Administration > System Configuration Manager.
- Set the mobile.application.otp.enabled parameter as true.
After these settings are done and a login operation is started on the mobile application, the application will automatically look for a Registered Token in its Offline Tokens with the name that matches the tfa.otp.issuer parameter. If there is a registered token with another name, then it will prompt the user to change the registered token. The user selects yes and enters a new token on the next page window forward to the token page for entering a new token. If the token is matched the user can log in. Once the current six-digit value of the Offline Token is validated with the server, login will be successful.
If there’s no Registered Token in the mobile application and MFA is enabled with the parameter above, registering a token also requires a Multi-Factor Authentication. The system will send a one-time- password (OTP) to the user’s phone number. The user will be asked to enter the OTP on his/her mobile application.
The Mobile Application MFA functionality works only with the registered tokens to ensure that the offline tokens are only working in one application at a time.