The ForgeRock Authenticator App

The ForgeRock Authenticator app supports push authentication notifications and one-time passwords.

Download and install the ForgeRock Authenticator app on your phone, so that you can perform multi-factor authentication. The app is available for both Android and iOS devices, and is free to download.

Tip

For access to the source code for sample mobile applications, see "How do I access and build the sample code provided for AM/OpenAM (All versions)?" in the ForgeRock Knowledge Base.

Registering the ForgeRock Authenticator for Multi-Factor Authentication

Registering the ForgeRock Authenticator app enables it to be used as an additional factor when logging in to AM.

The ForgeRock Authenticator app supports registration of multiple accounts and multiple different authentication methods in each account, such as push notifications and one-time passwords.

For information on registering Web Authentication (WebAuthn) devices with AM, see "Creating Trees for Web Authentication (WebAuthn)".

ForgeRock Authenticator registration only needs to be completed the first time an authentication method is used with an identity provider. Use of a different authentication method may require that registration with the identity provider is repeated for that additional method.

The ForgeRock Authenticator needs access to the internet to register to receive push notifications. Registering for one-time password authentication does not require a connection to the internet.

To Register the ForgeRock Authenticator for Multi-Factor Authentication
  1. When you visit a protected resource and have no devices registered for multi-factor authentication, AM requires that you register a device.

    Initial screens in a multi-factor authentication process. Push notification on the left, and OATH authentication on the right.

    To register your mobile phone with AM, click Register Device. A screen with a QR code appears:

    The device registration screens with QR code in the multi-factor authentication process. Push notification on the left, and one-time password (OATH) authentication on the right.
  2. Start the ForgeRock Authenticator app on the device to register, and then click the plus icon:

    ForgeRock Authenticator Setup Screen

    The screen on the device changes to an interface similar to your camera app.

  3. Point the camera at the QR code on the AM page. The ForgeRock Authenticator app acquires the QR code and reads the data encoded within it.

    If you are logging in to AM on the registered device and cannot scan the screen, click the button labelled On a mobile device?. The ForgeRock Authenticator app will request permission to launch. If allowed, the information required to register the device will be transferred to the ForgeRock Authenticator app directly, without the need to scan the QR code.

    ForgeRock Authenticator scanning a QR code.
  4. Once registered, the app displays the registered accounts and the authentication methods they support, for example one-time passwords (a timer icon) or push notifications (a bell icon):

    ForgeRock Authenticator with a registered account.
  5. When registering a device, you MUST make a copy of the recovery codes associated with that device.

    Depending on the device type you registered, perform one of the following steps:

    • If you registered an OATH device:

      1. Click the Login Using Verification Code button.

        You will be asked to enter a verification code.

      2. In the ForgeRock Authenticator app, click the newly registered account, and then click the Refresh button to generate a new one-time password.

      3. Enter the one-time password into the web page, and then click Submit.

      4. On the recovery codes page, make a copy of the displayed recovery codes and store them safely. The codes will never be displayed again.

        OATH recovery code display.

        When you have safely stored the recovery codes for your newly registered OATH device, click the Continue button.

    • If you registered a push device:

      1. On the recovery codes page, make a copy of the displayed recovery codes and store them safely. The codes will never be displayed again.

        Push recovery code display.

        When you have safely stored the recovery codes for your newly registered push device, click the Continue button.

Your device is now registered. You will be able to use it to perform multi-factor authentication.
