- Overview
- Introducing Authentication
- Configuring AM for Authentication
- Authentication Nodes and Trees
- Authentication Modules and Chains
- About Authentication Levels for Chains
- Configuring Authentication Chains
- Login Session Timeouts for Chains
- Implementing Post-Authentication Plugins
- Customizing Authentication Chains
- Configuring Success and Failure Redirection URLs
- Configuring Realm Authentication Properties
- Authenticating (Browser)
- Authenticating (REST)
- Single Sign-On
- Social Authentication
- Suspended Authentication
- MFA: Web Authentication (WebAuthn)
- MFA: Push Authentication
- MFA: Open AuTHentication (OATH)
- Managing Devices for MFA
- Reference
- Core Authentication Attributes
- Supported Callbacks
- Authenticate Endpoint Parameters
- Authentication Nodes Configuration Reference
- Basic Authentication Nodes
- Multi-Factor Authentication Nodes
- Risk Management Authentication Nodes
- Behavioral Authentication Nodes
- Contextual Authentication Nodes
- Certificate Collector Node
- Certificate Validation Node
- Certificate User Extractor Node
- Cookie Presence Decision Node
- Device Profile Collector
- Device Match
- Device Profile Save
- Device Profile Location Match
- Device Geofencing
- Device Tampering Verification
- Persistent Cookie Decision Node
- Set Persistent Cookie Node
- Federation Authentication Nodes
- Identity Management Authentication Nodes
- Accept Terms and Conditions Node
- Anonymous User Mapping Node
- Anonymous Session Upgrade Node
- Attribute Collector Node
- Attribute Present Decision Node
- Attribute Value Decision Node
- Create Object Node
- Create Password Node
- Consent Collector Node
- Display Username Node
- Identify Existing User Node
- KBA Decision Node
- KBA Definition Node
- KBA Verification Node
- Patch Object Node
- Platform Password Node
- Platform Username Node
- Profile Completeness Decision Node
- Query Filter Decision Node
- Required Attributes Present Node
- Select Identity Provider Node
- Terms and Conditions Decision Node
- Time Since Decision Node
- Utility Authentication Nodes
- Agent Data Store Decision Node
- Choice Collector Node
- Email Suspend Node
- Email Template Node
- Failure URL Node
- Get Session Data Node
- Inner Tree Evaluator Node
- Message Node
- Meter Node
- Page Node
- Polling Wait Node
- Register Logout Webhook Node
- Remove Session Properties Node
- Retry Limit Decision Node
- Scripted Decision Node
- Set Session Properties Node
- State Metadata Node
- Success URL Node
- Timer Start Node
- Timer Stop Node
- Thing Authentication Nodes
- Scripted Decision Node API Functionality
- Authentication Module Properties
- Active Directory Module Properties
- Adaptive Risk Authentication Module Properties
- Amster Authentication Module Properties
- Anonymous Authentication Module Properties
- Certificate Authentication Module Properties
- Data Store Authentication Module Properties
- Device ID (Match) Authentication Module Properties
- Device ID (Save) Authentication Module Properties
- Federation Authentication Module Properties
- ForgeRock Authenticator (OATH) Authentication Module Properties
- ForgeRock Authenticator (Push) Authentication Module Properties
- ForgeRock Authenticator (Push) Registration Authentication Module Properties
- HOTP Authentication Module Properties
- HTTP Basic Authentication Module Properties
- JDBC Authentication Module Properties
- LDAP Authentication Module Properties
- Legacy OAuth 2.0/OpenID Connect Authentication Module Properties
- MSISDN Authentication Module Properties
- OATH Authentication Module Properties
- OpenID Connect id_token bearer Authentication Module Properties
- Persistent Cookie Authentication Module Properties
- RADIUS Authentication Module Properties
- SAE Authentication Module Properties
- SAML2 Authentication Module Properties
- Scripted Authentication Module Properties
- SecurID Authentication Module Properties
- Social Authentication Module Properties - Instagram
- Social Authentication Module Properties - OAuth 2.0
- Social Authentication Module Properties - OpenID Connect 1.0
- Social Authentication Module Properties - VKontakte
- Social Authentication Module Properties - WeChat
- Social Authentication Module Properties - WeChat Mobile
- Windows Desktop SSO Authentication Module Properties
- Authentication Modules Configuration Reference
- Account Active Check Module
- Active Directory Authentication Module
- Adaptive Risk Authentication Module
- Amster Authentication Module
- Anonymous Authentication Module
- Certificate Authentication Module
- Data Store Authentication Module
- Device ID (Match) Authentication Module
- Device ID (Save) Module
- Federation Authentication Module
- ForgeRock Authenticator (OATH) Authentication Module
- ForgeRock Authenticator (Push) Authentication Module
- ForgeRock Authenticator (Push) Registration Authentication Module
- HOTP Authentication Module
- HTTP Basic Authentication Module
- JDBC Authentication Module
- LDAP Authentication Module
- Legacy OAuth 2.0/OpenID Connect Authentication Module
- MSISDN Authentication Module
- OATH Authentication Module
- OpenID Connect id_token bearer Module
- Persistent Cookie Module
- RADIUS Authentication Module
- SAE Authentication Module
- SAML2 Authentication Module
- Scripted Authentication Module
- Social Authentication Modules
- Windows Desktop SSO Authentication Module
- Scripted Module API Functionality
- Glossary
Recovering After Replacing a Lost Device
If you register a device with AM and then lose it, you must authenticate to AM using a recovery code, delete the lost device, and then register the new device. Perform the following steps:
Log in to AM. If push authentication is enabled, enter your user ID, click Log In, and then click Use Emergency Code. If one-time passwords are enabled, when prompted to enter a verification code, instead enter one of your recovery codes.
Because recovery codes are valid for a single use only, make a note to yourself not to attempt to reuse this code.
If you did not save the recovery codes for the lost device, contact your administrator to remove the registered device from your AM user profile.
Select Dashboard from the top-level menu.
Locate the entry for your phone in the Authentication Devices section, click the context menu button, and then click Delete.
If you have not already done so, install the ForgeRock Authenticator app on your new phone. See "The ForgeRock Authenticator App".
Register your new device. See "Registering the ForgeRock Authenticator for Multi-Factor Authentication".
Users who do not save recovery codes or who run out of recovery codes and cannot authenticate to AM without a verification code require administrative support to reset their device profiles. See "Resetting Registered Devices by using REST" for more information.