Introduction to authentication
Authentication is the act of confirming a user’s identity, for example, by providing a set of credentials.
In access management, authentication is tightly coupled with authorization; usually, not only is it important to confirm that a user is who they say they are, but also to ensure that they can only access a subset of information.
Consider a user who wants to access an online shop. As the owner of the shop, you want to ensure the user identity is confirmed (since it is tied to their shipping and email addresses and payment information) and you also want to ensure that they can only access their own information.
You can deploy a ForgeRock web agent on the web server hosting the online shop. The agent redirects the user’s request to an Identity Cloud login page, where the user enters their credentials, such as username and password. Identity Cloud determines who the user is, and whether the user has the right to access the protected page. Identity Cloud then redirects the user back to the protected page with authorization credentials that can be verified by the agent. The agent allows the user authorized by Identity Cloud to access the page.
In the same way, you can also use Identity Cloud to protect physical devices connected to the Internet of Things (IoT). For example, a delivery van tracking system could have its proxying gateway authenticate to a brokering system using an X.509 certificate, establish an HTTPS connection, and then connect to the sensors in its delivery trucks. If the X.509 certificate is valid, the brokering system can monitor a van’s fuel consumption, speed, mileage, and overall engine condition to maximize each van’s operating efficiency.
Identity Cloud uses authentication nodes and journeys to implement authentication.
Identity Cloud creates an authentication session to track the user’s progress through an authentication journey. After the user has authenticated, Identity Cloud creates a session to manage the user’s access to resources. To learn more about sessions, refer to Sessions.
Multi-factor authentication (MFA) is an authentication technique that requires users to provide multiple forms of identification when logging in to Identity Cloud.
Multi-factor authentication provides a more secure method for users to access their accounts with the help of a device. Note that the word device is used in this section to mean a piece of equipment that can display a one-time password or that supports push notifications using protocols supported by Identity Cloud multi-factor authentication (MFA). Devices are most commonly mobile phones with authenticator applications that support the OATH protocol or push notifications, but could also include other equipment.
The following is an example scenario of multi-factor authentication in Identity Cloud:
1. In the Identity Cloud admin UI, configure an authentication journey to capture the user’s username and password and to create one-time passwords.
2. An end user authenticates to Identity Cloud using that authentication journey.
3. Identity Cloud prompts the user to enter the username and password—the first factor in multi-factor authentication.
4. If the username and password are correct, Identity Cloud sends the user an email with a one-time password.
5. The user provides the one-time password to Identity Cloud to successfully complete authentication—the second factor in multi-factor authentication.
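The two steps of that scenario, as an added example that is not ForgeRock code: the first factor checks a salted password hash and then issues a one-time password, and the second factor verifies it with a constant-time compare, a lifetime, a guess limit and single use. The user store, the 5-minute lifetime and the 3-guess limit are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not ForgeRock code: a minimal two-step journey modelled on the
# scenario above (username/password, then an emailed one-time password).
# The 5-minute OTP lifetime, 3-guess limit and user data are constructed.
OTP_TTL_SECONDS = 300
OTP_MAX_ATTEMPTS = 3
_SALT = b"constructed-salt"  # a real store uses a random salt per user


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 200_000)


USERS = {"alice": {"email": "alice@example.test", "pw": _hash_password("correct horse")}}
PENDING = {}      # username -> outstanding second-factor challenge
SENT_EMAILS = []  # stand-in for the mail gateway so the example runs offline


def first_factor(username: str, password: str, now=None) -> bool:
    """Step 1: check the password; on success create and 'email' a one-time password."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(_hash_password(password), user["pw"]):
        return False  # same answer for an unknown user and a wrong password
    otp = f"{secrets.randbelow(10**6):06d}"  # 6 digits from a CSPRNG, never from random
    PENDING[username] = {
        "otp": otp,
        "expires": (time.time() if now is None else now) + OTP_TTL_SECONDS,
        "attempts": OTP_MAX_ATTEMPTS,
    }
    SENT_EMAILS.append((user["email"], otp))
    return True


def second_factor(username: str, otp: str, now=None) -> bool:
    """Step 2: verify the emailed code. Single use, time-limited and guess-limited."""
    challenge = PENDING.get(username)
    if challenge is None:
        return False  # first factor not completed, or the challenge was already consumed
    if (time.time() if now is None else now) > challenge["expires"]:
        del PENDING[username]  # expired codes are discarded, not just rejected
        return False
    if not hmac.compare_digest(challenge["otp"], otp):  # constant-time compare
        challenge["attempts"] -= 1
        if challenge["attempts"] <= 0:
            del PENDING[username]  # too many guesses: the journey must restart
        return False
    del PENDING[username]  # a code is consumed on success
    return True
```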
Identity Cloud supports the following multi-factor authentication protocols:
- MFA: Use codes from ForgeRock app using OATH, to enable one-time password authentication.
- MFA: Authenticate using push notification, to receive push notifications on a device as part of the authentication process.
- MFA: Authenticate using a device with WebAuthn, to enable authentication using an authenticator device, such as a fingerprint scanner.