Authentication Based on Trusted Channel
DirX Access allows users to configure authentication using a trusted channel, based on a self-contained voucher defined by the voucher authentication method.
Note: Voucher authentication methods can be used in combination with composite authentication methods only.
In a specific step of a composite authentication method, a voucher authentication method:
- Stops the composite processing in the current channel (no further authentication session).
- Sends vouchers via a trusted channel.
- Verifies the voucher provided by the user.
For greater flexibility, a trusted channel can be defined by a callout. See the voucher propagation plug-in for details on how to configure a callout.
Vouchers contain all necessary information to continue the authentication process. This allows users to resume at the same step of the composite authentication method where processing was previously stopped. See the voucher authentication method for details on how to configure the source of the communication address for the trusted channel, how to limit the usage of the same communication address and voucher, and how to limit the validity of the voucher.
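The following added example illustrates the idea of a self-contained voucher with limited validity and single use; it is not DirX Access code and does not reflect its actual voucher format or API. The HMAC-SHA-256 signing, the claim names, the in-memory used-voucher set and the function names are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

KEY = secrets.token_bytes(32)  # constructed signing key (assumption: server-side secret)
_used = set()                  # ids of vouchers already redeemed (single-use enforcement)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_voucher(user, method, step, address, ttl=600, now=None):
    """Build a signed voucher carrying the state needed to resume `method` at `step`."""
    now = time.time() if now is None else now
    claims = {"jti": secrets.token_hex(16), "sub": user, "method": method,
              "step": step, "addr": address, "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"  # this string is what travels over the trusted channel

def verify_voucher(voucher, method, now=None):
    """Return the claims if the voucher is authentic, unexpired and unused; else raise ValueError."""
    now = time.time() if now is None else now
    try:
        body, tag = voucher.split(".")
        expected = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
        # Check the signature before parsing any claim, in constant time.
        if not hmac.compare_digest(expected, _unb64(tag)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(body))
    except ValueError as exc:
        raise ValueError(f"invalid voucher: {exc}") from None
    if claims["method"] != method:
        raise ValueError("voucher issued for a different composite method")
    if now >= claims["exp"]:
        raise ValueError("voucher expired")
    if claims["jti"] in _used:
        raise ValueError("voucher already used")
    _used.add(claims["jti"])
    return claims  # the caller resumes the composite method at claims["step"]
```

Because the signed claims carry the step, the verifier needs no stored authentication session to resume; the only server-side state in this example is the set of redeemed voucher ids.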
Supported Use Cases
Password Reset When the User Has No Way to Authenticate
In combination with the explicit password change option, authentication based on a trusted channel can be used when the current credentials are forgotten and no other way to authenticate is available. In this case, the password change must be tied to the voucher authentication method via the composite authentication method.
Producing an Initial Authentication Voucher by HR
This option allows HR or other administrative systems to produce initial authentication vouchers and perform initial authentications for new employees with no credentials at all. Vouchers should be known only to owners of the communication address. Therefore, this option has the prerequisite of access to a trusted communication channel where the voucher is sent. In this case, the voucher authentication method is configured as the only step of a composite authentication method.