Complete enrollment

The feature is available only for partially enrolled users - the operator can use it and finish the user's enrollemntenrollment on behalf of the user. EnrollmentThe enrollment process is done by the operator on behalf of the user. In specific casescases, it is also possible for the operator from one tenant to enrollenrol the user to another tenant (in case thatthe operator has all requested permissions and privileges defined on the target tenant side).

Create emergency access

Emergency access is a feature that allows an operator to generate a special one-time-time password (OTP) for a user who has lost all means of authentication using a second factor - for example, a lost mobile phone. The OTP generated in this way has a limited validity and gives the user the possibility to log in to the application and perform the necessary actions to register new second second-factor authentication methods (for example, registration of new tokens on a new mobile phone, etc.). EmergencyAn emergency access code could be also used as an approval method.

Note: The emergency code can be used to log in as a replacement for a standard OTP or as part of the approval process. Its validity is defined based on a template, BUT this code is deactivated when any of the following operations are performed:

• when the OTP address in the token changes (virtual, sms,SMS, email)
• the new token is enrolled
• the token is activated

Show magic questions

Display the user's magic questions and answers.

Authenticate user

The userUser authentication is a feature that is used by operators to verify the identity of the caller. It consists inof sending a specifically generated OTP in a chosen way (for example to a mobile phone) and its return verification during communication with the caller. If the OTP communicated by the user is correct, it can be assumed that he is who he claims to be.

Unlock user

FeatureA feature used by the operator to unlock a user account locked in ANT ID - OTP auth application. UserUsers can lock due to multiple wrong password input.inputs.

Synchronize user

FeatureA feature used by the operator to immediateimmediately update of user from external resourceresources (first name, last name, status and etc).

Enable/Disable user

  /  

FeatureA feature used by the operator to enable disabled userusers or to disable active userusers in AD.

Un-enroll user

Re-enroll user feature allows the operator to delete enrolled userusers from the system in case of any problems with usersuser configurations. During the deletiondeletion, all user data and enrolled tokens are removed from the database and relevant storages.storage. The user receives an email with information about the link to make a new enrollment.

Delete user

Permanently delete the user from the system and from source LDAP as well - depending on adminsadmin configuration.

The drawer with the detaildetails of the user consists of a header with the details of the user:

• Username  - username of the user
• First name  - first name of the user
• Last name  - last name of the user
• Resource  - a resource of user's data (AD)
• Account expiration  - expiration date of user's account in resources (AD)
• Last login  - date of last login and used authentication method (token)
• Last failed login  - date of last failed login
• Last sync  - date of last synchronization of user data (with resource)
• Enabled  - status of the user (Yes - enabled, No - disabled)
• Password change required  - information about password change requirement

The The Tokens  tab displays a list of the user's registered tokens - see more detail on on the User tokens page.

The The Contacts  tab displaydisplays athe contact details of the user - see more details on on the Contacts  page.

The The Documents  tab displays a list of user's documents uploaded within the enrollment process or later via the Account/Documents page - see more detail on on the User documents page.

The The Groups & privileges  tab displays a list of groups that the user is a member of - see more details on on the Groups & privilegsPrivileges page.

1

This function could be run as a part of of the invitation process (see above -  Invite new user - Create new user) OR as sa stand-alone feature from the Users list in the Operational console - open the the Users  menu option in the the Operational Console  menu, switch to to Partially enrolled enrolled users and use the the Complete enrollment  menu option from the context menu

2

The first step of enrollment on-behalf form will be displayed.

The content of the form is defined on the administrator level.

3

Fill in all mandatory fields and press press the CONTINUE  button.

4

The second step of enrollment on-behalf form is displayed. This step contains the enrollment of tokens. Press the the ADD NEW TOKEN  button [    ] to select which type of token sholdshould be enrolled - see the the token enrollment help page

The types of tokens that could be enrolled are defined on the administrator level.

5

EnrollEnrol the required number of tokens and press press the ENROLL USER  button.

6

The user is enrolled in ANT ID and capable toof log-in using the enrolled token.

1

Press the the CREATE EMERGENCY ACCESS ACCESS button [    ] within the chosen user from the context menu [    ].

2

Select the template according to which emergency accesaccess OTP is to be created and press the the GENERATE  button.

• depending on the chosen template the validity in hours or max number of usage countcounts will be displayed.

note: theThe naming of templates depends on the setup of each tenant

3

The OTP will be generated hidden, but by using the the HIDE HIDE button button 

[    ] its value can be displayed.

The code can also be viewed in the the NATO phonetic transcription  for better communication with the users - use the button [    ] to display the transcription.

• Note: The emergency code can be used to log in as a replacement for a standard OTP or as part of the approval process. Its validity is defined based on a template, BUT this code is deactivated when any of the following operations are performed:

• when the OTP address in the token changes (virtual, sms,SMS, email)

• the new token is enrolled

• the token is activated

4

The The COPY-TO-CLIPBOARD  button [    ] will then copy the OTP to the clipboard. AlsoAlso, the expiration date will be displayed.

5

If you want to generate the code again, you can replace the template and repeat the whole process again.process.

1

Press the the SHOW MAGIC QUESTIONS QUESTIONS button [    ] within the chosen user from the context menu [    ].

2

The list of user's magic questions and answers will be displayed.

3

Press the the EYE  button [    ] within the chosen question and hold. The eye icon will be changed and the saved answer will be displayed.

1

Press the the AUTHENTICATE USER USER button [    ] within the chosen user from the context menu [    ].

2

Select how the OTP is to be delivered and press press the NEXT  button.

The list of methods is based on contact details filled within the Enrollment process or in the Contact details  feature - the feature doesn't use the user's tokens but only contact details like a mobile phone number or email address

3

The system will send the OTP to the user in the selected way.

4

Request the delivered OTP from the user and fill it toin the OTP field and press press the CONFIRM  button

5

If the entered OTP is correct the system will display a message about successful authentication of the user.

5

If the entered otpOTP is not correct, the user is not authenticated. Authentication could be done repeatedly.

1

Press the the UNLOCK USER USER button [    ] within the chosen user from the context menu [    ].

2

The application will call ANT ID - OTP Auth app and reset the number of failed attempts so the user can try to log-log in again.

1

Press the the SYNCHRONIZE USER USER button [    ] within the chosen user from the context menu [    ].

2

The application will call an external AD database, fetch user data (name, surname, status...) and refresh stored data.

1

Press the the ENABLE USER USER button [    ] or or DISABLE USER USER button [    ] within the chosen user from the context menu [    ].

Enable user feature is available for disabled userusers and and Disable user  feature is available only for active users

2a

For For disabledisabled user: users: the user will be disabled in resource AD - the the Enabled  status will be set to to NO.

Disabled user is forbidden to log-log in.

2b

For For enable  user: the user will be disabled in resource AD - the the Enabled  status will be set to to YES.

Enabled userusers can log-log in without any restrictions.

1

Press the the UN-ENROLL USER USER button [    ] within the chosen user from the context menu [    ].

• The application removes all user details from the system and at the same time all registered tokens from the management systems.
• the user receives an email with information about the link to make a new enrollment

2

Confirm the modal confirmation modal window by pressing pressing the UNENROLL  button.

The part of un-Un-enroll process is to send the email to the unenrolled user so he can start the enrollment process again.

3

ListA list of users will be displayed where the un-Un-enrolled user won't be displayed.

1

Press the the DELETE USER USER button [    ] within the chosen user and confirm the deletion.

• The application removes all user details from the database and at the same time all registered tokens from the management systems and LDAP system.

2

Confirm the modal confirmation modal window by pressing pressing the DELETE USER  button.

The user can be deleted only from the ANT ID database or even from LDAP - the level of deletion is configured by the administrator.

3

ListA list of users will be displayed where the removed user won't be displayed.