Limits of multi-factor authentication
Users - Security policies: Max. number of login attempts
The maximum number of failed login attempts can be defined in the security guidelines of the user administration (main menu "Users / Configuration / Security / Security guidelines"). Please note that this setting does not apply when using multi-factor authentication. The tokens can still be entered as often as required.
Permitted authentication type
In the Intrexx user administration, settings for logging into the portal can be defined in the user configuration (main menu "Users / Configuration / Authentication").
Please note that multi-factor authentication can only be used with Intrexx authentication.
This concerns the binding of the following systems:
- Web
- WebDAV
Incompatibilities with multi-factor authentication
The following services cannot be performed with multi-factor authentication:
- Data transfer
- Admin API
- iOS App
- Android App
User Self Service App
When using the User Self Service App, the "Forgot password" function should no longer be used.
If the "Forgot password" function has been activated, the portal user's currently configured authentication method is completely deleted.
The behavior is therefore comparable to the behavior described in "Situation 2: Authentication type is finally deactivated". This means that the portal user must reconfigure their multi-factor authentication.
The User Self Service App should be updated to the latest version in connection with the use of multi-factor authentication.
Authentication via customized login implementation
If you use customized implementations for web login (getlogin.vm or similar) and use $AuthProxy in Velocity, you may need to make adjustments.
The following methods have been changed:
- de.uplanet.lucy.server.auxiliaries.AuthProxy.login(ISession, String, Map<String, String>) now returns a map instead of a string.
- A separate function (de.uplanet.lucy.server.auxiliaries.AuthProxy.loginAnonymous(ISession, String)) is now provided for an explicit login of the anonymous user.
The following methods have been removed:
- de.uplanet.lucy.server.auxiliaries.AuthProxy#isPasswordAcceptable(java.lang.String)
- de.uplanet.lucy.server.auxiliaries.AuthProxy#getChallenge(de.uplanet.lucy.server.connector.IServerBridgeRequest, java.lang.String, java.lang.String, boolean)
- de.uplanet.lucy.server.auxiliaries.AuthProxy#invalidateChallenge(java.lang.String)
- de.uplanet.lucy.server.auxiliaries.AuthProxy#fakeChallenge(java.lang.String, java.lang.String)