Unless the OpenAM administrator has made one-time password authentication mandatory, users can choose to opt out of using one-time passwords by clicking the Skip This Step button on the ForgeRock Authenticator (OATH) screen. This button appears:
- When users are prompted to register their mobile devices during their initial login from a new device.
- Every time users are prompted by the ForgeRock Authenticator (OATH) authentication module to enter one-time passwords.
With Two Factor Authentication Mandatory disabled, the "Skip This Step" button shown in the documentation (see attached screenshot) is not presented when users are prompted to authenticate using HOTP.
Steps to reproduce:
- Select Authentication > Settings > General.
- Make sure that the Two Factor Authentication Mandatory is not enabled.
- Create the example chain with HOTP as described in the admin guide: DataStore as the first module, set to Requisite, followed by a ForgeRock Authenticator (OATH) module, again set to Requisite (https://backstage.forgerock.com/docs/openam/13.5/admin-guide#proc-authn-mfa-chain-oath).
- Download and install ForgeRock Authenticator app on phone or other mobile device.
- Register an OATH device: log in using the example chain, then use the ForgeRock Authenticator app to add the account by scanning the QR code displayed on the login page with the QR code reader/camera.
- Authenticate using the OATH device: have ForgeRock Authenticator generate a one-time password, then, on the browser page where the QR code is shown, click "Login using verification code" (or similar) and enter the code.
- Repeat login using example chain. After login for DataStore module, user is presented with a page on which to enter OTP.
Expected result: the user can choose to skip OATH authentication.
Actual result: no option to skip is presented.
Note: The option to skip is presented when registering a device and for TOTP. Opted out users skip the module entirely as expected.