User Status

A user may be in various statuses during regular operation. Before a user is enabled for 2FA (the uninitialized status), the Status column in the Users screen is empty.

Incomplete setup: 2FA is enabled but either the mobile application has not yet been sent to the user, or it has not been used yet.

2FA enabled: The user has authenticated with 2FA to access a computer or service protected by ESA. This state also applies if only SMS-based OTPs and/or Hard Tokens are enabled for the user, though the user has not yet authenticated.

Additional information regarding Incomplete setup is available in the user's profile next to each enabled 2FA method.

A user may then be enabled for either SMS-based OTPs, Mobile Application OTPs, Mobile Application Push or all. If they are enabled for all, they are in what is known as the transitioning state. This type of status is visible only in the user's profile.

In this state, a user will receive SMS-based OTPs when authentication attempts are initiated, but as soon as a valid mobile OTP is used for authentication or a Push notification (authentication request) is approved, SMS-based OTPs will be disabled, and the user will only be able to authenticate using mobile OTPs or Push notifications. When a user has successfully authenticated using a mobile app OTP, a green flag is displayed in the user details.

When authenticating with OTPs, a user can enter an incorrect OTP 10 times. On the 11th failed OTP, the user's 2FA will be locked. This is to prevent brute force guessing of OTPs. When a user's 2FA is locked, the name is highlighted in red in the Users screen, the status changes to 2FA locked, and a red triangle with an exclamation mark along with additional information is displayed in the profile.

If it has been confirmed that the user's identity is not under attack, click Actions, then Unlock to unlock the user's 2FA.

If Hard Token OTPs have been enabled and imported, the user may be in additional states.

The user may be in a Hard Token OTP only state, or may be enabled for any combination of the three OTP types, or the user may be in a transitioning state where all three OTP types are enabled. In this state, a user will receive SMS OTPs when authentication attempts are initiated, but as soon as a valid mobile OTP is used for authentication, SMS OTPs will be disabled, and the user will only be able to authenticate using mobile or Hard Token OTPs.

The user can also be in the state where both SMS and Hard Token OTPs are allowed.
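
The transitioning and lockout rules described above can be checked against a small state model. This is an added example, not ESA code: the class, method names and return strings are hypothetical. It assumes that failed Push requests are not counted as failed OTPs, that the failure count is not reset by a successful login, and that Unlock resets it; the page does not state any of these.

```python
from dataclasses import dataclass, field

MAX_FAILED_OTPS = 10                      # page: the 11th failed OTP locks 2FA
OTP_METHODS = {"sms", "mobile_otp", "hard_token"}
APP_METHODS = {"mobile_otp", "push"}      # delivered by the mobile application


@dataclass
class User2FA:
    """Hypothetical model of the documented behaviour, not ESA code."""
    methods: set = field(default_factory=set)
    failed: int = 0
    locked: bool = False

    def transitioning(self) -> bool:
        # Both transitioning states on the page include SMS and mobile OTPs;
        # treating that pair as the trigger is this model's assumption.
        return "sms" in self.methods and "mobile_otp" in self.methods

    def attempt(self, method: str, valid: bool) -> str:
        if self.locked:
            return "locked"
        if method not in self.methods:
            return "method-disabled"
        if not valid:
            if method in OTP_METHODS:     # assumption: Push denials not counted
                self.failed += 1
                if self.failed > MAX_FAILED_OTPS:
                    self.locked = True
                    return "locked"
            return "rejected"
        if method in APP_METHODS and self.transitioning():
            self.methods.discard("sms")   # SMS OTPs are disabled from now on
        return "ok"

    def unlock(self) -> None:
        # Admin "Actions > Unlock"; resetting the counter is an assumption.
        self.locked, self.failed = False, 0
```

An SMS OTP that is still accepted after the same user has completed a mobile app authentication would contradict the transitioning behaviour and is worth investigating.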