Authentication options

ESET Secure Authentication (ESA) provides several options for authenticating users to access computers or services protected by two-factor authentication.

OTP (one-time password) received via SMS—requires SMS Credits or custom delivery utilizing a custom SMS gateway

OTP generated via ESA mobile application

    Event-based OTP (HOTP)—expires when used or when a new OTP is generated

    Time-based OTP (TOTP)—expires within a few seconds (expiry animation displayed in the mobile application) even if not used

OTP delivered via email

Push Authentication

Hard tokens

OTP received via custom delivery option

FIDO—only one FIDO authenticator can be registered per user


Note: Security of authentication options

ESA offers a wide range of 2FA methods that fit the varying preferences of our customers.

The most secure and highly usable is Mobile Application Push (Push authentication).

Still highly reliable, but in some situations less convenient, are Mobile Application OTP, Hard Token, and FIDO.

SMS-based OTPs, though still available, are not considered the most secure, mainly due to the underlying security used in SMS delivery systems.

When OTPs are delivered by email, some usage schemes might have weaker security.


Note: Reliability of SMS delivery

Due to the technical nature of SMS messages, which are typically handled by local telecommunications operators, ESET cannot guarantee the reliability of SMS delivery to the end user's mobile phone.

Authentication options available offline


Note: Before offline use

1. ESA must be activated using a license key or ESET Business Account credentials.

2. To enroll and provision users, ESA core must be able to access esa.eset.com.

When the Authentication Server cannot connect to the internet, the following options are available to authenticate a login attempt:

Hard tokens

FIDO

SMS OTP utilizing custom delivery within your internal network, without connecting to the internet

OTP generated via ESA mobile application (activate (provision) the mobile app online)

Windows Login protection in offline mode

When using the Windows Login protection in offline mode, the following options are available to authenticate a login attempt:

Hard tokens (event-based OTP only)

OTP generated via ESA mobile application (event-based OTP only)

FIDO


Note: Offline OTPs

In offline mode, only 20 OTPs are cached by default. Cache renewal occurs in the following ways:

Automatically after successful login in online mode

10 minutes after a successful offline login, the ESA component attempts to download new OTPs. Subsequent attempts occur every 60 minutes.

If a new network is connected (for example, the network adapter is restarted), the ESA component attempts to download new OTPs immediately
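
The following added example (not ESET's code and not part of the original page) contrasts event-based and time-based OTPs as defined in RFC 4226 and RFC 6238, and shows how a bounded offline cache of event-based OTPs is consumed as codes are used. The OfflineHotpCache class, its digest storage, and the 6-digit HMAC-SHA1 parameters are assumptions made for illustration; only the default cache size of 20 comes from the text above.

```python
import hashlib
import hmac
import struct

RFC_SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test seed, not an ESA value

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation picks 4 bytes of the MAC
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current time step."""
    return hotp(secret, unix_time // step, digits)

class OfflineHotpCache:
    """Hypothetical offline verifier holding digests of the next N HOTP values."""

    def __init__(self, secret: bytes, next_counter: int, size: int = 20):
        # Assumption: the endpoint keeps digests, not the seed. A 6-digit code
        # is guessable from a bare hash, so a real design needs salt and stretching.
        self._entries = [
            hashlib.sha256(hotp(secret, c).encode()).digest()
            for c in range(next_counter, next_counter + size)
        ]

    def remaining(self) -> int:
        return len(self._entries)

    def verify(self, otp: str) -> bool:
        digest = hashlib.sha256(otp.encode()).digest()
        for i, cached in enumerate(self._entries):
            if hmac.compare_digest(digest, cached):
                # Accepting one counter retires it and every earlier counter,
                # so a used or skipped OTP cannot be replayed.
                self._entries = self._entries[i + 1:]
                return True
        return False

if __name__ == "__main__":
    cache = OfflineHotpCache(RFC_SECRET, next_counter=0)
    print("cached OTPs:", cache.remaining())
    print("counter 2 accepted:", cache.verify(hotp(RFC_SECRET, 2)))
    print("replay accepted:", cache.verify(hotp(RFC_SECRET, 2)))
    print("left until renewal:", cache.remaining())
```

Once remaining() reaches zero, no further offline login can succeed until the cache is renewed, which is why the renewal triggers listed above matter for users who stay offline for long periods.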