Introduction

DualShield has an authentication method called "Emergency Code" that can be added to the existing authentication methods in a logon procedure. When it has been added, and an emergency code has been issued to the user, the user will be able to select this authentication method and log in using the code that was issued to them.

Emergency codes may be created using the management console, or by the user either via the Emergency Access Service, or using the DualShield Service Console.

As an example, the password reset service is normally protected by just a single logon step that only offers the authentication method "Authorisation Code" to the user.

Emergency Access Service Configuration

DualShield provides an optional service that can be enabled to allow users to create Emergency Access codes for themselves.

The service is called the "Emergency Access Service", but before it can be used you will need to perform the following configuration procedure;  

  • Introduction

    The Emergency Access Service is a web portal that allows users to obtain Emergency Codes.

    Before the service can be made available for the users, there are some necessary preparations that must be performed;

    Setting up the Logon Procedure and Logon Steps

    The Logon Procedure defines how users will be authenticated when they attempt to login to the portal. You can define a logon procedure of 1-step, 2-step and 3-step verification, for instance.

    The Emergency Access Service logon procedure can be prepared using the following procedure;

    • In the Admin Console, navigate to "Authentication | Logon Procedures", left click on context menu for the logon procedure "Emergency Access Service", then select "Edit";

      You will then be shown the logon steps used for the Emergency Access Service (the example below shows the default logon steps and methods for this service);

      To change the authentication methods for a logon step, select the step to be edited, then click on the button;

      A new window will now open titled "Logon Step - Step 2" showing the currently selected authentication methods for this step;

      You can define the logon steps according to your own requirements by selecting the required options in this list then clicking ;

    Setting up the Application

    In the Admin Console, navigate to "Authentication | Applications", then select the application "Emergency Access Service";

    The application named "Emergency Access Service" is pre-defined during installation (so you would not normally need to make changes to this default setup), however the application parameters can be inspected using the context menu.

    Setting up the Realm

    A Realm is a group of user domains. It defines who is allowed to access the application that's associated with the realm "Emergency Access Service", and the portal can only be accessed from the domains that are specified against this realm.

    The domains for the realm "Emergency Access Portal" can be specified using the following procedure;

    • In the Admin Console, navigate to "Authentication | Realms", then left click on the context menu for the realm "Emergency Access Service", then select "Domains";

      A new window will open titled "Domains" (by default this list is empty);

      You will need to add to this list any domains that your users will be members of (e.g. "pb.deepnetid.com");

      After selecting the domains to be added click the button, and the new domains will be added to the realm.


    Setting up the Policy Settings

    As Emergency Codes can be generated from both the Emergency Access Service and the Self Service Console, the policy settings for each of these portals will need to be adjusted to permit this.

    Allow users to generate emergency codes from the Emergency Access Service

    Use the following procedure to allow users to generate emergency codes for themselves using the Emergency Access service;

    • Edit the Self-Service Policy;

      • From the Home page of the Management Console, left click on the menu item "Administration", select "Policies", then in the new tab "POLICIES", select the category "Self Service", then click the button;

        The Self Service policy settings can now be viewed (or edited) by left clicking on the context menu of the Emergency Code policy, then selecting either "View" or "Edit";


      Expand the section "Emergency Access Service", and ensure the setting "Allow user to request emergency code:" is enabled; 

       

        

    Allow users to generate emergency codes from the Self Service Console

    To allow users to generate emergency codes from within the self-service console, you will need to ensure that the feature is enabled in the self service policy using the following procedure;

    • Edit the Self-Service Policy;

      • From the Home page of the Management Console, left click on the menu item "Administration", select "Policies", then in the new tab "POLICIES", select the category "Self Service", then click the button;

        The Self Service policy settings can now be viewed (or edited) by left clicking on the context menu of the Emergency Code policy, then selecting either "View" or "Edit";


      Expand the section "Self Service Portal", then scroll down to the setting "Emergency Code Permissions";

      If you are to allow users to generate their own emergency codes from within the Emergency Code Service, then you will need to ensure that this setting includes the option "Request", which can be enabled using the dropdown icon;

       


    Emergency Codes Policy Settings

    As well as policy settings for the emergency code and self service portals, we also have policy settings that specify features of the emergency codes themselves.

    • Introduction

      In the case when a user has lost or misplaced their tokens and needs to access an application protected with two-factor authentication urgently, an emergency code can be issued to temporarily replace the user’s token. The policy defines the construction and lifespan of an activation code, such as the length and characters of the code.

      • From the Home page of the Management Console, left click on the menu item "Administration", select "Policies", then in the new tab "POLICIES", select the category "Emergency Code", then click the button;

        The Emergency Code policy settings can now be viewed (or edited) by left clicking on the context menu of the Emergency Code policy, then selecting either "View" or "Edit";


      Editing the Emergency Code Policy Settings:

      Once the self service policy has been edited, a new window will open titled "Policy - Edit" (that can be used to edit the policy settings for this policy);





      The Category for Emergency Code policies is "Emergency Code" and will include all System, Domain, Unit, User or Group held.


      The "Holder" will indicate if this policy setting is System, Domain, Unit, User or Group held.


      The name assigned to identify the Emergency Code system policy by the System Administrator.


      The System Administrator may use this field to annotate this policy.


      This checkbox will allow the System Administrator to enable or disable the policy.

      The maximum number of Emergency Codes allowed to be issued to a user's account (enter "0" if there is no limit).

      This option determines the length (in characters) of the emergency code.


      This checkbox determines if the emergency code can be sent to the user's personal email, mobile or telephone.


      This checkbox determines if only one emergency code is sent per message.

       


      This value indicates the default number of hours that may pass after the emergency code is issued before it can no longer be used (enter "0" if there is no limit).


      This value indicates the maximum number of hours that may pass after the emergency code is issued before it can no longer be used (enter "0" if there is no limit).

      This value indicates the maximum number of times that the emergency code may be used (enter "0" if there is no limit).


      This checkbox will prevent reuse of the Emergency Code.


      This option determines if the Emergency Code will be generated as a number or a sequence of letters.



      This option determines if the Emergency Code will be the only factor required during authentication.



      In addition to the settings in the main section, the Emergency Code policy also includes the following expandable sections;

      These sections can be expanded out to provide additional settings related to how the Emergency Codes are sent to the user.

      Message Channel

      The purpose of the section "Message Channel" is to provide the system administrator with policy settings that specify the default and secondary channels that are used to send messages to users.




      This option determines the main delivery channel for sending emergency codes to the user;

      • SMS
        Emergency Codes are to be sent to the User's mobile device as a text message.

      • SMTP
        Emergency Codes are to be sent to the User's email account.

      • Twitter
        Emergency Codes are to be sent to the User's Twitter account. 


       


      This option determines the secondary delivery channel for sending emergency codes to the user;

      • SMS
        Emergency Codes are to be sent to the User's mobile device as a text message.

      • SMTP
        Emergency Codes are to be sent to the User's email account.

      • Twitter
        Emergency Codes are to be sent to the User's Twitter account. 




      Available Channels

      The purpose of the section "Available Channels" is to provide the system administrator with policy settings that specify which communication channels can be used to send messages to users.



      This checkbox determines if the email message channel is presented as an option for sending emergency codes.

      This checkbox determines if the SMS text message channel is presented as an option for sending emergency codes.


      This checkbox determines if the phone call message channel is presented as an option for sending emergency codes.



    Amongst other things, this policy will allow you to specify the size and lifetime of the emergency code.
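
The "0 means no limit" semantics of the lifetime and usage settings above, modelled as an added Python example (this is not DualShield code) that also lists the setting combinations an administrator may want to review. The field names, the rule that the maximum lifetime caps the default, the reading of "prevent reuse" as single use, and the 10-digit/26-letter alphabets are assumptions; the two sample policies are constructed.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class EmergencyCodePolicy:
    # Hypothetical field names mirroring the policy settings described above.
    code_length: int
    numeric: bool                # True = digits, False = letters
    default_lifetime_hours: int  # 0 = no limit
    max_lifetime_hours: int      # 0 = no limit
    max_uses: int                # 0 = no limit
    prevent_reuse: bool          # assumed to mean "single use"
    sole_factor: bool            # code is the only factor required

def expiry(policy, issued):
    """Expiry time of a code, or None if it never expires (assumed clamping rule)."""
    hours, cap = policy.default_lifetime_hours, policy.max_lifetime_hours
    if cap and (hours == 0 or hours > cap):
        hours = cap              # the maximum lifetime caps the default
    return issued + timedelta(hours=hours) if hours else None

def usable(policy, issued, uses_so_far, now):
    """Apply the lifetime and usage-count limits, honouring 0 = no limit."""
    end = expiry(policy, issued)
    if end is not None and now > end:
        return False
    if policy.prevent_reuse and uses_so_far >= 1:
        return False
    return not (policy.max_uses and uses_so_far >= policy.max_uses)

def review(policy):
    """Return the setting combinations worth a second look before rollout."""
    findings = []
    if policy.default_lifetime_hours == 0 and policy.max_lifetime_hours == 0:
        findings.append("codes never expire")
    if policy.max_uses == 0 and not policy.prevent_reuse:
        findings.append("codes can be used an unlimited number of times")
    if policy.sole_factor:
        findings.append("code is accepted as the only factor")
    return findings

def keyspace_bits(policy):
    """Size of the code space in bits (assumes 10 digits or 26 letters)."""
    return policy.code_length * math.log2(10 if policy.numeric else 26)

# Constructed sample policies, not DualShield defaults.
LOOSE = EmergencyCodePolicy(8, True, 0, 0, 0, False, True)
TIGHT = EmergencyCodePolicy(8, True, 24, 72, 1, True, False)
```
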

Creating Emergency Codes

Emergency codes may be created either by using the management console, or by the user themselves (after accessing the Emergency Access Service, or DualShield Service Console).

  • Creating Emergency Codes

    Emergency Codes can be issued to users from the Management Console either directly (via "Directory | Users") or via the Emergency Code repository.

    Creating Emergency Codes directly to the User Account

    Navigate to "Directory | Users", select the domain, search for the user to issue the code to, then select the context menu option "Emergency Code";

     

    New Emergency Codes can now be created by clicking on the button.

    Creating Tokens Via the Emergency Code repository

    Navigate to "Repository | Emergency Codes", select the domain, then use the button to issue the code to the user;


    Assigning the Emergency Codes to the Users

    After the button is clicked, a new window will open titled "Emergency Code - New";

      


    Select the domain of the selected User that the emergency code will apply to.


    Enter the Login Name of the User that the Emergency Code will be assigned to.


    The date from which the emergency code can start to be used.


    The date after which the emergency code can no longer be used.


    If supplied (and non-zero) this field will determine a limit as to how many times the emergency code can be used (If zero is supplied, then there is no usage limit).


    This count represents how many Emergency Codes are to be created (defaults to 1 emergency code).


    Specify the Domain and Login Name of the user that the Emergency code is to be issued to then click the button;


    A new emergency code will now have been created for the user and can be viewed in the repository;


    The Emergency Code can also be viewed in the user directory (assigned to the user);


    The above example created and assigned an emergency code of "50425726" to the user "TestUser".

    Once the administrator has created an emergency code for the user, they would pass on these details to the user (via email or SMS, but other methods could be used).


  • The port number of the DualShield Emergency Access Service (DEA) portal is 8076. 

    The URI of the DualShield Service Console is:

    https://your-dualshield-fqdn:8076/dea

    If you want to allow users to access DEA from the public network then you must set up port forwarding on your firewall. 

    User Experience

    When accessing the service you will now be presented with the following logon screen;

    The user will then supply their domain and user details then will be asked to supply their access credentials for the portal.

    Once logged in, the user will be presented with an Emergency Code (that they can now use to access any application that includes the authentication method "Emergency Code");

    The emergency code can then be copied from this page and used by the user when accessing the application that has been provided with an emergency code authentication method option (in this example the code "92059592").

    The displayed code may be copied to the clipboard using the button, and a replacement code may be requested using the button.


  • Log in to the service console, select the menu option "Emergency Codes", then click on the button;

    After clicking on the button you will be asked how many emergency codes are needed;

    For this example we will select 2 codes (by increasing the count to 2, then clicking ).

    The requested number of Emergency codes are then generated and presented to the user.

Deleting Emergency Code Assignments

Emergency code assignments can be deleted either using the management console, or by the user themselves using the self-service console;

  • Emergency Codes can be deleted either from the users' account directly, or from the Emergency Code repository using one of the following methods;

    Deleting Emergency Codes directly from the Users' Account

    Navigate to "Directory | Users", select the domain, search for the user to issue the code to, then select the context menu option "Emergency Code";

    Select the Emergency Codes to be deleted, then click on the button;

     

    Deleting Emergency Codes directly from the Emergency Code Repository

    Navigate to "Repository | Emergency Codes", select the domain, then use the context menu option "Delete" to remove the required Emergency Code;


    Whichever method is used a new window will open titled "Confirm" requesting confirmation that you want to delete the Emergency Code.

    Click on the button and the code will be removed;





Emergency Codes Deployment

Emergency codes are sent (deployed) to the users using the following procedure;

  • We can send Emergency Codes to the users either by using the context menu option "Send" from the Emergency Code repository, or by using the button after selecting the emergency code for the user.

    Sending Emergency Codes directly from the Users' Account

    After navigating to "Directory | Users", it is possible to send the emergency code to the user using the following procedure;

    • Navigate to "Directory | Users", select the domain, search for the user to issue the code to, select the emergency code to be sent, then click on the button;


      Find the emergency code that is to be sent to the user, select the user then click the button;


      You will then be presented with the delivery channels that are available for this user, click on your selection from this list and the Emergency Code will be sent to the user;


      A confirmation message will be shown displaying if the code was sent successfully;

    Sending Emergency Codes from the Emergency Code Repository

    After navigating to "Repository | Emergency codes", it is possible to send the emergency code to the user using the following procedure;

    • Navigate to "Repository | Emergency codes", select the domain, then click on the button;

      Find the emergency code that is to be sent to the user, select the user then click the context menu option Send (selecting the method that the code is to be sent by);

      A confirmation message will be shown displaying if the code was sent successfully;

    Sending Emergency Codes using the Self-Service Console

    If the Self-Service Console is in use then within the console there is also a means by which users can request emergency codes;

    • It is also possible for emergency codes to be requested by the users themselves using the "Request" link (found in the bottom right hand corner of the "Emergency" menu option of the self-service console);

      From the main menu select the option "Emergency"

      Emergency Code details for the user will now be displayed;

      Select the emergency codes you wish sent;

      At the prompt "Send Emergency Codes by:" click on either the "Email" or "Text" icons to select how the codes are to be sent;

      A sending confirmation window will now open, click on "OK";

      Your selected emergency codes will now be sent to you using the selected message channel.

