Getting started with ForgeRock Identity Cloud journeys: Part 2 - Multi-Factor Authentication (MFA) journeys

This is Part 2 of 8 in the series Getting started with ForgeRock Identity Cloud journeys.

Building a journey with multiple factors of authentication (MFA) ~ 15 minutes

A journey can include multiple factors such as:

  • Password
  • Device
  • Biometric

ForgeRock Identity Cloud comes with ready-to-use nodes that can be used to build an MFA journey. The steps below guide you to build a journey with MFA.

MFA journey with the ForgeRock Authenticator app

Before getting started, install the ForgeRock Authenticator app from the App Store on iOS devices or the Play Store on Android devices.

The expected outcome of the MFA journey with the ForgeRock Authenticator app is as follows:

  • The journey starts with nodes that collect the username and password of the user.

  • The Data Store Decision node in the journey validates the collected credentials against a datastore.

  • If the validation against the datastore succeeds, the user can register a device by scanning a QR code on the screen using the Authenticator app installed on the device.

  • Upon successful registration of the device, the journey can be modified to optionally display a list of recovery codes.

  • By supplying the OTP generated in the ForgeRock Authenticator app, the user can gain access to the Identity Cloud end user dashboard.

Building the Authenticator application MFA journey

  1. In a supported browser, log into your Identity Cloud Admin UI.

  2. Go to Journeys > + New Journey.

  3. Using the following information as a reference, complete the new journey form:

    • Name: frAuthApp
    • Identity Object: Alpha realm – Users managed/alpha_user
    • Description: Journey that uses ForgeRock Authenticator Application for MFA
  4. Click Save.

  5. Drag the following nodes from the Nodes list onto the journey canvas. Use the Filter nodes search facility if needed:

    • Page Node (Utilities)
    • Platform Username (Identity Management)
    • Platform Password (Identity Management)
    • Data Store Decision (Basic Authentication)
  6. Drag the Platform Username node into the Page Node. Then drag the Platform Password node into the Page Node, below the Platform Username node.

  7. Connect nodes as shown in the screenshot below. To make a connection, hover the mouse over the outcome points of a node and drag the dotted arrow to another node.

  8. Drag the following nodes onto the canvas. Use the Filter nodes search facility if needed:

    • OATH Token Verifier (Multi Factor Auth)
    • OATH Registration (Multi Factor Auth)
  9. Connect the nodes as shown in the screenshot below.

    To complete the journey, a few more items are needed:

    • An option to display recovery codes once a device is registered.
    • A step to validate the OTP generated by the Authenticator application on the mobile device.
    • Configuration of the OATH Token Verifier node to accept recovery codes, plus another node to validate the recovery code.
  10. Drag the following nodes onto the canvas. Use the Filter nodes search facility if needed.

    • Recovery Code Display (Multi Factor Auth)
    • Recovery Code Collector Decision (Multi Factor Auth)
  11. Make the following node connections:

    • OATH Registration node Success outcome → Recovery Code Display node
    • Recovery Code Display node → OATH Token Verifier node
  12. Click on the OATH Token Verifier node to open the node properties window. Select the Allow Recovery Codes property at the bottom of the node property window.

  13. Close the OATH Token Verifier node property window. Notice the new outcome “Recovery Code” on the OATH Token Verifier node.

  14. Make the following node connections:

    • OATH Token Verifier node Recovery code outcome → Recovery Code Collector Decision node
    • Recovery Code Collector Decision node True outcome → Success node
    • Recovery Code Collector Decision node False outcome → Failure node
  15. Click Save.

Testing the ‘frAuthApp’ journey

The following steps expect that the ForgeRock Authenticator application is installed on an iOS or an Android device.

  1. Go to the list of journeys in the alpha realm of Identity Cloud and select the ‘frAuthApp’ journey.

  2. Copy the preview URL of the journey and paste it into a text editor for review. Note that the URL specifies the alpha realm and sets the authIndexValue parameter to the journey name. It appears as follows:

    https://<tenant_name>.forgeblocks.com/am/XUI/?realm=alpha&authIndexType=service&authIndexValue=frAuthApp
    
  3. In a supported browser, different from the one that has the Identity Cloud administrator’s active session, paste and go to the journey URL copied above.

  4. If you followed the steps in Part 1 of this Getting Started series, enter the credentials for the user ‘fruser1’ and click Next. If not, enter the credentials of a test user that already exists in your Identity Cloud tenant (Identity Cloud tenant UI > Identities > Manage).

    The Success outcome of the Data Store Decision node will take the user to the OATH Token Verifier node. When a device is not registered, the journey proceeds to the OATH Registration node, which then displays a QR code to the user to register a device.

  5. Scan the QR code displayed in the browser using the ForgeRock Authenticator application installed on the mobile device. Use the + option at the bottom right corner of the ForgeRock Authenticator app and then Scan QR Code to complete device registration.


  6. Click Next on the browser.

    The journey is now at the Recovery Code Display node and a set of recovery codes is displayed. Each code is valid only once.

  7. Copy the codes or print them for future use when the device registered is not accessible during authentication.

  8. Click Done.

    The journey is now back at OATH Token Verifier node, expecting a one-time passcode (OTP).

  9. Use the ForgeRock Authenticator application on the registered mobile device to view the OTP generated for the user account.

  10. Enter the OTP from the Authenticator application in the browser and click Submit. If it times out, use the newly generated OTP from the Authenticator application.

    The user has completed two factors of authentication to get to the end user dashboard page of Identity Cloud.

  11. Click Edit Your Profile to confirm that 2-Step Verification is turned on for the user.

  12. Sign out of the end user dashboard.

Modifying the ‘frAuthApp’ journey to provide MFA registration options

There may be situations where users expect flexible options to be presented to them, such as the option to defer device registration to a future login session.

This section covers adding additional nodes to the ‘frAuthApp’ journey to provide the following MFA options when the user’s device is not registered yet.

  • Register the device
  • Defer the registration of device

To modify the journey to provide MFA registration options:

  1. Access the Identity Cloud tenant URL and log in with the administrator credentials.

  2. Go to alpha > Journeys and click on the ‘frAuthApp’ journey.

  3. Make a copy of the ‘frAuthApp’ journey by clicking … next to the journey and selecting Duplicate.

  4. Keep the default values for a new journey and click Save.

    Save a copy of ‘frAuthApp’ as a backup. The new nodes will be added to the original ‘frAuthApp’ journey.

  5. Click ← Journeys to go back to the alpha realm Journeys list and edit the ‘frAuthApp’ journey.

  6. Click and drag the following nodes onto the journey.

    • MFA Registration Options (Multi Factor Auth)
    • Opt-out Multi-Factor Authentication (Multi Factor Auth)
  7. Connect nodes to build the journey as shown in the screenshot below.

  8. Click Save to save the journey.

  9. Click ← Journeys to return to the main page of Identity Cloud Admin UI.

  10. Create two more users in the alpha realm in your Identity Cloud Admin UI by going to Identities > Manage > +New Alpha realm – User. Use the following as a reference:

    • Username: fruser2
    • First Name: ForgeRock
    • Last Name: User2
    • Email Address: fruser2@example.com
    • Password: Rock5tar10$

Testing the modified ‘frAuthApp’ journey with MFA registration options

  1. In the Identity Cloud Admin UI, go to alpha > Journeys, select the ‘frAuthApp’ journey and copy its preview URL.

  2. In a supported browser different from the one that has the Identity Cloud administrator’s active session, open the ‘frAuthApp’ preview URL.

  3. On the login page, enter the credentials of the newly created user fruser2 and click Next.

    Since the user does not have a device registered with Identity Cloud yet, additional registration options are displayed.

  4. Click Skip this step.

    The user is logged into the end user dashboard successfully without MFA.

  5. Sign out of the end user dashboard.

Modifying the ‘frAuthApp’ journey with Get the App option

  1. In the Identity Cloud Admin UI, go to Journeys > ‘frAuthApp’ and click the preview image.

  2. Drag the Get Authenticator App (Multi Factor Auth) node onto the journey.

  3. Make the following node connections:

    • MFA Registration Options Get App Outcome → Get Authenticator App node
    • Get Authenticator App node → MFA Registration Options node

    The below screenshot of the modified journey can be used as a reference.

  4. Click Save.

Testing the modified ‘frAuthApp’ journey with Get the App option

  1. Access the ‘frAuthApp’ journey again.

  2. On the login page, enter the credentials of the same user you tested previously, for example, fruser2, and click Next.

  3. On the MFA registration options page, click on an option to get the app.

    Clicking on either of the links in the window displayed opens a new browser tab with ForgeRock Authenticator application details in Apple App Store or Google Play.

  4. Click Continue.

  5. Complete the journey by skipping the registration step.

  6. Sign out of the end user dashboard.

Debugging journeys

You can debug end user journeys in your development environment as you create them. By setting a journey to debug mode, you can view the information stored in shared, transient, and secure state as you navigate the journey. This lets you confirm that information is being passed correctly from node to node. Detailed documentation on debugging Identity Cloud end user journeys is available in the Identity Cloud docs.

Further reading

Other guides in the Getting started with ForgeRock Identity Cloud journeys series:


@rajeshr - We implemented this journey, but it has a bug: recovery codes cannot be displayed to the user if, in the OATH Registration node, Store device data in shared state = Enabled.

And if you disable Store device data in shared state, then even if you do not scan the QR code it allows you to move ahead and considers the registration done - a false alert.
And when the user tries to log in again, it asks them to enter the verification code.
And now the user is stuck, as he/she has not scanned the QR code.

Hi Srinath, cc: @rajeshr, @ramya.parimi

Thank you for bringing this to our attention and for implementing the journey outlined in our Getting Started guide.

It sounds like you’ve encountered a bug in the registration process, particularly regarding the display of recovery codes and the behavior when the “Store device data in shared state” option is enabled or disabled.

To expedite resolution and ensure we address this promptly, I suggest contacting our Support team by submitting a ticket. Your request will be prioritized, and our Support team will provide the necessary assistance to address the issue.

In the meantime, if you have any other pertinent information or have taken any steps that could assist us with our investigation, please don’t hesitate to share them with us. The additional context can help expedite the process of pinpointing the underlying cause.

Please refer to What should I include in my Support Ticket for additional guidance.

Thank you,

Sheila