Access Management 7.2.2

The ForgeRock Authenticator app

The ForgeRock Authenticator app supports push authentication notifications and one-time passwords.

Download and install the ForgeRock Authenticator app on your phone, so that you can perform multi-factor authentication. The app is available for both Android and iOS devices, and is free to download from:

For access to the source code for sample mobile applications, see How do I access and build the sample code provided for AM/OpenAM (All versions)? in the ForgeRock Knowledge Base.

Register the ForgeRock authenticator for multi-factor authentication

Registering the ForgeRock Authenticator app enables it to be used as an additional factor when logging in to AM.

The ForgeRock Authenticator app supports registration of multiple accounts and multiple different authentication methods in each account, such as push notifications and one-time passwords.

For information on registering Web Authentication (WebAuthn) devices with AM, see Create trees for Web Authentication (WebAuthn).

ForgeRock Authenticator registration only needs to be completed the first time an authentication method is used with an identity provider. Use of a different authentication method may require that registration with the identity provider is repeated for that additional method.

The ForgeRock Authenticator needs access to the internet to register to receive push notifications. Registering for one-time password authentication does not require a connection to the internet.

  1. When visiting a protected resource without having any registered devices for multi-factor authentication, AM requires that you register a device.

    These are the screens you see the first time you authenticate when using a ForgeRock Authenticator authentication module if you have not previously registered a device. You must either register a device with AM, or opt out in the case of one-time passwords using the ForgeRock Authenticator (OATH) module.

    To register your mobile phone with AM, click Register Device.

    This is the screen you see after requesting to register a device during the multi-factor authentication if you have no devices registered yet.
  2. Start the ForgeRock Authenticator app on the device to register, and click the plus icon:

    This is the screen you see when you bring up the ForgeRock Authenticator app for the first time.

    The screen on the device changes to an interface similar to your camera app.

  3. Point the camera at the QR code on the AM page and the ForgeRock Authenticator app will acquire the QR code and read the data encoded within.

    If you are logging in to AM on the registered device and cannot scan the screen, click the button labeled On a mobile device?. The ForgeRock Authenticator app will request permission to launch. If allowed, the information required to register the device will be transferred to the ForgeRock Authenticator app directly, without the need to scan the QR code.

    Point your mobile phone at the QR code to register for multi-factor authentication.
  4. Once registered, the app displays the registered accounts and the authentication methods they support, for example one-time passwords (a timer icon) or push notifications (a bell icon):

    The icons next to a registered account represent the authentication factors supported. The timer icon represents one-time password support. The bell icon represents push notification support.
  5. When registering a device, you MUST make a copy of the recovery codes associated with that device.

    Depending on the device type you registered, perform one of the following steps:

    1. If you registered an OATH device:

      • Click the Login Using Verification Code button.

        You will be asked to enter a verification code.

      • In the ForgeRock Authenticator app, click the newly registered account, and click the refresh button to generate a new one-time password.

      • Enter the one-time password into the web page, and click Submit.

      • On the recovery codes page, make a copy of the displayed recovery codes and store them safely. The codes will never be displayed again.

        recovery-codes-oath

        When you have safely stored the recovery codes for your newly registered OATH device, click the Continue button.

    2. If you registered a push device:

      • On the recovery codes page, make a copy of the displayed recovery codes and store them safely. The codes will never be displayed again.

        recovery-codes-push

        When you have safely stored the recovery codes for your newly registered push device, click the Continue button.

Your device is registered. You can now use it to perform multi-factor authentication.