Configuration: Allowed Authentication Factors

🎯 Purpose

Controls which authentication factors are available to users during the login process. This configuration directly impacts the user authentication experience and determines the security levels enforced by the system.


📍 Configuration Location

  • Module: Auth Server
  • Configuration Name: allowed.auth.factors
  • Access Path: Module Config Management → Auth Server → allowed.auth.factors

📊 Available Configuration Parameters

| Parameter | Type | Default Value | Description |
|---|---|---|---|
| rememberMe | boolean | true | Enables browser remember functionality |
| smsOtp | boolean | true | Enables SMS OTP as Level 2 authenticator |
| emailOtp | boolean | true | Enables Email OTP as Level 2 authenticator |
| alwaysAskForPassword | boolean | false | Forces password requirement for all users |

🔧 Parameter Details

🌐 rememberMe

  • Function: Controls browser remembering capability
  • When Enabled: Users see a "Remember Me" checkbox during authentication
  • User Experience: Selected browsers remain trusted for 1 year (default duration)
  • Security Impact: Reduces authentication friction on trusted devices, at the cost that anyone with access to a remembered browser profile skips the factors it replaces for the rest of the trust period; weigh this against shared-device and device-theft risk
  • Admin Control: Can be disabled to prevent browser remembering

📲 smsOtp

  • Function: Controls SMS OTP availability for authentication
  • When Enabled: SMS OTP appears as a Level 2 authenticator option
  • Prerequisites: User must have a registered mobile number
  • User Experience: Users receive 6-digit codes via text message
  • Security Impact: SMS is the weakest of the available Level 2 channels (exposed to SIM swap, number porting and message interception); Push and Time-based OTP remain available if it is disabled
  • Admin Control: Can be disabled to remove the SMS option entirely

📧 emailOtp

  • Function: Controls Email OTP availability for authentication
  • When Enabled: Email OTP appears as a Level 2 authenticator option
  • Prerequisites: User must have a registered email address
  • User Experience: Users receive 6-digit codes via email
  • Security Impact: Assurance is bounded by the security of the user's mailbox; a compromised mailbox yields this factor as well as any email-based recovery
  • Admin Control: Can be disabled to remove the email option entirely

🔒 alwaysAskForPassword

  • Function: Forces password requirement regardless of other factors
  • When Enabled: All users must enter password during login
  • User Experience: Both username and password fields displayed
  • Security Impact: Ensures password-based first factor for all authentications
  • Use Case: Organizations requiring mandatory password verification

📋 Authentication Factor Control Matrix

| Authentication Factor | Hard-Coded | Configurable | Admin Override |
|---|---|---|---|
| 🔔 REL-IDverify Push Notification | ✅ Always Available | ❌ Cannot Disable | ❌ No Control |
| 📱 Time-based OTP (Mobile App) | ✅ Always Available | ❌ Cannot Disable | ❌ No Control |
| 🌐 Saved Browser (rememberMe) | ❌ Optional | ✅ Configurable | ✅ Full Control |
| 🔒 Password (alwaysAskForPassword) | ❌ Optional | ✅ Configurable | ✅ Full Control |
| 📲 SMS-based OTP (smsOtp) | ❌ Optional | ✅ Configurable | ✅ Full Control |
| 📧 Email-based OTP (emailOtp) | ❌ Optional | ✅ Configurable | ✅ Full Control |
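The matrix above and the parameter details before it describe a small policy: two factors are fixed, four are toggled by `allowed.auth.factors`, and two of the toggled ones also depend on what the user has enrolled. The following is an added example, written for this page and not the Auth Server's own code, that resolves the effective factor set for a given user and lints the configuration for its weaker settings. The parameter names and defaults are taken from the page; the JSON layout of the config, the `UserProfile` fields and the factor labels are assumptions made for the example.

```python
"""Resolve the effective factor set from allowed.auth.factors.

Added example (hypothetical helper code, not the Auth Server's implementation).
Parameter names/defaults follow the configuration page; the JSON key/value
layout, the UserProfile fields and the factor labels are assumptions.
"""
import json
from dataclasses import dataclass

# Factors the control matrix marks "Always Available": no parameter switches them off.
HARD_CODED_FACTORS = ("REL-IDverify Push Notification", "Time-based OTP (Mobile App)")
PARAMETERS = {"rememberMe", "smsOtp", "emailOtp", "alwaysAskForPassword"}


@dataclass(frozen=True)
class AllowedAuthFactors:
    rememberMe: bool = True            # defaults as documented on the page
    smsOtp: bool = True
    emailOtp: bool = True
    alwaysAskForPassword: bool = False

    @classmethod
    def from_json(cls, text: str) -> "AllowedAuthFactors":
        """Parse a JSON object holding the four booleans (layout assumed).
        Unknown keys and non-boolean values are rejected, not silently ignored:
        a typo such as "smsOTP" must not leave the default (enabled) in force."""
        raw = json.loads(text)
        if not isinstance(raw, dict):
            raise ValueError("config must be a JSON object")
        unknown = set(raw) - PARAMETERS
        if unknown:
            raise ValueError(f"unknown parameter(s): {sorted(unknown)}")
        for key, value in raw.items():
            if not isinstance(value, bool):
                raise ValueError(f"{key} must be a JSON boolean, got {value!r}")
        return cls(**raw)


@dataclass(frozen=True)
class UserProfile:
    has_password: bool            # a password has been set for the account
    mobile_registered: bool       # prerequisite for SMS OTP
    email_registered: bool        # prerequisite for Email OTP
    browser_remembered: bool      # this browser was saved via "Remember Me"


def level2_factors(cfg: AllowedAuthFactors, user: UserProfile) -> list:
    """Level 2 authenticators offered to this user: the hard-coded pair plus
    each configurable factor that is both enabled and enrolled."""
    factors = list(HARD_CODED_FACTORS)
    if cfg.smsOtp and user.mobile_registered:
        factors.append("SMS-based OTP")
    if cfg.emailOtp and user.email_registered:
        factors.append("Email-based OTP")
    return factors


def password_step(cfg: AllowedAuthFactors, user: UserProfile) -> str:
    """'required', 'optional', or 'blocked' (alwaysAskForPassword is on but the
    user has no password, so login cannot complete)."""
    if cfg.alwaysAskForPassword:
        return "required" if user.has_password else "blocked"
    return "optional"


def browser_trust_honoured(cfg: AllowedAuthFactors, user: UserProfile) -> bool:
    """A saved browser only shortens the flow while rememberMe is enabled;
    disabling it forces full authentication even on previously saved browsers."""
    return cfg.rememberMe and user.browser_remembered


def posture_warnings(cfg: AllowedAuthFactors) -> list:
    """Reviewer-style checks on the weaker settings (the example author's
    recommendations, not the product's). Empty list means nothing to flag."""
    warnings = []
    if cfg.rememberMe:
        warnings.append("rememberMe: saved browsers stay trusted for 1 year by default; "
                        "anyone holding that browser profile skips the factors it replaces")
    if cfg.smsOtp:
        warnings.append("smsOtp: SMS is exposed to SIM swap and interception; "
                        "Push and Time-based OTP are always available as stronger options")
    if cfg.emailOtp:
        warnings.append("emailOtp: assurance is bounded by the mailbox's own security")
    if not cfg.alwaysAskForPassword:
        warnings.append("alwaysAskForPassword=false: some users authenticate with username "
                        "plus a Level 2 factor only; confirm this matches policy")
    return warnings


if __name__ == "__main__":
    # Constructed sample config: hardened relative to the defaults.
    cfg = AllowedAuthFactors.from_json(
        '{"rememberMe": false, "smsOtp": false, "emailOtp": true, "alwaysAskForPassword": true}')
    user = UserProfile(has_password=True, mobile_registered=True,
                       email_registered=True, browser_remembered=True)
    print("password step:", password_step(cfg, user))
    print("level 2 factors:", level2_factors(cfg, user))
    print("saved browser honoured:", browser_trust_honoured(cfg, user))
    for w in posture_warnings(cfg):
        print("WARN", w)
```

The strict parser is the part worth copying: because every factor on this page defaults to enabled, a misspelled key or a quoted `"false"` fails open, so the example rejects both instead of falling back to defaults.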

🎯 Configuration Impact on User Experience

When rememberMe = true

  • ✅ "Remember Me" checkbox visible during login
  • ✅ Users can save browsers for future quick access
  • ✅ Account chooser appears on trusted browsers
  • ✅ Reduced authentication steps for returning users

When rememberMe = false

  • ❌ No browser remembering option available
  • ❌ Users must complete full authentication every time
  • ✅ Higher security through mandatory factor verification
  • ❌ Increased authentication friction

When smsOtp = true

  • ✅ SMS OTP available as second factor option
  • ✅ Users can register mobile numbers
  • ✅ Text message delivery for authentication codes
  • ✅ Works with any SMS-capable mobile phone

When smsOtp = false

  • ❌ SMS OTP not available during authentication
  • ❌ Users cannot use mobile numbers for verification
  • ❌ SMS-based account recovery may be limited
  • ✅ Eliminates SMS delivery dependencies

When emailOtp = true

  • ✅ Email OTP available as second factor option
  • ✅ Users can register email addresses
  • ✅ Email delivery for authentication codes
  • ✅ Works with any email account

When emailOtp = false

  • ❌ Email OTP not available during authentication
  • ❌ Users cannot use email addresses for verification
  • ❌ Email-based account recovery may be limited
  • ✅ Eliminates email delivery dependencies

When alwaysAskForPassword = true

  • ✅ Password required for all users
  • ✅ Both username and password fields shown
  • ✅ Consistent authentication experience
  • ❌ Users without passwords cannot authenticate

When alwaysAskForPassword = false

  • ❌ Password optional based on user setup
  • ✅ Username-only entry for some users
  • ✅ Flexible authentication paths
  • ✅ Mobile-first user experience possible