Struts Configuration File

Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager, Customizing User Flow

<action path="/expiredPassword"
        type="com.bharosa.uio.actions.ChangePasswordAction"
        parameter="ExpiredPassword">
  <forward name="changePassword" path="changePassword"/>
  <forward name="success" path="/exit.do"/>
  <forward name="updateStatus" path="/updateLoginStatus.do" redirect="true"/>
</action>

<action path="/forgotPassword"
        type="com.bharosa.uio.actions.ForgotPasswordAction">
  <forward name="forgotPassword" path="forgotPassword"/>
  <forward name="challenge" path="/challengeUserForgotPassword.do"/>
  <forward name="success" path="/exit.do"/>
  <forward name="noproxy" path="/updateForgotPasswordStatus.do"/>
</action>

<action path="/getUserInput"
        type="com.bharosa.uio.actions.UserInputAction">
  <forward name="showAuthenticator" path="userInput"/>
  <forward name="success" path="/exit.do"/>
</action>

<action path="/userPreferencesDone"
        type="com.bharosa.uio.actions.UserPreferencesDoneAction">
  <forward name="success" path="/exit.do"/>
  <forward name="exit" path="/exit.do"/>
</action>

<!-- action mappings for challenge user -->
<action path="/challengeUser"
        type="com.bharosa.uio.actions.ChallengeUserAction">
  <forward name="success" path="/exit.do"/>
  <forward name="challenge" path="challengeUser"/>
  <forward name="registerUser" path="/registerQuestions.do" redirect="true"/>
  <forward name="registerAuthenticator" path="/registerImage.do" redirect="true"/>
  <forward name="registerQuestions" path="/registerQuestions.do" redirect="true"/>
  <forward name="registerQuestionsHTML" path="/registerQuestions.do" redirect="true"/>
  <forward name="registerUserInfo" path="/registerUserInfo.do" redirect="true"/>
  <forward name="wait" path="challengeWait"/>
</action>

<action path="/challengeUserTrx"
        type="com.bharosa.uio.actions.ChallengeUserAction"
        parameter="transaction">
  <forward name="success" path="/exit.do"/>
  <forward name="challenge" path="challengeUser"/>
  <forward name="registerUser" path="/registerQuestions.do" redirect="true"/>
  <forward name="registerAuthenticator" path="/registerImage.do" redirect="true"/>
  <forward name="registerQuestions" path="/registerQuestions.do" redirect="true"/>
  <forward name="registerQuestionsHTML" path="/registerQuestions.do" redirect="true"/>
  <forward name="registerUserInfo" path="/registerUserInfo.do" redirect="true"/>
  <forward name="wait" path="challengeWait"/>
</action>

<action path="/challengeUserForgotPassword"
        type="com.bharosa.uio.actions.ChallengeUserAction"
        parameter="ForgotPassword">
  <forward name="success" path="/resetPassword.do" redirect="true"/>
  <forward name="forgotPassword" path="forgotPassword"/>
  <forward name="challenge" path="challengeUserForgotPassword"/>
  <forward name="wait" path="challengeWait"/>
</action>

<action path="/changeUserId"
        type="com.bharosa.uio.actions.ChangeUserNameAction">
  <forward name="success" path="/exit.do"/>
</action>

<!-- action mappings for message -->
<action path="/message"
        type="com.bharosa.uio.actions.MessageAction">
  <forward name="success" path="message"/>
</action>

<action path="/exit"
        type="com.bharosa.uio.actions.ExitAction">
  <forward name="success" path="/empty.jsp"/>
</action>

<action path="/error"
        type="com.bharosa.uio.actions.ErrorAction">
  <forward name="login" path="/loginPage.jsp" redirect="true"/>
</action>

</action-mappings>

<!-- The Tiles Request Processor for processing all the Tile requests -->
<controller processorClass="org.apache.struts.tiles.TilesRequestProcessor"/>

<!-- message resources -->
<message-resources parameter="proxyweb" null="false"/>

<!-- tiles plug-in -->
<plug-in className="org.apache.struts.tiles.TilesPlugin">
  <set-property property="definitions-config"
                value="/WEB-INF/tiles-def.xml,/WEB-INF/tiles-def-extension.xml"/>
  <set-property property="definitions-debug" value="0"/>
  <set-property property="definitions-parser-details" value="0"/>
  <set-property property="definitions-parser-validate" value="true"/>
  <set-property property="moduleAware" value="true"/>
</plug-in>

</struts-config>

10 Using Virtual Authentication Devices

Oracle Adaptive Access Manager includes unique functionality to protect end users while interacting with a protected web application. The virtual authentication devices are used to protect users during the process of entering and transmitting authentication credentials and provide them with verification they are authenticating on the valid application.
Each virtual authentication device (VAD) has its own unique set of security features that make it much more than a mere image on a web page.

This chapter contains the following sections:
■ Terminology
■ Virtual Authentication Devices and Set of Background Images
■ Virtual Authentication Types
■ Authenticator Composition
■ Virtual Authentication Device Properties
■ Displaying Virtual Authentication Devices
■ Enabling Accessible Versions of Authenticators
■ Localizing Virtual Authentication Device in OAAM 11g

10.1 Terminology

This section defines terms used in this chapter.

Table 10–1 VAD Terminology

Term: Description
Authenticator Authentipad: A control for user input included in OAAM that provides a keyboard and enables personalization.
Personalization: Assigning an image and generated phrase during registration. The phrase and image provide end users with verification they are authenticating on the valid application.
Virtual Keypad/Keyboard: A method for user input where the user clicks screen keys instead of an external keyboard.
Jitter: The act of moving key locations slightly each time the authenticator is generated.
Offset: The act of moving a whole key set on screen.
Key Randomization: The act of randomizing the key order.
Timestamp: A string generated from the current system time or client-side time.
Masking: Replacing characters in an HTML input field.
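The sketch below is an added illustration of the jitter, offset and key randomization terms from Table 10–1; it is not OAAM code or its API, and the function names, key sizes and ranges are assumptions. It builds a fresh layout per render and resolves click coordinates to characters on the server, so recorded coordinates mean nothing without that render's layout.

```python
import secrets
from dataclasses import dataclass

_rng = secrets.SystemRandom()  # CSPRNG, so layouts are not predictable


@dataclass(frozen=True)
class Key:
    char: str
    x: int
    y: int
    w: int
    h: int


def build_layout(chars="0123456789", cols=3, size=40, gap=12,
                 max_offset=30, max_jitter=4):
    """Return a new keypad layout (hypothetical helper); call once per render."""
    order = list(chars)
    _rng.shuffle(order)                      # key randomization: key order
    off_x = _rng.randint(0, max_offset)      # offset: whole key set moves
    off_y = _rng.randint(0, max_offset)
    layout = []
    for i, ch in enumerate(order):
        row, col = divmod(i, cols)
        # jitter: each key is nudged independently; gap > 2 * max_jitter
        # guarantees neighbouring keys never overlap
        jx = _rng.randint(-max_jitter, max_jitter)
        jy = _rng.randint(-max_jitter, max_jitter)
        layout.append(Key(ch,
                          off_x + col * (size + gap) + jx + max_jitter,
                          off_y + row * (size + gap) + jy + max_jitter,
                          size, size))
    return layout


def resolve_click(layout, x, y):
    """Map one click to a character on the server; None if no key was hit."""
    for k in layout:
        if k.x <= x < k.x + k.w and k.y <= y < k.y + k.h:
            return k.char
    return None


def decode_clicks(layout, clicks):
    """Decode a sequence of (x, y) clicks against the layout that was served."""
    chars = [resolve_click(layout, x, y) for x, y in clicks]
    if None in chars:
        raise ValueError("click outside any key")
    return "".join(chars)
```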

10.2 Virtual Authentication Devices and Set of Background Images

Virtual authentication devices are provided with Oracle Adaptive Access Manager as samples to use if you choose to. These samples are provided in English only. Source art and information in this chapter are provided to allow you to develop your own custom virtual authentication device frames, keys, personalization images and phrases. Alteration of these samples is considered custom development.

10.3 Virtual Authentication Types

The following authentication devices are described in this section:
■ TextPad
■ PinPad
■ QuestionPad
■ Keypad

10.3.1 TextPad

TextPad is a personalized device for entering a password or PIN using a regular keyboard. This method of data entry primarily helps to defend against phishing. TextPad is often deployed as the default for all users in a large deployment. Each user can then individually upgrade to another device if he wishes. The personal image and phrase a user registers and sees every time he logs in to the valid site serve as a shared secret between the user and server. If this shared secret is not presented, or is presented incorrectly, the user will notice. An example TextPad is shown in Figure 10–1.

Figure 10–1 TextPad

10.3.2 PinPad

PinPad is a lightweight authentication device for entering a numeric PIN. An example PinPad is shown in Figure 10–2.

Figure 10–2 PinPad

10.3.3 QuestionPad

QuestionPad is a personalized device for entering answers to challenge questions using a regular keyboard. The QuestionPad is capable of incorporating the challenge question into the Question image. Like other Adaptive Strong Authentication devices, QuestionPad also helps in solving the phishing problem. An example QuestionPad is shown in Figure 10–3.

Figure 10–3 QuestionPad

10.3.4 Keypad

KeyPad is a personalized graphics keyboard, which can be used to enter the alphanumeric and special characters that can be entered using a traditional keyboard. KeyPad is ideal for entering passwords and other sensitive data. For example, credit card numbers can be entered. An example KeyPad is shown in Figure 10–4.

Figure 10–4 KeyPad