Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry 2FA
  3. BlackBerry 2FA - Server Configuration Guide
  4. Authentication options

Authentication options

BlackBerry 2FA
 offers the following authentication options:
If a user is assigned any two-factor option, they are also automatically allowed to use an OTP token if one is assigned to the user.
Authentication option
Description
Useful when
Two-factor authentication with enterprise password
When a user logs in, they supply a username and a directory password and then receive a prompt to confirm the authentication request on the device.
If a user is assigned this option, they are automatically allowed to use an OTP token if one is assigned to the them.
This option is supported on all devices.
Your organization places security as its most important goal for any deployment.
Two-factor authentication with passive device password
When a user logs in, they only supply a username and then receive a prompt to confirm the authentication request. If the device is locked, the user must provide the device password before they can confirm the prompt.
If a user is assigned this option, they are automatically allowed to use an OTPtoken if one is assigned to the them.
For
BlackBerry 10
 devices, users must provide the work space password if the work space is locked.
This option is supported on all devices.
Your organization places usability as its most important goal for any deployment.
Two-factor authentication with active device password
When a user logs in, they only supply a username and then they receive a prompt to confirm the authentication request on their device. The user must always provide the device password before they can confirm the prompt.
If a user is assigned this option, they are automatically allowed to use an OTP token if one is assigned to the them.
For
BlackBerry 10
 devices, users must provide the work space password.
This option is supported for
BlackBerry 10
 and
BlackBerry
 OS (version 6.0 to 7.1) devices only.
Your organization stresses usability but wants to guard against someone picking up an unlocked device and accepting the device prompt.
Single-factor authentication using enterprise password
Users log in using
Microsoft Active Directory
 authentication only.
  • The user does not have a device.
  • The user has forgotten or lost their device.
  • The user does not need to use a second factor of authentication.
In
BlackBerry 2FA
 version 2.5, you can configure user authentication options in several different ways. By default, authentication options are configured using a
BlackBerry 2FA
 profile in
BlackBerry UEM
. However, you can override this default configuration for authentication requests sent through the REST API or through VPN gateways and other RADIUS clients. For more information, see Configuring REST API endpoint connectivity or Configuring a connection between the BlackBerry 2FA server and a VPN gateway.