Managed Access Gateway One-Time Password Guide
Version 1.0
February 2017

Contents

About One Time Password (OTP)
OTP Credential Types
What is the Proofing Upgrade?
How to Determine if You Require the Proofing Upgrade
About the Registration Process
Purchasing
Purchasing an OTP Credential through your MAG Account
Registering OTP Credentials
Adding the Proofing Upgrade to OTP Credentials
About Live Video Proofing
Rescheduling a Video Proofing Appointment
Completing Identity Proofing and Activating Your OTP Credential
About Credit Bureau-Based Proofing
Completing Credit Bureau-Based Proofing
Activating your OTP Credential after Completing Credit Bureau-Based Proofing
Registering OTP Credentials without the Proofing Upgrade
Registering the OTP Hardware Token without the Proofing Upgrade
Registering Phone OTP without the Proofing Upgrade
Credential Elevation
Elevating Using the OTP Hardware Token
Elevating Using Phone OTP
Additional OTP User Guides

About One Time Password (OTP)

A One Time Password (OTP) credential generates a single-use password on a physical credential each time you log into Exostar's Managed Access Gateway (MAG) to access an application. Shared MAG user accounts, phone numbers or devices are NOT permitted.

The OTP credential is used in combination with your MAG user ID and password. Using this two-factor authentication (password + OTP credential) reduces the risk of unauthorized access to your account and provides added security.

OTP Credential Types

Depending on the credential requirement for the partner application you are accessing, you will require an OTP Hardware Token without the proofing upgrade, OTP Hardware Token with the proofing upgrade, Phone OTP without the proofing upgrade or Phone OTP with the proofing upgrade.

What is the Proofing Upgrade?

Upgrading the credential includes adding identity proofing to the credential. The proofing upgrade increases the Level of Assurance (LOA) Exostar and application owners have about your identity when using the credential.

Identity proofing is the process of verifying your identity with Exostar. Users in the US are prompted to answer questions about their credit history provided by a credit bureau. Users outside of the US, or those in the US who are unable to complete credit bureau-based questions, will be required to complete agent-based proofing with a proofing agent via webcam, someone in your company, or someone within your buyer's organization.

How to Determine if You Require the Proofing Upgrade

Users can determine if they require an OTP credential with the proofing upgrade based on the application(s) that they access through Exostar's Managed Access Gateway (MAG). Most partner applications will require OTP with the proofing upgrade. However, several of the BAE Systems applications accept the OTP credential without the proofing upgrade.

Please note that the credential requirement for a partner application is determined by the partner and not Exostar. If you are unsure what the credential requirement is, please contact Exostar Tier I Support.

About the Registration Process

In order to obtain an OTP credential, a purchase is required. Once the purchase has been completed and payment has been received, the purchaser will receive a license key via email. This is required as part of the OTP registration process. The license key you purchase will determine whether you are guided through Identity Proofing as part of the OTP registration process. After the license key has been entered, you will need to complete registration.

Purchasing

Before completing a purchase, please ensure that you have or will have access to the application that requires the OTP credential. If you are unsure if you require access to the application, please work with your buyer partner or your MAG Application Administrator.

If you are an existing MAG account holder, you can purchase OTP credentials by logging into your Exostar Managed Access Gateway (MAG) account and clicking on Billing and Support. If you are certain that you require an OTP credential but do not have a MAG account, please visit the Exostar Webstore.

Purchasing an OTP Credential through your MAG Account

Log into your Exostar Managed Access Gateway (MAG) account and click on Billing and Support.

If you have never logged into your MAG account, you will need to complete First Time Login.

After clicking on Billing & Support, click on Exostar Webstore-Home Page. You will be able to purchase OTP Credentials or the upgrade from Exostar's webstore.

You will need to select the OTP credential that you require and click Purchase Now. If you are purchasing an upgrade, click on the credential that you currently have that you wish to add the upgrade to.

If purchasing Phone Based OTP, select the partner that you are doing business with and then make the appropriate selection.

If purchasing OTP Hardware Token, select the partner that you are doing business with and then make the appropriate selection.

Once you have made your selection, click Add to Cart.

If you have purchased an upgrade, you will need to select the users that you want to purchase the upgrade for. You will be unable to select users who do not require the upgrade. After making your upgrade selections, click Add to Cart.

After you click Add to Cart, the item will appear in your cart. Click Proceed to Checkout.

You will be presented with the Payment Information page. You will have the option to pay by credit card or by invoice. Enter your payment information and click Continue.

Note: If you select the invoice option, your payment must be received and processed before you will receive the license key to complete the activation of your OTP credential. Additionally, if you have a Reference or PO Number for your invoice, you must submit it to transactions@exostar.com.

Please review your order and the disclaimer. Before submitting your order, you will need to check the box acknowledging you have read and agree to the disclaimer.

You will receive an order confirmation page with your sales order. You will also receive an order email notification. Once payment has been received, you will receive a second email with the activation for your license key. You need this license key before you initiate the process of registering your OTP credential. If you have purchased an upgrade, you will not receive a license key.

IMPORTANT: A single license key may contain one or more licenses, depending on the quantity purchased (e.g. if the purchaser purchases five licenses within a single transaction, one license key will be issued that can be used by five different MAG users). Once a license key has been utilized by a MAG user to begin the OTP registration process, one license will be applied to that MAG user's account and the number of licenses on that key will be reduced by one. However, if the MAG user needs to restart the registration process, the user may use the same license on the license key again as long as they are restarting the registration process with the user id that was previously used.

Registering OTP Credentials

Log into your Exostar Managed Access Gateway (MAG) account with your username and password. Once you are logged in, select the My Account tab and then the Manage OTP sub-tab.

If you are activating a telephone-based credential (Phone OTP), you will have the opportunity to test your phone's ability to receive SMS (text) messages or voice calls from Exostar before you start the registration process. Testing your phone allows you to verify that your mobile telephone or land-line telephone is able to receive messages.

Before beginning the registration process, please click What is required of me and review the information. Check I understand what is required of me when you are ready to proceed. Enter the license key that you received via email in the License Key field and click Register.

If you are registering an OTP Hardware Token, please reference the OTP Hardware Token User Guide. If you are registering a Phone OTP credential, please reference the Managed Access Gateway Phone One-Time Password Guide.

Adding the Proofing Upgrade to OTP Credentials

Once a purchase has been completed and payment has been received for the upgrade, the user will need to complete identity proofing. Users who registered an OTP credential that went through the Boeing vetting process prior to June 2016 already have a proofing upgrade licensed to their accounts and will be able to upgrade proofing without having to complete a purchase.

Identity proofing is the process of verifying your identity with Exostar by answering credit bureau-based questions. Users who are unable to complete credit bureau-based questions will be required to complete agent-based proofing with a proofing agent via webcam, someone in your company or someone within your buyer's organization.

If you are based internationally, you will have to complete live video proofing. Answering credit bureau-based questions is not an available option for international users.

Log into your MAG account and select Manage OTP. From the Proofing Upgrade section, review the information and check the I understand what is required of me box. Click Upgrade.

Note: In order for a user to proceed with an upgrade from the Manage OTP section of their MAG account, a purchase and payment are required. Users who registered an OTP credential that went through the Boeing vetting process prior to June 2016 already have a proofing upgrade licensed to their accounts and will be able to upgrade proofing without having to complete a purchase.

You will need to confirm your legal first and last name. You will also need to select your country. After completing these actions, click Next.

A. If you are located in the United States, you will be asked to answer questions about your credit history to prove your identity.
B. If you do not answer the questions correctly but the credit bureau is able to locate you with your personal information (e.g. name and address), you will receive the activation code via postal mail.
C. Users in the US who cannot be located by the credit bureau, those in the US who opt out of credit history proofing, or those outside of the US will be required to complete agent-based proofing with a proofing agent via webcam.

To opt out of credit history proofing, click I Disagree. You will need to follow the steps to be routed to schedule a live video proofing appointment. After clicking I Disagree, you cannot be routed back to complete credit bureau-based questions.

Credit history proofing and video proofing are described in detail in the sections below.

About Live Video Proofing

Exostar's Live Video Proofing requires you to present valid Government-issued photo identification to prove your identity to an Exostar Proofing Agent over a live webcam-based proofing session. Please review the Acceptable Documentation requirements.

Exostar Live Video Proofing takes place within an encrypted Cisco Webex meeting. Before your appointment we highly recommend performing the Webex System Test on your machine, as there will be very limited time during the proofing session to troubleshoot your system configuration. Excessive troubleshooting time during the proofing appointment will likely result in the need to reschedule.

For additional information about live video proofing requirements, including acceptable documentation and troubleshooting, please reference the Live Video Proofing Resource page. Mobile devices running the Cisco WebEx app may also be used.

Scheduling a Video Proofing Appointment

You will need to review the information and confirm that you have a functioning webcam (by checking the box) before clicking Next.

To schedule your proofing appointment, click Click! to Schedule. Select an appointment date and time from the calendar.

Once you have selected a date and time, click Continue. Enter your contact information and click Confirm.

You will receive an appointment confirmation page. You should also receive an appointment confirmation email. You will be contacted by an Exostar Proofer on your scheduled appointment date. The proofing appointment can take up to 30 minutes.

Rescheduling a Video Proofing Appointment

If you need to reschedule your proofing appointment, from your MAG account, select the My Account tab, Manage OTP and click Reschedule Proofing.

You will be presented with the option to schedule a new appointment date.

Completing Identity Proofing and Activating Your OTP Credential

On your scheduled appointment date, you will be contacted by an Exostar Proofer. You will be required to answer a series of yes or no questions and provide your acceptable, unexpired identification via a webcam to the proofer.

If you successfully complete proofing, you will be provided with an activation code. The activation code will be required to complete the registration process for your mobile or land-line telephone.

If you do not successfully complete the proofing appointment, you will need to reschedule your appointment from your MAG account. The Exostar Proofer will not be able to schedule a new proofing appointment on your behalf.

To complete the activation of Phone OTP Credential after completing live video proofing, please reference the Managed Access Gateway Phone One-Time Password User Guide. To activate your OTP Hardware Token after completing live video proofing, please reference the OTP Hardware Token User Guide.

About Credit Bureau-Based Proofing

Exostar's credit bureau-based proofing requires you to verify your identity by answering questions about your credit history to register your credential. If you successfully complete these questions, you will be instructed to register your credential. Credit Bureau-Based Proofing is only available for users located in the United States.

Completing Credit Bureau-Based Proofing

After entering your license key (illustrated on page 8), you will need to confirm your legal first and last name. You will also need to select your country. After completing these actions, click Next.

If you are located within the United States, you have the option to answer credit bureau-based questions. Enter the required information and review the credit bureau consent document before clicking on I Agree.

You will be presented with a list of questions. After selecting your responses, click Next.

Note: If you do not answer the questions correctly but the credit bureau is able to locate you with your personal information (e.g. name and address), you will receive the activation code via postal mail (for additional information about being directed to the mail option during the phone OTP activation process, please see the FAQs).

Activating your OTP Credential after Completing Credit Bureau-Based Proofing

If you successfully answer the questions, you will be directed to register your OTP credential.

To complete the activation of Phone OTP Credential after completing live video proofing, please reference the Managed Access Gateway Phone One-Time Password User Guide. To activate your OTP Hardware Token after completing live video proofing, please reference the OTP Hardware Token User Guide.

Registering OTP Credentials without the Proofing Upgrade

After you have entered the license key and clicked Register (illustrated on page 9), you will need to complete the registration process for the appropriate credential.

Registering the OTP Hardware Token without the Proofing Upgrade

You will need to confirm your legal first and last name. You will also need to select your country. After completing these actions, click Next.

You will receive a notification alerting you that you can use multiple credentials. Click Submit.

Enter the Token Serial Number. This can be found on the back of the hardware token.

Press the button on your OTP Hardware Token to generate the first password. Enter this number into the One-Time Password One field. Wait 30 seconds. Press the button on your OTP Hardware Token to generate the second password. Enter the number into the One-Time Password Two field. Click Submit.

NOTE: Clicking Skip to Next allows you to register a Phone OTP credential or register an OTP Hardware Token at a later time.

You will receive a notification alerting you that you have successfully registered your OTP Hardware Token. Click Complete.

You have now registered your OTP Hardware Token. If you would like to elevate your current credential strength from username and password to OTP Hardware Token, please reference the Credential Elevation section in this guide.

Registering Phone OTP without the Proofing Upgrade

You will need to confirm your legal first and last name. You will also need to select your country. After completing these actions, click Next.

You will receive a notification alerting you that you can use multiple credentials. Click Submit.

Select the delivery method that you want to receive the OTP code on and complete the required fields. Once you have completed all fields, click Send Code.

Enter the verification code that you received through your registered delivery method. Click Submit. This may take a few minutes to receive. Please note that the code expires two minutes after you receive it. You can resend the code by selecting Resend Code.

You will receive a message stating that you have successfully registered your phone. You will have the ability to add an additional phone. If you would like to add another phone at a later time, click Complete.

Credential Elevation

MAG provides you with the ability to change what credential strength you are logged in with. For example, if you are trying to access an application that requires the OTP credential and you have logged in using only your username and password, you can use credential elevation to change what credential you used to log in, without having to log out and log back in with the correct credential.

You can confirm your credential strength from your MAG account. This information will be located in the upper right-hand side of the page.

Elevating Using the OTP Hardware Token

From My Account, Manage OTP, click Elevate.

You will be prompted to enter a one-time password. Press the button on your OTP Hardware Token to generate the password. Enter the number into the One-Time Password field. After you have entered the number, click Authenticate.

Your credential strength will now say Hardware OTP. You can now access the application(s) from your Home tab that require this credential strength.

Elevating Using Phone OTP

To elevate using Phone OTP, go to My Account, Manage OTP and click Elevate.

Select the phone that you want to receive the OTP code on so you can elevate. Click Send.

You will receive the OTP code on your telephone. Enter the code in the OTP Code field. Click Submit.

Note: Once you receive the code, the code expires after two minutes. You can resend the code by selecting Resend Code.

Your credential strength will now say Phone OTP. You can now access the application(s) from your Home tab that require this credential strength.

Additional OTP User Guides

Product-specific information about registration, identity proofing, credential management and more can be found in the OTP Hardware Token User Guide and the Phone OTP User Guide. OTP Support Guides can be accessed at http://www.myexostar.com/one-time-password/.
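
The two-minute expiry and Resend Code behaviour described for Phone OTP, seen from the verifying side. This is an added example, not Exostar's code: the class name, the six-digit code length, the attempt limit and the rule that a resend replaces the earlier code are all assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120  # from the guide: the code expires after two minutes
MAX_ATTEMPTS = 5        # assumption: the guide states no attempt limit


class PhoneOtpChallenge:
    """Hypothetical server-side state for one phone's outstanding OTP code."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._code = None        # bytes of the code currently outstanding
        self._issued_at = None
        self._attempts = 0

    def send_code(self):
        """Issue a fresh code (Send Code / Resend Code).

        Assumption: a resend replaces the previous code, so only the most
        recently delivered code can be accepted. A real service would also
        rate-limit how often this can be called.
        """
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded
        self._code = code.encode()
        # The server can only time from issuance, not from receipt.
        self._issued_at = self._clock()
        self._attempts = 0
        return code              # handed to the SMS or voice channel

    def verify(self, submitted):
        """Return 'ok', 'invalid', 'expired', 'locked' or 'no_code'."""
        if self._code is None:
            return "no_code"
        if self._clock() - self._issued_at > CODE_TTL_SECONDS:
            self._code = None
            return "expired"
        if self._attempts >= MAX_ATTEMPTS:
            return "locked"      # stays locked until a new code is sent
        self._attempts += 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(submitted.encode(), self._code):
            self._code = None    # single use: the code cannot be replayed
            return "ok"
        return "invalid"
```
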