I have a small question and hopefully someone has solved this already. When I enable One Time Password via e-mail, the e-mail with the OTP code is sent to the operator only when the operator logs in for the first time -or- when (s)he needs to change the password (for example via Force new password on next logon). In all other instances of logging in - from either the same terminal or a different PC - the operator is logged in without Pega asking for the OTP.
Any ideas on the logic behind this?
I have tried on Pega 7.4, 8.2 and 8.3.
We did manage to set pyLongLivedToken in a DT pyChangePasswordOTPParams and verified it was called before pxSendOTP but it did not make any difference.
Alternatively: how do you override the OTP behavior using Custom Authentication Service? The page I keep getting directed to only mentions creating either an activity or a JSON service, but gives no further information on how to implement this.
Partially answering my own question: You need to add Multi-Factor authentication to the Authentication Service record as well (for example: "Platform Authentication", "Security Policies" add: "Multi-Factor Authentication").
Next step: how do I override the code generation and validation for the entire system?
Not more than I stated before. You can add Two Factor Authentication in the Authentication Service rule (see image). But as for how to implement different TFA implementations, I don't know. Documentation about it is horribly bad in my opinion.