SAP Knowledge Base Article - Public

2364650 - Mobile: Password Difference

Symptom

The mobile application uses multiple passwords:


• Web Login Authentication Password
• SuccessFactors Profile Password
• Device Password
• Authentication Login Password for Device Profile Activation

Resolution

Web Authentication Login Password

When a user logs in to the web site through a browser, a password must be entered.

• This is the Web Access password.
• It is required for authentication, login, and self-activation of mobile.
• The system defines a dummy password, and the user is required to change it to their own password.
• IT defines the rules and restrictions for the password.

Secured: by BizX or IdP. Never stored on device.
Rules: BizX or IdP password rules

* BizX is the SuccessFactors web service
* IdP is the Identity Provider

SuccessFactors Profile Password

Once the user has activated a profile for the device, if the Mobile administrator has enabled the password feature, the user is required to choose a password.
This is the Profile Password, which is used to access the device app's secure storage.
• The IT Mobile administrator enables the password feature and defines the rules for the password.
• The user chooses the Device Profile Password during the activation phase.
• The user is required to enter the password when the application launches.
• The user is required to enter the password when the application goes to the background and returns to the foreground.

Secured: by the SAP DataVault component, which follows best practices: the password is never stored in the app sandbox but is derived on the fly to compute the final encryption key (hashed with a profile-specific seed and a number of hash iterations, using PBKDF2; the seed is stored in the most secure OS persistence, e.g. the iOS keychain).
Rules: Mobile OS rules, possible to preconfigure via MDM

Figure: Activation and Define Password flow

Figure: Using Device Profile Password

Device Password

A password is required when unlocking the mobile device.
• The user chooses to enable a device password.
• MDM forces the user to set up a password/advanced password.
• The user defines the password.


Secured: by the mobile OS, which likely follows best practices: the password is never stored on the device but is derived on the fly to compute the final encryption key (probably hashed with an OS device seed and a number of hash iterations, probably using PBKDF2).
Rules: Mobile OS rules, possible to preconfigure via MDM
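
The scheme described for the SuccessFactors Profile Password and the Device Password (password never stored, key derived on the fly with PBKDF2 from a stored seed) looks like this in Python. This is an added example, not SAP DataVault or mobile OS code; the iteration count, seed length, hash function, key check value and all function names are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; the article does not state the real one
SEED_LEN = 16          # assumed seed (salt) size in bytes
KEY_LEN = 32           # 256-bit derived key
CHECK_LABEL = b"profile-key-check"  # hypothetical constant for the key check value


def derive_key(password: str, seed: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the password with PBKDF2-HMAC-SHA256 and the per-profile seed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), seed,
                               iterations, dklen=KEY_LEN)


def create_profile(password: str) -> dict:
    """Return what is persisted at activation. The password itself is not in it."""
    seed = os.urandom(SEED_LEN)  # on a device this would live in the OS keystore
    key = derive_key(password, seed)
    # Key check value: lets unlock() reject a wrong password without storing it.
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"seed": seed, "iterations": ITERATIONS, "check": check}


def unlock(profile: dict, password: str):
    """Re-derive the key on the fly; return it only if the check value matches."""
    key = derive_key(password, profile["seed"], profile["iterations"])
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    if hmac.compare_digest(check, profile["check"]):  # constant-time comparison
        return key  # handed to the storage cipher and kept in memory only
    return None


if __name__ == "__main__":
    profile = create_profile("constructed-sample-password")  # constructed input
    print("persisted fields:", sorted(profile))
    print("correct password unlocks:",
          unlock(profile, "constructed-sample-password") is not None)
    print("wrong password rejected:", unlock(profile, "guess") is None)
```

Anyone who obtains the persisted record can test password guesses offline against the check value, just as they could against the encrypted data, so the iteration count and the password rules are what bound the guessing rate.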

Authentication Login Password for Device Profile Activation

In the case of email activation with a deep link, the SuccessFactors Mobile Application invokes the default browser so that the user can log in to complete authentication.
Once authentication is completed, the browser returns to the SuccessFactors Mobile Application to finish device profile activation. This is a one-time-only login authentication.
• This is the same as the web access password.
• Authentication is one time only, for device profile activation.

Secured: by BizX or IdP. Never stored on device.

Rules: BizX or IdP password rules

Figure: Email Activation flow

Keywords

Mobile Password, KBA, LOD-SF-FWK-MOB, Mobile Framework, How To

Product

SAP SuccessFactors HCM Core 1511 ; SAP SuccessFactors HCM Core 1602 ; SAP SuccessFactors HCM Core 1605 ; SAP SuccessFactors HCM Core 1608 ; SAP SuccessFactors HCM Core 1611 ; SAP SuccessFactors HCM Core 1702 ; SAP SuccessFactors HCM Core 1705 ; SAP SuccessFactors HCM Core 1708 ; SuccessFactors HCM Core 1207 ; SuccessFactors HCM Core 1210 ; SuccessFactors HCM Core 1302 ; SuccessFactors HCM Core 1305 ; SuccessFactors HCM Core 1308 ; SuccessFactors HCM Core 1311 ; SuccessFactors HCM Core 1402 ; SuccessFactors HCM Core 1405 ; SuccessFactors HCM Core 1408 ; SuccessFactors HCM Core 1411 ; SuccessFactors HCM Core 1502 ; SuccessFactors HCM Core 1505 ; SuccessFactors HCM Core 1508