Protection levels

1.19.1. Protection levels#

With LinOTP you can use different protection levels. This means you can assign different tokens to one person where this person has to use a hardware token to login to a secure environment (Application A) while the person can use his software token to login to a less secure environment (Application B).

This can be implemented by the use of different realms. You need to configure Application A that users from RealmA are allowed to login and Application B that users from RealmB are allowed to login.

Then define a UserIdResolver ResolverA pointing to this very user object. Also define a UserIdResolver ResolverB which will also point to the same user object. The ResolverB may be an exact copy of ResolverA just with the other name. Now put ResolverA into RealmA and ResolverB into RealmB.

Now you can use policy definitions to enroll hardware tokens in RealmA and software tokens in RealmB. Now the person has two tokens, but may only log on with the hardware token to the secure Application A and with the soft token to the less secure Application B.