Two-factor authentication (2FA) generally relies on user knowledge of a secret (a password or PIN value) together with user possession of a device (a security token or mobile phone).

Echidna provides the flexibility to support the different combinations that may be required in various situations.

If the security token itself is PIN protected, there is usually no need for additional user passwords or PINs.
If the security token or OTP messaging channel is not PIN protected, the password from the user store can be used to provide the ‘knowledge’ factor. Echidna supports validation of Active Directory (AD) or LDAP passwords via LDAP binding, and stored encrypted or hashed passwords for database backed user stores.
The second factor would be the one time password generated by the security token or sent via the messaging channel.

The Echidna supported mechanisms can be combined in a flexible manner to support a diverse user base with multiple mechanisms, and even support individual users with multiple available mechanisms.