Configure Device Types

Each device Device is the generic term used for both hardware devices (such as an ActivID Mini Token or a smart card) and software devices acting as hardware emulators (such as Mobile and PC soft token applications). All of these devices enable users to authenticate to protected resources. in ActivID Appliance is linked to a device type which defines the device parameters leveraged during user authentication.

Device type parameters include authentication capabilities (supported methods and functions), settings at import, soft PIN and device adapter settings.

You configure device types using the ActivID Management Console.

Important: The device type configuration is complex and requires an advanced understanding of the parameter requirements. It is strongly recommended that you contact HID Global Professional Services before modifying or creating device types.

Default Device Types

OTP Device Types

Code	Name	Adapter
DT_DSPCD	ActivID Display Card OE	Token
DT_AD_OT	ActivID Display Card OT	Token
DT_SMTCARD	ActivID Java Cards	Token
DT_JCARD	Java Card OTP (No PIN Unlock)	Java card created by CMS
DT_AD_AT	ActivKey Display AI AT	Token
DT_BTT_OE	Blue Trust Token (OE)	Token
DT_BTT_OT	Blue Trust Token (OT)	Token
DT_NANO_OA	Crescendo Key OA	Token
DT_NANO_OE	Crescendo Key OE	Token
DT_NANO_OT	Crescendo Key OT	Token
DT_DESKTOP	Desktop Token	Token
DT_DKTO_OA	Desktop Token OA	Token
DT_DKTO_OE	Desktop Token OE	Token
DT_DKTO_OT	Desktop Token OT	Token
DT_FXT_AI	Flexi Token AI	Token
DT_FXT_OA	Flexi Token OA	Token
DT_FXT_OE	Flexi Token OE	Token
DT_FXT_OT	Flexi Token OT	Token
DT_KEY_AT	Keychain V2 AT	Token
DT_KEY_OA	Keychain V2 OA	Token
DT_KEY_OE	Keychain V2 OE	Token
DT_KEY_OT	Keychain V2 OT	Token
DT_MIN_AE	Mini Token (AE) - NO PIN	Token
DT_MIN_AEP	Mini Token (AE) + PIN	Token
DT_MIN_AT	Mini Token (AT) - NO PIN	Token
DT_MIN_ATP	Mini Token (AT) + PIN	Token
DT_MIN_OE	Mini Token (OE) - NO PIN	Token
DT_MIN_OEP	Mini Token (OE) + PIN	Token
DT_MIN_OT	Mini Token (OT) - NO PIN	Token
DT_MIN_OTP	Mini Token (OT) + PIN	Token
DT_POCK_AT	Pocket Token AT	Token
DT_POCK_OA	Pocket Token OA	Token
DT_POCK_OE	Pocket Token OE	Token
DT_POCK_OT	Pocket Token OT	Token
DT_TK1V2	Token One V2	Token
DT_T2_OA	Token One V2 OA	Token
DT_T2_OE	Token One V2 OE	Token
DT_T2_OT	Token One V2 OT	Token

ActivID CMS Device Types

Code	Name	Adapter
DT_CMS_OA	CMS OATH OCRA device	Token
DT_CMS_OE	CMS OATH OE device	Token
DT_CMS_OT	CMS OATH OT device	Token

EMV Card Device Types

Code	Name	Adapter
DT_EMVOCR	EMV Card - IAF=00	EMV Card
DT_EMVOSGN	EMV Card - IAF=80	EMV Card

FIDO Device Types

Code	Name	Adapter
DT_FIDO	FIDO device	Just One Credential Device

Push Device Types

Code	Name	Adapter
DT_TDSV4	Mobile push based Validation	TDS provisioning V4
DT_TDSOOB	Mobile Registration Virtual Device	Just One Credential Device

Soft Token Device Types

Code	Name	Adapter
DT_STP_OE	PC Soft Token OATH Event	Soft Token Device
DT_STP_OT	PC Soft Token OATH Time	Soft Token Device
DT_STM_OE	Mobile Smart Phone Soft Token OATH Event	Soft Token Device
DT_STM_OT	Mobile Smart Phone Soft Token OATH Time	Soft Token Device
DT_STW_OE	Web Soft Token OATH Event	Soft Token Device
DT_STW_OT	Web Soft Token OATH Time	Soft Token Device

PKI Device Types

Code	Name	Adapter
DT_SERVER	PKI Container on Server	Just One Credential Device
DT_JWT	PKI JWT Container on Server	Just One Credential Device
DT_SCPKI	SmartCard/PKI Device	Just One Credential Device

Other Device Types

Code	Name	Adapter
DT_PRFDEV	Profiled Computer	TM Device Adapter
DT_DVID_OE	Registered Computer OATH Event	Soft Token Device
DT_DVID_OT	Registered Computer OATH Time	Soft Token Device
DT_SEOS_AB	Seos(OE) - NO PIN	SEOS device
DT_TXOOB	SMS Transaction OOB	Just One Credential Device
DT_OOB	OOB Virtual Device	Just One Credential Device

Create a Device Type

Note: It is recommended that you create a new device type based on a default type with the required adapter. Contact HID Global Professional Services for further information.

Prerequisites: To create a new device type, you must be assigned the Create device type permission.

Log on to the ActivID Management Console as a Configuration Manager.
Select the Configuration tab and, under Policies, select Authentication and then Device Types.

All existing device types are listed in a paged table. The total number of device types is given in the lower left corner.

Each row corresponds to a device type. It provides the following information in the different columns:

Code – the unique code identifying the device type
Name – the name of the device type
Device Adapter – the device adapter associated with the device type

Launch the Device Type Credential Wizard

Click Add.

Enter the main information for the Device type:

Name – should be unique for ease of administration.
Code – a value is automatically generated but it can be changed. The code must be unique, a minimum of three characters, and a maximum of 10 characters. It cannot be changed once the device type is created.
Description – (optional) content is free-format.

Proceed to Define the Capabilities.

Define the Capabilities

Enter the required values for the device type Capabilities:

Field	Description
Supported Authentication Methods	Determines the options displayed in the View Device page. Select from the drop-down list: Synchronous (One-Time Password) – devices of this type support synchronous authentication. Asynchronous (Challenge Response) – devices of this type support asynchronous authentication. Both – devices of this type support synchronous and asynchronous authentication.
Challenge length	Applies to devices that support asynchronous authentication. Defines the length of the challenge provided to a user to generate an OTP on the device (in the challenge/response mode). This parameter is used to validate the submitted challenge. Note: The Challenge can be used on device to generate OTP only if it belongs to the range defined in the device .sdb Challenge Min/Challenge Max parameters.
Synchronous authentication code length	Maximum valid length of a synchronous OTP. This parameter is used to validate the submitted OTP.
Asynchronous authentication code length	Maximum valid length of an asynchronous OTP, generated in response to a challenge. This parameter is used to validate the submitted OTP.
Device Unlock	A device might be locked if the user enters the PIN incorrectly a specified number of times. This parameter determines whether the unlock option appears in the View Device page for devices of this type. Select from the drop-down list: Yes – devices of this type can be unlocked by a server-generated response to a device-issued challenge. No – devices of this type cannot be unlocked. Note: The specified number of times is set on the device.
Unlock Challenge Length	Length of the challenge provided to a user to unlock the device, when the user has locked it by incorrect entry of their PIN a specified number of times. This parameter is used to validate the submitted unlock challenge. The specified number of times is set on the device.
Synchronization Mode	Determines whether the resync option appears in the View Device page. Select from the drop-down list: Only Automatic – devices of this type can be automatically resynchronized with host systems. Only Manual – devices of this type can be resynchronized manually with host systems. Support All – devices of this type can be resynchronized automatically and/or manually with host systems. Note: For asynchronous authentication methods, only Counter synchronization modes might be available depending on the asynchronous method variant (OCRA Suite).
Base Synchronization Mode	Determines fields displayed in the View Device page. For devices that support synchronous authentication, this parameter defines the variables that are stored locally on the device and therefore might require resynchronization with the server. Select from the drop-down list: Counter – Devices of this type can be resynchronized with host systems using one (manually) or a range (automatically) of counter values. Clock – Devices of this type can be resynchronized with host systems using one (manually) or a range (automatically) of clock values. Both – Devices of this type can be resynchronized with host systems using one (manually) or a range (automatically) of counter and clock values. Note: For asynchronous authentication methods, only the manual synchronization mode might be available depending on the asynchronous method variant (OCRA Suite). In the case of Devices with Soft PIN, if you need to allow Automatic Resynchronization without using the Soft PIN, edit the ActivID Authentication Server settings using the ActivID Console: ALLOW_AUTO_SYNC_WITHOUT_SOFT_PIN=TRUE This setting allows you to resync the device by entering the OTP generated by the device only (as opposed to entering the device soft pin value before or after the OTP).
Counter Range	Maximum number of increments by which the host system will increment the counter it is holding for an individual device of this type to resynchronize with that device when attempting an automatic resynchronization. The auto resync process will try to increment rather than decrement the counter value.
Time Offset Start (seconds)	Lower limit of the time window for which the host system will test its internal system clock values against the OTP received from a device of this type to try to resynchronize with that device. Applicable only to device types supporting synchronous authentication and automatic resynchronization. The default is -3600 seconds. This sets the start of the time period as 3600 seconds before the actual internal system clock time.
Time Offset End (seconds)	Upper limit of the time window for which the host system will test its internal system clock values against the OTP received from a device of this type to try to resynchronize with that device. Applicable only to device types supporting synchronous authentication and automatic resynchronization. The default is 3600 seconds. This sets the end of the time period as 3600 seconds after the actual internal system clock time.
Transaction signing	Defines if a device can be used to digitally sign transactions. Select from the drop-down list: Yes – devices of this type can be used for transaction signing. No – devices of this type cannot be used for transaction signing.

Click Next and Define the Import Settings.

Note: The Next button is only available if the validation constraints for all the parameters in the current tab are met.

Define the Import Settings

Enter the required values for the device type Import settings:

Field	Description
Manufacturer	Free format, optional.
Default PIN	When you import a device, it will use whatever you specify here as the Default PIN. This usually applies for ActivID Mini Tokens (AE, AT, and OE). Important: To import ActivID AAA Server devices with a soft PIN defined, leave this field blank.
Default Credential Type	When importing a device through the device import framework, this attribute sets what is the default credential type to create for the device, if none is specified in the import process. Specify the credential type code (for example, CT_AIOE).
Device type code from Auth SDK	When you import a device, this attribute implements the external representation of the device type code. A device type code is the unique identifier for a device type as defined in the ActivID Authentication SDK framework.

Click Next and Define the Soft PIN Settings.

Define the Soft PIN Settings

Enter the required values for the Soft PIN settings:

Field	Description
Use soft PIN	Defines if a device can use a server soft PIN (a PIN that is managed and verified by ActivID Appliance, not by the device itself). Select from the drop-down list: Yes – devices of this type can use a soft PIN. No – devices of this type cannot use a soft PIN (required for soft tokens)
Soft PIN Minimum length	Defines the minimum length of characters for the server soft PIN. Set the value according to the soft PIN policy of the device. Important: To import ActivID AAA Server devices with a soft PIN defined, you must set this value according to the AAA device policy.
Soft PIN Maximum length	Defines the maximum length of characters for the server soft PIN. Set the value according to the soft PIN policy of the device. Important: To import ActivID AAA Server devices with a soft PIN defined, you must set this value according to the AAA device policy.
Soft PIN position	Defines how the user should enter the server soft PIN during authentication. Options are: Before (the user enters the soft PIN before entering the OTP generated by the Token). After (the user enters the soft PIN after entering the OTP generated by the Token). Before or After (the user can enter the soft PIN either before or after entering the OTP generated by the Token). Important: If you want to import ActivID AAA Server devices that already have a server soft PIN defined, you must select the Either option.

Click Next and Define the Device Adapter Settings.

Define the Device Adapter Settings

Select the required Device Adapter:
- TM Device Adapter
- Token
- Just One Credential Device
- EMV card
- TDS provisioning
- TDS provisioning V4
- Soft Token Device
- SEOS Device
- SEOS OTP provisioning
- Java card created by CMS
Note:
- To configure a push-based Device Adapters, see Configure the Push-Based Validation Device Type

Enter the required values for the Device Adapter settings:

Field	Description
Number of credentials allowed on device [number, many]	Determines the number of credentials allowed in the device. Specifies the maximum number of credentials allowed. ‘many’ implies the device can have 100 credentials.
Allowed credential types, comma separated list of codes [any]	Specifies a comma-separated list of codes of the credential types allowed for the device type. ‘any’ - all credential types are allowed. Comma-separated list of codes
Auto resynch credential to use [credential type code/ index / no=do not allow]	Determines the credential to perform the Auto-resync operation. Specifies the credential type code (for example, CT_AIOE). Specifies the index of the credential. Only the credential on that index will be auto re-synchronized. ‘no’ implies auto-resync is not allowed for this device.
Manual resynch credential to use [credential type code/ index / no=do not allow]	Determines the credential to perform the Manual-resync operation. Specifies the credential type code (for example, CT_AIOE). Specifies the index of the credential. Only the credential on that index will be manually re-synchronized. ‘no’ implies manual-resynchronization is not allowed for this device.
Unlock credential to use [credential type code/ index / no=do not allow]	Determines the credential to perform the unlock credential operation. Specifies the credential type code (for example, CT_AIOE). Specifies the index of the credential. Only the credential on that index will be unlocked. ‘no’ implies unlocking is not allowed for this device.
PIN credential to use [credential type code/ index / no=do not allow]	Determines the credential to perform the PIN credential operation. Specifies the credential type code (for example, CT_AIOE). Specifies the index of the credential. ‘no’ implies PIN is not allowed for this device.
Verify credential to use [credential type code/ index / no=do not allow]	Determines the credential to perform the Verify credential operation. Specifies the credential type code (for example, CT_AIOE). Specifies the index of the credential. Only the credential on that index will be verified. ‘no’ implies Verify credential is not allowed for this device.
Soft PIN credential to use [credential type code/ index / no=do not allow]	Determines the credential to change the Soft PIN. Specifies the credential type code (for example, CT_AIOE). Specifies the index of the credential. ‘no’ implies Soft PIN of this device type cannot be changed.
Soft PIN device minimum length	Defines the minimum length of characters for the soft PIN. Set the value according to the soft PIN policy of the device. It applies to ActivID Mini Tokens (for example, AE, AT, and OE).
Soft PIN device maximum length	Defines the maximum length of characters for the soft PIN. Set the value according to the soft PIN policy of the device. It applies to ActivID Mini Tokens (for example, AE, AT, and OE).
Soft PIN device position	When the user is authenticating with a Mini Token, he has to enter the PIN that has been assigned to this token before or after the OTP generated by the token. The options are: Either Before After
Maximum Number of Devices per User [integer]	The maximum number of this type of device that can be assigned to a user. The default value is -1 (unlimited). The limit is only verified when the user attempts to activate a new device of this type and an error message is displayed if they have already reached the maximum. If you set a maximum, it will not affect users who already have more devices than the limit (that is, it will not block authentication nor delete or modify existing devices). However, these users will only be able to activate a new device if they discard existing devices to meet the new limit. For example, if you set the limit to 2 devices, a user with 3 existing devices will need to discard 2 to activate a new device.

Click Save:

Note: The Save button is only available if the validation constraints for the parameters in the main section and in all tabs are met.

Edit a Device Type

Note: It is recommended that you contact HID Global Professional Services before modifying the device type settings.

Prerequisites: To edit a device type, you must be assigned the Update device type permission.

Log on to the ActivID Management Console as a Configuration Manager.
Select the Configuration tab and, under Policies, select Authentication and then Device Types.
Click the Code of the Device type that you want to edit.

Edit the device type settings as required in each tab.

All the tabs are accessible and all settings can be modified except the:
- Code
- Device Adapter
Click Save to apply your changes.
If you want to cancel the operation, click Back to List.

Delete a Device Type

Prerequisites:

To delete a device type, you must be assigned the Delete device type permission.
Make sure the device type is not linked to a device is use.

Log on to the ActivID Management Console as a Configuration Manager.
Select the Configuration tab and, under Policies, select Authentication and then Device Types.

To delete one or more device types, select the check boxes to the left of the names and click Delete.

Click Yes to delete the types, or No to cancel the operation.