Configure a Secure Code
Use a Time-based Secure Code
To allow resynchronization between the user’s device, ActivID Appliance and HID Approve, it is recommended to use time-based OATH credentials. Setting the correct time on the user’s device will ensure successful authentication.
By default, Secure Code, Challenge Response, and Signature credentials are time-based.
If your domain was created for ActivID Appliance v8.4 or earlier and these are not the default settings, update the configuration using the following procedure:
To use a Time-based Secure Code instead of an Event-based code:
- Log on to the ActivID Management Console as a Configuration Manager.
- Select the Configuration tab.
- Under Policies, expand Authentication and click Device Types.
- Select the Mobile push based Validation (DT_TDSV4) Device type.
- Select the Device Adapter tab.
- Edit the Container Profile field by replacing the existing KEY2 value (CT_TDSOE) with CT_TDSOT.
Similarly, to use challenge/response and signature (OCRA), you need to replace the values for KEY3 and KEY4 with the Time-based credential types, CT_TDSOATCR and CT_TDSOATSIGN, respectively.
Edit the Length of the Secure Code
To edit the length of the Secure Code that will be generated by the mobile device:
- Log on to the ActivID Management Console as a Configuration Manager.
- Select the Configuration tab.
- Under Policies, expand Authentication and click Credential Types.
- Select either the Mobile OATH event based Credential (CT_TDSOE) or Mobile OATH time based Credential (CT_TDSOT).
- Edit the OTP key parameters field by replacing the value for OTPLEN with the required value (for example, set OTPLEN=8 for a length of 8).
The process is slightly different for challenge/response and signature (OCRA):
- Log on to the ActivID Management Console as a Configuration Manager.
- Select the Configuration tab.
- Under Policies, expand Authentication and click Credential Types.
- Select the required credential type and edit the corresponding OCRASuite field by replacing the value of OCRA-1:HOTP-SHA1-8:C-Qxxx with the new value (for example, OCRA-1:HOTP-SHA1-6:C-Qxxx to set a length of 6).

| Credential Type | OCRASuite Field |
|---|---|
| Mobile OATH OCRA event based Credential C/R (CT_TDSOAECR) | OCRASuite with counter |
| Mobile OATH OCRA event based Credential SIGN (CT_TDSOAESIGN) | OCRASuite with counter (plain signature mode) |
| Mobile OATH OCRA time based Credential C/R (CT_TDSOATCR) | OCRASuite with timestamp |
| Mobile OATH OCRA time based Credential SIGN (CT_TDSOATSIGN) | OCRASuite with counter (plain signature mode) |

- Edit the OTP key parameters field by replacing the value of …OCRA-1:HOTP-SHA1-8:C-QN08 with the same value you set for the OCRASuite field above.
- Click Save.