Authentication Policies

An authentication policy is a template containing pre-defined parameters enforced during authentication such as password lengths or constraints, OTP synchronization protocols, Push Notification Signature details...

When an authentication policy is assigned to a user it is then represented as an authentication record (that is, the user’s record of usage for that particular policy).

Channels are assigned to authentication policies which enable the enforcement parameters specified by the authentication policy to be applied to the respective channels.

Authentication policies are defined by codes in the ActivID Management Console. When authenticating a user, the calling system is required to specify an authentication code. This can be an explicit code, such as AT_CUSTOTP, or a dynamic authentication code such as DYNMC_AUTH.

ActivID Appliance supports the following authentication policies: 

  • What you know 

    • Password-based policies 

  • What you have 

    • Device-based policies: 

      • One-Time Password devices, virtual or physical 

      • Out of Band (code through SMS or Email)

      • Push-based validation with the HID Approve App 

    • PKI-based (digital certificate)

Combining authentication policies is the best way to achieve strong protection of resources. For example:

Code Description Type of factor Level of protection
AT_STDPWD Password (standard) What you know LOW

AT_STDPWD + AT_OOB

Password (standard) + Out of Band Email or SMS

What you know + what you have

STRONG

AT_STDPWD + AT_OTP

Password (standard) + One-Time Passwords, virtual or physical devices

What you know + what you have

OPTIMAL

AT_STDPWD + AT_PASA

Password (standard) + HID Approve Push notification

What you know + what you have

OPTIMAL

  • Depending on the type of Authentication policy, you can set up password constraints and validity parameters.

  • Device-based Authentication policies are assigned a set of applicable credential types. For example, an OTP device authentication policy can have a combination of Out of Band, OATH, or SKI credentials.

Authentication Policies and User Types

Authentication Policies are enabled for User Types and specify which authentication methods are available for the users of a respective user type.

For example:

  • A "Consumer Banking" User Type can have multiple policies enabled – OTP and security questions.
  • A "Business Banking" User Type can have OTP, and PKI-based authentication policies enabled.

In these examples, the respective Authentication Policies would be enabled for the User Type ensuring that users a part of that User Type can use those policies while users outside of that User Type may not.

Authentication Policies and Channels

You can think of an authentication policy as a purpose for which a credential is used as the policy enables you to configure a risk-appropriate profile for access to a particular channel (for example, the complexity of a password, or tolerance for failed authentications, etc.).

Examples of authentication policies that are defined within the default data set are:

  • System Login (for systems authenticating to the public API)
  • Operator Login (for operators logging on to the ActivID Management Console)
  • Customer OTP (for customers authenticating to a web site or other service channel)

A single user credential (for example, OTP) can be used for more than one purpose. For example, there can be multiple policies for OTP authentication with different parameters based on the risk-tolerance of the associated channel, and the user’s OTP token can be used with each policy and channel.

Setting up an authentication policy includes the definition of channel(s) over which that authentication policy will be valid. One or more channels can be permitted in an authentication policy and one or more authentication policies can be permitted per channel.

 

See also:

Configure Authentication Policies