Devices and Credentials
The ActivID Appliance supports a wide range of device-based authentication factors.
Whether it is a One-Time password (OTP) generated on a physical device, PKI (certificate-based) or any other device-based factor, the ActivID Appliance maps a Credential and a Device that are associated to an end user. The Device contains information (such as the serial number of the actual physical device), while the Credential contains the secret (such as transaction keys for HID Approve or synchronization seeds for OTP devices).
Examples of devices:
- HID Approve mobile application (Push-based authentication)
- ActivID OTP Device
Devices and Device Types
Each device is linked to a device type to categorize that device. Device types define device parameters leveraged during user authentication.
Two-factor authentication means that a user must authenticate using something the user knows and something the user has. The “something the user knows” can be a password or a PIN. The “something the user has” is usually a device, such as an OTP token or a smart card.
You can configure ActivID Appliance to manage multiple device types.
Each device type will have characteristics, such as:
- Authentication methods supported by that device
- If the device is PIN-protected
Devices are uniquely identified by the following attributes:
- Device type (mandatory)
- Serial number (mandatory)
- Start date
- End date
- Issue number
Devices contain credentials. Some devices are capable of generating only a single credential (like a password), or storing only a static credential. Others, such as smart cards, can contain many credentials (multiple PKI certificates and the ability to generate an OTP).
Devices carry a status. Successful authentication requires that the device being used to authenticate has an active status, a valid start date, and valid end date.
Initialization of Devices
The physical devices must be initialized with one or more credentials. Then, the credentials and the device information must be loaded into ActivID Appliance.
The process can happen in two different ways.
- Pre-initialized devices − devices, such as tokens, are initialized as a part of the manufacturing or centralized issuance process. A device file containing all the credentials is provided for importing into ActivID Appliance. ActivID Appliance supports a variety of different import formats, including SDS, PSKC (for OATH).
- Using the initialization tool − an initialization tool is provided with the ActivID Appliance distribution. It is a standalone tool to initialize our tokens. Then the resultant device file can be imported into ActivID Appliance.
Devices and Soft PINs
ActivID Appliance supports the use of soft PINs. These are used with devices such as the ActivID Mini Token and ActivKey Display Card, where the physical device is not PIN-protected.
The soft PIN must be pre-pended or appended to the OTP by the user, and the soft PIN is validated by the server as part of the authentication process. By default, Mini Tokens are pre-initialized with a default soft PIN (such as 1254). Once imported into ActivID Appliance, the soft PIN can be changed subject to the PIN policy that defines the maximum and minimum length.
The PIN policy also defines whether the PIN should be placed before the OTP, after the OTP, or either (meaning both are valid). Once the device has been imported, an end user can authenticate using the default PIN. An administrator cannot view the value of the PIN.
The user can change the PIN via the Device Details page in the ActivID Management Console.
Multiple Devices Assigned to the Same User
ActivID Appliance enables two or more devices to be assigned to the same user. Provided that all devices are valid (status, start dates etc.) and that the devices contain credentials of a type that are valid for use with the authentication policy, the ActivID Appliance will attempt to authenticate against multiple devices.
If the authentication is successful against any one of the devices, then the authentication request will be considered successful, and the statistics for the authentication record will be updated accordingly. If the authentication fails against both (or all) devices, then the authentication request will be considered “failed.” A common scenario where this is applicable is card rollover, when a replacement card is issued and there is a brief overlap period during which the user may authenticate with either card.
Device and Credential Status Management
ActivID Appliance manages the status of devices and also the status of individual credentials. Devices can be configured to reflect a deployment-specific status life cycle. The status of devices and the status of individual credentials can be updated − either through the public API or the ActivID Management Console.
Credentials and Credential Types
Each credential relates to a credential type to categorize that credential.
Credentials types define credential parameters leveraged during user authentication.
ActivID Appliance manages two credential types:
- Static credentials, such as passwords, PINs or security question responses.
These are managed as elements of an authentication record. Creating a login authentication record for a user is synonymous with setting up a password for that user. Operations such as “Change password” or “Set Security Questions responses” are functions of the authentication record itself.
- Device credentials, such as PKI certificates or OTP token keys, are managed as elements of a device.
The device is managed independently of the device authentication record. Devices can be added, updated, and deleted independently of authentication records. Likewise, Device authentication records can be added, updated, and deleted independently of the associated device(s). The authentication records are associated with the device based on the types of credential held on the device.
See also: