Troubleshoot Push Authentication
FAQs
How long is an OTP valid?
The validity of OTP is defined by OTP key parameters of the credential type. Contact your system administrator for further details.
How long is a Push Transaction valid?
A Push transaction is valid as long as it exists in the transaction pending table on the server-side.
After timeout, the transaction will no longer be retrieved by the app or, if it has already been retrieved, the approval/decline operation will fail.
The timeout is defined in the Authentication Policy settings (by default, this is 3600 seconds). Contact your system administrator for further details.
What is the difference between a Push and a Pending Request?
- Push is a Notification (for transaction) that is pushed to the mobile from the delivery provider (Google, Apple or Windows).
- Pending Request is a transaction pulled by the mobile from the server when the user requests it or when the app starts/wakes up.
Can the user choose the device to which the Push is sent?
The ability of the user to select the device depends on the push-based integration.
- For RADIUS/VPN integrations, the notification is sent to the last used device (the active device that has the most recently used credential for the authentication policy in the request). The user cannot select the device.
- For ActivID Self-Service Portal integrations, the user can select the device.
- For applications integrating with the ActivID Appliance API, the application can specify the device or can let ActivID Appliance decide based on the last used device.
HID Approve Registration Issues
What to do if the registration fails with error 300?
Try one of the following:
- Ask the user to restart the registration process to generate a new QR code and scan it.
- Ask the user to manually enter the correct User ID and Invite Code.
- Go to the user's Details page and reset the challenge counter for the user.
What to do if the registration fails with error 0?
On the user's device:
- Make sure that the user's device is using a recent version of Google services (or update them).
- Ask the user to uninstall the application.
- Ask the user to re-install the HID Approve app.
- Make sure that the device has a sufficient internet connection (mandatory for the registration).
- Restart the app (this makes sure that the device’s PushID is set correctly).
On the server:
Authentication and Push Issues
What to do if OTP authentication fails?
- Check if the user's Push Authenticator is locked (represented by a red icon
): - Check if the device counter or clock is desynchronized:
- If the credential is event-based, ask the user to resynchronize the device using the ActivID Self-Service Portal.
- If the credential is time-based, ask the user to check the device's time settings.
If it is, reset the failure counter.
What to do if the Push notification is not received?
- Check Push configuration and server time (contact your system administrator).
- Check the network connectivity and if Notifications are enabled on the device.
- Check that the device system time is correct.
- On Android devices, you can also check the following settings:
- Disable "restrict background data" on the device and for HID Approve app and Google Play services.
- Deactivate Android’s Battery Saver mode or add HID Approve to exclusion list.
- Make sure that the Google services are a recent version on the user's device (or update them).
- Ask the user to retrieve the requests using the HID Approve Pending Requests option.
What to do if the Push authentication fails with error 300?
Check if the user's Push Authenticator is locked (represented by a red icon ).
If it is, reset the challenge counter.
What to do if pending does not retrieve an expected transaction?
Check if the user's Mobile application update authenticator is locked (represented by a red icon ).
If it is, reset the failure counter.
Error Codes
Internal Errors
| Code | HIDErrorCode | Error | Comment |
|---|---|---|---|
|
0 |
HIDInternal |
Unexpected error occurred |
Incorrect parameters in DT_TDSV4 Contact your system administrator. |
|
1 |
HIDNotImplemented |
Method is not implemented |
|
|
2 |
HIDUnsupportedOperation |
Operation is not supported by the object |
|
|
3 |
HIDInvalidArgument |
The given parameter is not valid or required |
Rejected by input validation controls |
|
4 |
KeyGenerationFailure |
Unable to generate internal credential |
SDK initialization failure at startup |
|
5 |
ProtectionPolicyFailure |
Unable to create or locate internal protection policy |
SDK initialization failure at startup |
|
6 |
SecureDataFailure |
Unable to create or locate internal credential data |
SDK initialization failure at startup |
| 7 | UnsupportedVersion | Container version is not supported and cannot be upgraded | |
| 8 | InvalidContainer | Container identifier is invalid or does not exist |
Credential Errors
| Code | HIDErrorCode | Error | Comment |
|---|---|---|---|
|
100 |
HIDAuthentication |
Authentication failure |
Incorrect password entered or locked password |
|
101 |
HIDInvalidPassword |
Password fails policy requirements |
Locked password |
|
102 |
HIDCredentialsExpired |
Credentials used to sign the transaction have expired |
Check Key validity period set in server key Credential Types |
|
103 |
HIDPasswordExpired |
Password has expired and requires a change of password |
Check "HISTMAXAGE“ policy in DT_TDSV4>Device type Adapter "Container keys protection policy" Contact your system administrator. |
|
104 |
HIDPasswordNotYetUpdatable |
Password cannot be changed yet |
Check "HISTMINAGE“ policy in DT_TDSV4>Device type Adapter "Container keys protection policy" Contact your system administrator. |
|
105 |
HIDPasswordRequired |
No password provided |
Invalid fingerprint |
|
106 |
HIDLostCredentials |
Provisioning key securing the transaction has been wiped |
|
|
107 |
HIDInvalidChallengeTooLong |
Challenge is too long with respect to the OTP generator configuration |
Application could not generate secure code as signature data does not respect length policy (as defined in the Credential Type OCRA suite) |
|
108 |
HIDInvalidChallengeBadFormat |
Challenge does not have the format expected by the OTP generator configuration |
Application could not generate secure code as the signature data does not have the correct format (as defined in the Credential Type OCRA suite) |
|
109 |
HIDPasswordCancelled |
The password event has been canceled by the user |
|
|
110 |
SerialNumberRequired |
Device serial number is required to upgrade from HID Approve 5.1 or lower (Android) |
Device Errors
| Code | HIDErrorCode | Error | Comment |
|---|---|---|---|
|
200 |
HIDUnsupportedDevice |
Device Configuration is not supported |
Rooted phone |
|
201 |
HIDUnsafeDevice |
Device is not safe enough to store sensitive secrets |
|
|
202 |
HIDFingerprintNotEnrolled |
Fingerprints have not been enrolled |
No user biometrics on phone |
|
203 |
HIDUserCancelled |
User has canceled the operation |
User canceled biometrics |
|
204 |
HIDFingerprintAuthenticationRequired |
Authentication with fingerprint is required to perform the operation |
|
|
205 |
HIDUnsupportedOperationMode |
Device configuration is not supported |
Non-FIPS device in a FIPS configuration |
|
206 |
GooglePlayServicesObsolete |
Google Play Services is not up to date (Android) |
|
|
207 |
BiometricAuthenticationNotEnabled |
Enabling biometric authentication is required to perform the operation |
Communication Errors
| Code | HIDErrorCode | Error | Comment |
|---|---|---|---|
|
300 |
HIDServerAuthentication |
Authentication failure |
|
|
301 |
HIDInternal |
Unexpected error occurred server protocol version is not supported by the client |
|
|
302 |
HIDServerProtocol |
Unexpected failure has occurred in the implementation layer |
Incorrect policy in DT_TDSV4 Container keys protection policy Contact your system administrator. |
|
303 |
HIDRemote |
Execution of a remote method call failed |
Possible SSL handshake failure - verify the proxy configuration Contact your system administrator. |
|
304 |
ServerUnsupportedOperation |
The server does not support the requested operation |
Service Key renewal is requested for server not supporting SKR (server responds with an HTTP error 400) |
|
305 |
HIDServerOperationFailed |
The server was not able to execute the requested operation |
Service Key renewal is requested for an unassigned device (server responds with an HTTP error 500) |
|
306 |
ServerCustomizationInvalid |
The server's mobile-app customization package is invalid or contains an invalid data |
Transaction Errors
| Code | HIDErrorCode | Error | Comment |
|---|---|---|---|
|
1000 |
HIDTransactionExpired |
Transaction has expired |
Transaction exceeded its validity and has been removed from the list of pending transactions. Check validity in AT_TDS (for action) or AT_PASA (for login) > Constraints > "Challenge timeout period (s)" Contact your system administrator. |
|
1001 |
HIDTransactionContainerInvalid |
Transaction id refers to a container that does not exist |
The service was deleted on the phone but not on the server |
Other Errors
| Code | HIDErrorCode | Error | Comment |
|---|---|---|---|
|
10000 |
UnexpectedError |
An unexpected error occurred |
System upgrade error on server. The user needs to renew the service on the upgraded server. |
|
10003 |
BadUrl |
URL is incorrect |
The user has entered an URL that contains unsupported characters during manual registration. The user needs to re-enter the correct URL to manually register a service. |
|
10007 |
CredentialExpired |
The credential has expired |
The user selected a service with an expired OTP credential or performed a push operation (Logon/Action) for a service with expired RSA keys credentials. The user needs to re-register the service to create a new credential. |
|
10008 |
(null) |
The Push ID is missing |
The user's device fails to retrieve a push ID from Apple, Google or Windows Azure server. Contact your system administrator. |
|
10009 |
(Windows 10) Incorrect_URI |
This service cannot be registered |
Server configuration error. Contact your system administrator. |
