Configure Device Types

Each device in ActivID Appliance is linked to a device type, which defines the device parameters leveraged during user authentication.

Device is the generic term used for both hardware devices (such as an ActivID Mini Token or a smart card) and software devices acting as hardware emulators (such as Mobile and PC soft token applications). All of these devices enable users to authenticate to protected resources.

Device type parameters include authentication capabilities (supported methods and functions), settings at import, soft PIN and device adapter settings.

You configure device types using the ActivID Management Console.

Important: The device type configuration is complex and requires an advanced understanding of the parameter requirements. It is strongly recommended that you contact HID Global Professional Services before modifying or creating device types.

Create a Device Type

Note: It is recommended that you create a new device type based on a default type with the required adapter. Contact HID Global Professional Services for further information.
Prerequisites: To create a new device type, you must be assigned the Create device type permission.
  1. Log on to the ActivID Management Console as a Configuration Manager.

  2. Select the Configuration tab and, under Policies, select Authentication and then Device Types.
  3. All existing device types are listed in a paged table. The total number of device types is given in the lower left corner.

    Each row corresponds to a device type. It provides the following information in the different columns:

    • Code – the unique code identifying the device type
    • Name – the name of the device type
    • Device Adapter – the device adapter associated with the device type

Launch the Device Type Credential Wizard

  1. Click Add.

  2. Enter the main information for the Device type:
    • Name – should be unique for ease of administration.
    • Code – a value is automatically generated but it can be changed. The code must be unique, a minimum of three characters, and a maximum of 10 characters. It cannot be changed once the device type is created.
    • Description – (optional) content is free-format.
  3. Proceed to Define the Capabilities.

Define the Capabilities

  1. Enter the required values for the device type Capabilities:
    Field – Description

    Supported Authentication Methods

    Determines the options displayed in the View Device page. Select from the drop-down list:

    • Synchronous (One-Time Password) – devices of this type support synchronous authentication.
    • Asynchronous (Challenge Response) – devices of this type support asynchronous authentication.
    • Both – devices of this type support synchronous and asynchronous authentication.

    Challenge length

    Applies to devices that support asynchronous authentication.

    Defines the length of the challenge provided to a user to generate an OTP on the device (in the challenge/response mode). This parameter is used to validate the submitted challenge.

    Note: A challenge can be used on the device to generate an OTP only if it falls within the range defined by the Challenge Min/Challenge Max parameters of the device .sdb file.

    Synchronous authentication code length

    Maximum valid length of a synchronous OTP. This parameter is used to validate the submitted OTP.

    Asynchronous authentication code length

    Maximum valid length of an asynchronous OTP, generated in response to a challenge. This parameter is used to validate the submitted OTP.

    Device Unlock

    A device might be locked if the user enters the PIN incorrectly a specified number of times. This parameter determines whether the unlock option appears in the View Device page for devices of this type.

    Select from the drop-down list:

    • Yes – devices of this type can be unlocked by a server-generated response to a device-issued challenge.
    • No – devices of this type cannot be unlocked.
    Note: The specified number of times is set on the device.

    Unlock Challenge Length

    Length of the challenge provided to a user to unlock the device, when the user has locked it by incorrect entry of their PIN a specified number of times. This parameter is used to validate the submitted unlock challenge.

    The specified number of times is set on the device.

    Synchronization Mode

    Determines whether the resync option appears in the View Device page. Select from the drop-down list:

    • Only Automatic – devices of this type can be automatically resynchronized with host systems.
    • Only Manual – devices of this type can be resynchronized manually with host systems.
    • Support All – devices of this type can be resynchronized automatically and/or manually with host systems.
    Note: For asynchronous authentication methods, only Counter synchronization modes might be available depending on the asynchronous method variant (OCRA Suite).

    Base Synchronization Mode

    Determines fields displayed in the View Device page. For devices that support synchronous authentication, this parameter defines the variables that are stored locally on the device and therefore might require resynchronization with the server. Select from the drop-down list:

    • Counter – Devices of this type can be resynchronized with host systems using one (manually) or a range (automatically) of counter values.
    • Clock – Devices of this type can be resynchronized with host systems using one (manually) or a range (automatically) of clock values.
    • Both – Devices of this type can be resynchronized with host systems using one (manually) or a range (automatically) of counter and clock values.
    Note:
    • For asynchronous authentication methods, only the manual synchronization mode might be available depending on the asynchronous method variant (OCRA Suite).
    • In the case of devices with a Soft PIN, if you need to allow automatic resynchronization without using the Soft PIN, edit the ActivID Authentication Server settings using the ActivID Console and set:
      ALLOW_AUTO_SYNC_WITHOUT_SOFT_PIN=TRUE

      This setting allows you to resync the device by entering only the OTP generated by the device (as opposed to entering the device soft PIN value before or after the OTP).

    Counter Range

    Maximum number of increments by which the host system will increment the counter it is holding for an individual device of this type to resynchronize with that device when attempting an automatic resynchronization.

    The auto resync process will try to increment rather than decrement the counter value.

    Time Offset Start (seconds)

    Lower limit of the time window for which the host system will test its internal system clock values against the OTP received from a device of this type to try to resynchronize with that device.

    Applicable only to device types supporting synchronous authentication and automatic resynchronization.

    The default is -3600 seconds. This sets the start of the time period as 3600 seconds before the actual internal system clock time.

    Time Offset End (seconds)

    Upper limit of the time window for which the host system will test its internal system clock values against the OTP received from a device of this type to try to resynchronize with that device.

    Applicable only to device types supporting synchronous authentication and automatic resynchronization.

    The default is 3600 seconds. This sets the end of the time period as 3600 seconds after the actual internal system clock time.

    Transaction signing

    Defines if a device can be used to digitally sign transactions.

    Select from the drop-down list:

    • Yes – devices of this type can be used for transaction signing.
    • No – devices of this type cannot be used for transaction signing.
  2. Click Next and Define the Import Settings.
Note: The Next button is only available if the validation constraints for all the parameters in the current tab are met.

Define the Import Settings

  1. Enter the required values for the device type Import settings:
    Field – Description

    Manufacturer

    Free format, optional.

    Default PIN

    When you import a device, it will use whatever you specify here as the Default PIN. This usually applies for ActivID Mini Tokens (AE, AT, and OE).

    Important: To import ActivID AAA Server devices with a soft PIN defined, leave this field blank.

    Default Credential Type

    When importing a device through the device import framework, this attribute sets the default credential type to create for the device if none is specified in the import process.

    Specify the credential type code (for example, CT_AIOE).

    Device type code from Auth SDK

    When you import a device, this attribute holds the external representation of the device type code.

    A device type code is the unique identifier for a device type as defined in the ActivID Authentication SDK framework.

  2. Click Next and Define the Soft PIN Settings.

Define the Soft PIN Settings

  1. Enter the required values for the Soft PIN settings:
    Field – Description

    Use soft PIN

    Defines if a device can use a server soft PIN (a PIN that is managed and verified by ActivID Appliance, not by the device itself).

    Select from the drop-down list:

    • Yes – devices of this type can use a soft PIN.
    • No – devices of this type cannot use a soft PIN (required for soft tokens).

    Soft PIN Minimum length

    Defines the minimum length of characters for the server soft PIN. Set the value according to the soft PIN policy of the device.

    Important: To import ActivID AAA Server devices with a soft PIN defined, you must set this value according to the AAA device policy.

    Soft PIN Maximum length

    Defines the maximum length of characters for the server soft PIN. Set the value according to the soft PIN policy of the device.

    Important: To import ActivID AAA Server devices with a soft PIN defined, you must set this value according to the AAA device policy.

    Soft PIN position

    Defines how the user should enter the server soft PIN during authentication.

    Options are:

    • Before (the user enters the soft PIN before entering the OTP generated by the Token).
    • After (the user enters the soft PIN after entering the OTP generated by the Token).
    • Before or After (the user can enter the soft PIN either before or after entering the OTP generated by the Token).
    Important: If you want to import ActivID AAA Server devices that already have a server soft PIN defined, you must select the Either option.
  2. Click Next and Define the Device Adapter Settings.
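The soft PIN settings above define how the server takes apart the single string a user types (soft PIN plus OTP) before it can verify either part. The following is an added example, not ActivID Appliance code: it applies the Soft PIN position (Before, After, Before or After) and the minimum/maximum length to split the submitted string, verifies the soft PIN on the server side, hands the OTP part to a device check, and honours the ALLOW_AUTO_SYNC_WITHOUT_SOFT_PIN setting for resync requests. The salted PBKDF2 storage of the soft PIN, the DEMO_POLICY values and the stand-in otp_is_valid callback are assumptions of this example, not documented product behaviour.

```python
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

# Constructed soft PIN policy for the example: a 6-digit synchronous OTP,
# Soft PIN Minimum length 4, Soft PIN Maximum length 8, soft PIN typed Before the OTP.
DEMO_POLICY = {"position": "Before", "otp_length": 6, "pin_min": 4, "pin_max": 8}


def enroll_soft_pin(pin: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store the server-managed soft PIN as a salted PBKDF2-HMAC-SHA256 hash.
    (Storage format is an assumption of this example, not of ActivID Appliance.)"""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


def check_soft_pin(pin: str, record: Tuple[bytes, bytes]) -> bool:
    """Constant-time comparison of a submitted soft PIN against the stored record."""
    salt, expected = record
    return hmac.compare_digest(enroll_soft_pin(pin, salt)[1], expected)


def split_passcode(submitted: str, position: str, otp_length: int,
                   pin_min: int, pin_max: int) -> List[Tuple[str, str]]:
    """Split the typed string into (soft PIN, OTP) candidates.
    'Before' takes the OTP from the end, 'After' takes it from the start, and
    'Before or After' yields both readings. Candidates whose PIN part violates
    the configured length range are dropped."""
    candidates = []
    if len(submitted) <= otp_length:
        return candidates  # no room for a soft PIN at all
    if position in ("Before", "Before or After"):
        candidates.append((submitted[:-otp_length], submitted[-otp_length:]))
    if position in ("After", "Before or After"):
        candidates.append((submitted[otp_length:], submitted[:otp_length]))
    return [(pin, otp) for pin, otp in candidates if pin_min <= len(pin) <= pin_max]


def authenticate(submitted: str, policy: dict, pin_record: Tuple[bytes, bytes],
                 otp_is_valid: Callable[[str], bool], resync: bool = False,
                 allow_auto_sync_without_soft_pin: bool = False) -> bool:
    """Verify the soft PIN on the server and the OTP through the device credential
    (otp_is_valid stands in for that device check). With
    ALLOW_AUTO_SYNC_WITHOUT_SOFT_PIN=TRUE a resync request may carry the bare OTP."""
    if resync and allow_auto_sync_without_soft_pin and len(submitted) == policy["otp_length"]:
        return otp_is_valid(submitted)
    for pin, otp in split_passcode(submitted, policy["position"], policy["otp_length"],
                                   policy["pin_min"], policy["pin_max"]):
        # Both factors are evaluated for every candidate so that the response time
        # does not reveal which one failed.
        pin_ok = check_soft_pin(pin, pin_record)
        otp_ok = otp_is_valid(otp)
        if pin_ok and otp_ok:
            return True
    return False


if __name__ == "__main__":
    record = enroll_soft_pin("4821")                    # constructed enrolment
    device_check = lambda otp: otp == "123456"          # constructed device OTP check
    print(authenticate("4821123456", DEMO_POLICY, record, device_check))   # True
    print(authenticate("1234564821", DEMO_POLICY, record, device_check))   # False: PIN is After
```

Note the consequence of choosing Before or After: with a variable-length soft PIN both readings are tried, so a 10-character input produces two candidate splits and both are checked against the stored PIN and the device.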

Define the Device Adapter Settings

  1. Select the required Device Adapter:
    • TM Device Adapter
    • Token
    • Just One Credential Device
    • EMV card
    • TDS provisioning
    • TDS provisioning V4
    • Soft Token Device
    • HID Approve Offline Soft Token
    • SEOS Device
    • SEOS OTP provisioning
    • Java card created by CMS
  2. Enter the required values for the Device Adapter settings:
    Field – Description

    Number of credentials allowed on device [number, many]

    Determines the number of credentials allowed in the device.

    • Specifies the maximum number of credentials allowed.
    • ‘many’ implies the device can have 100 credentials.

    Allowed credential types, comma separated list of codes [any]

    Specifies a comma-separated list of codes of the credential types allowed for the device type.

    • ‘any’ - all credential types are allowed.
    • Comma-separated list of codes

    Auto resynch credential to use [credential type code/ index / no=do not allow]

    Determines the credential to perform the Auto-resync operation.

    • Specifies the credential type code (for example, CT_AIOE).
    • Specifies the index of the credential. Only the credential on that index will be auto re-synchronized.
    • ‘no’ implies auto-resync is not allowed for this device.

    Manual resynch credential to use [credential type code/ index / no=do not allow]

    Determines the credential to perform the Manual-resync operation.

    • Specifies the credential type code (for example, CT_AIOE).
    • Specifies the index of the credential. Only the credential on that index will be manually re-synchronized.
    • ‘no’ implies manual-resynchronization is not allowed for this device.

    Unlock credential to use [credential type code/ index / no=do not allow]

    Determines the credential to perform the unlock credential operation.

    • Specifies the credential type code (for example, CT_AIOE).
    • Specifies the index of the credential. Only the credential on that index will be unlocked.
    • ‘no’ implies unlocking is not allowed for this device.

    PIN credential to use [credential type code/ index / no=do not allow]

    Determines the credential to perform the PIN credential operation.

    • Specifies the credential type code (for example, CT_AIOE).
    • Specifies the index of the credential.
    • ‘no’ implies PIN is not allowed for this device.

    Verify credential to use [credential type code/ index / no=do not allow]

    Determines the credential to perform the Verify credential operation.

    • Specifies the credential type code (for example, CT_AIOE).
    • Specifies the index of the credential. Only the credential on that index will be verified.
    • ‘no’ implies Verify credential is not allowed for this device.

    Soft PIN credential to use [credential type code/ index / no=do not allow]

    Determines the credential to change the Soft PIN.

    • Specifies the credential type code (for example, CT_AIOE).
    • Specifies the index of the credential.
    • ‘no’ implies Soft PIN of this device type cannot be changed.

    Soft PIN device minimum length

    Defines the minimum length of characters for the soft PIN.

    Set the value according to the soft PIN policy of the device. It applies to ActivID Mini Tokens (for example, AE, AT, and OE).

    Soft PIN device maximum length

    Defines the maximum length of characters for the soft PIN.

    Set the value according to the soft PIN policy of the device. It applies to ActivID Mini Tokens (for example, AE, AT, and OE).

    Soft PIN device position

    When the user is authenticating with a Mini Token, they must enter the PIN assigned to this token before or after the OTP generated by the token. The options are:

    • Either
    • Before
    • After

    Maximum Number of Devices per User [integer]

    The maximum number of this type of device that can be assigned to a user.

    The default value is -1 (unlimited).

    The limit is only verified when the user attempts to activate a new device of this type and an error message is displayed if they have already reached the maximum.

    If you set a maximum, it will not affect users who already have more devices than the limit (that is, it will not block authentication nor delete or modify existing devices). However, these users will only be able to activate a new device if they discard existing devices to meet the new limit. For example, if you set the limit to 2 devices, a user with 3 existing devices will need to discard 2 to activate a new device.

  3. Click Save:
Note: The Save button is only available if the validation constraints for the parameters in the main section and in all tabs are met.

Edit a Device Type

Note: It is recommended that you contact HID Global Professional Services before modifying the device type settings.
Prerequisites: To edit a device type, you must be assigned the Update device type permission.
  1. Log on to the ActivID Management Console as a Configuration Manager.

  2. Select the Configuration tab and, under Policies, select Authentication and then Device Types.
  3. Click the Code of the Device type that you want to edit.

  4. Edit the device type settings as required in each tab.

    All the tabs are accessible and all settings can be modified except the:

    • Code
    • Device Adapter
  5. Click Save to apply your changes.

    If you want to cancel the operation, click Back to List.

Delete a Device Type

Prerequisites:
  • To delete a device type, you must be assigned the Delete device type permission.
  • Make sure the device type is not linked to a device in use.
  1. Log on to the ActivID Management Console as a Configuration Manager.

  2. Select the Configuration tab and, under Policies, select Authentication and then Device Types.
  3. To delete one or more device types, select the check boxes to the left of the names and click Delete.

  4. Click Yes to delete the types, or No to cancel the operation.

Managing Soft Token Device Types

Configure HID Approve Offline Soft Tokens

HID Approve offline soft tokens are mobile applications that can be used for OTP authentication but do not support push-based authentication.

Important: To enable offline activation in the ActivID Self-Service Portal, you must configure the Device Type and the Authentication Policy to be used for activation for the Administration Group (see Configure the Token Activation Settings per Admin Group).

For further information about offline activation, see Customize the HID Approve Activation Mode.

  1. Create a new device type (or edit an existing one).
  2. In the Device Adapter tab, define the parameters as required:
    Parameter – Description

    Maximum Number of Devices per User [integer]

    The maximum number of this type of device that can be assigned to a user.

    The default value is -1 (unlimited).

    The limit is only verified when the user attempts to activate a new device of this type and an error message is displayed if they have already reached the maximum.

    If you set a maximum, it will not affect users who already have more devices than the limit (that is, it will not block authentication nor delete or modify existing devices). However, these users will only be able to activate a new device if they discard existing devices to meet the new limit. For example, if you set the limit to 2 devices, a user with 3 existing devices will need to discard 2 to activate a new device.

    OTP type (HOTP or TOTP)

    Type of algorithm for the OTP

    Possible values:

    • HOTP - Event-based Token OATH HOTP
    • TOTP - Time-based Token OATH TOTP (default)

    Issuer

    Name of the offline soft token issuer

    Hashing algorithm

    The hashing algorithm to be used

    Possible values:

    • SHA1 (default)
    • SHA256
    • SHA512

    OTP length

    The number of digits in the generated OTP

    Possible values are 4 to 8 digits.

    The default value is 6 (six-digit OTP).

    Timestep in seconds used for TOTP

    The timestep for the TOTP algorithm (not required for HOTP)

    Possible values:

    • 30 - 30 second timestep
    • 60 - 60 second timestep

    Container protection policy (PIN or NOPIN)

    Policy to protect the credential container on the device

    Possible values:

    • PIN - container is protected by a digit-only 'password' (PIN) (default)
    • NOPIN - container is protected by the device policy

    Container policy protection lock type (delay, nolock, lock)

    Locking behavior of the policy protecting the keys container

    Possible values:

    • delay – an exponential delay is inserted between each failed authentication attempt (default)

      This means the user must wait a short period before they can try again.

      This waiting time increases for each failed attempt until the Maximum number of wrong attempts is reached.

    • nolock – PIN never locks
    • lock – PIN locks when the Maximum number of wrong attempts is reached

    Number of times the waiting time is multiplied after wrong attempts

    When Container policy protection lock type is set to delay, this parameter defines the number of times the waiting time is multiplied after an incorrect authentication attempt.

    The default value is two times.

    This waiting time is calculated by doubling the initial delay (two seconds) for each failed attempt.

    wait = <Number of times the waiting time is multiplied> x 2^(attempts - 1)

    By default, after the fourth failed attempt, the delay will be 16 seconds (that is, 2 x 2^3).

    If you increase the value of this parameter to 4, this delay will be 32 seconds (that is, 4 x 2^3).

    Maximum number of wrong attempts

    When Container policy protection lock type is set to delay or lock, defines the maximum number of incorrect authentication attempts allowed before the credential locks.

    The default value is 6 attempts.

    The counter is reset to 0 on the next successful authentication.
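Two parts of this page describe the same OATH mechanics from different sides: the HID Approve parameters above (HOTP or TOTP, hashing algorithm SHA1/SHA256/SHA512, OTP length 4 to 8 digits, timestep 30 or 60 seconds) define how a soft token computes an OTP, and the Counter Range and Time Offset Start/End parameters under Define the Capabilities define how far the server searches when it auto-resynchronizes with a drifted device. The following is an added example, not HID code: RFC 4226 HOTP and RFC 6238 TOTP parameterised as the device type exposes them, plus a forward-only counter search and a bounded time window that model the two resync parameters as the page describes them. The seeds are the RFC test-vector secrets (constructed, not real token seeds), and the exact search order ActivID Appliance uses internally is an assumption.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Hashing algorithm options listed for the HID Approve offline soft token device type.
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed demo seeds: the RFC 4226 / RFC 6238 test-vector secrets, not real token seeds.
DEMO_SEED_SHA1 = b"12345678901234567890"
DEMO_SEED_SHA256 = b"12345678901234567890123456789012"


def hotp(seed: bytes, counter: int, digits: int = 6, hash_name: str = "SHA1") -> str:
    """OATH HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic
    truncation, then reduce modulo 10^digits. 'digits' is the OTP length (4 to 8)."""
    if not 4 <= digits <= 8:
        raise ValueError("OTP length must be 4 to 8 digits")
    if counter < 0:
        raise ValueError("OATH counters are unsigned")
    mac = hmac.new(seed, struct.pack(">Q", counter), HASHES[hash_name]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, timestep: int = 30, digits: int = 6,
         hash_name: str = "SHA1") -> str:
    """OATH TOTP (RFC 6238): HOTP over the time-step counter floor(time / timestep)."""
    return hotp(seed, int(unix_time) // timestep, digits, hash_name)


def verify_hotp_auto_resync(seed: bytes, submitted: str, server_counter: int,
                            counter_range: int, digits: int = 6,
                            hash_name: str = "SHA1") -> Optional[int]:
    """Event-based auto resync: try the stored counter and up to 'counter_range'
    increments beyond it, never decrementing (the page states the process
    increments rather than decrements). Returns the next expected counter on
    success, so the same OTP can never be accepted twice, or None on failure."""
    for candidate in range(server_counter, server_counter + counter_range + 1):
        if hmac.compare_digest(hotp(seed, candidate, digits, hash_name), submitted):
            return candidate + 1
    return None


def verify_totp_auto_resync(seed: bytes, submitted: str, server_time: int,
                            offset_start: int = -3600, offset_end: int = 3600,
                            timestep: int = 30, digits: int = 6,
                            hash_name: str = "SHA1") -> Optional[int]:
    """Time-based auto resync: test every time step between server_time + offset_start
    and server_time + offset_end (the Time Offset window, default -3600..+3600 s).
    Returns the device's apparent clock offset in seconds, or None if nothing matches."""
    server_step = server_time // timestep
    first_step = max((server_time + offset_start) // timestep, 0)
    last_step = (server_time + offset_end) // timestep
    for step in range(first_step, last_step + 1):
        if hmac.compare_digest(hotp(seed, step, digits, hash_name), submitted):
            return (step - server_step) * timestep
    return None


if __name__ == "__main__":
    # Device generated 3 events ahead of the server's counter; Counter Range 5 absorbs it.
    print(verify_hotp_auto_resync(DEMO_SEED_SHA1, hotp(DEMO_SEED_SHA1, 4), 1, 5))  # 5
    # Device clock 30 s behind the server, found inside a +/- 600 s window.
    print(verify_totp_auto_resync(DEMO_SEED_SHA1, totp(DEMO_SEED_SHA1, 30), 60, -600, 600))  # -30
```

The two return values are what the server must persist after a successful resync: the advanced counter for HOTP, and the accepted time step (or offset) for TOTP, so that an OTP already used inside the window cannot be presented a second time. Widening Counter Range or the Time Offset window makes resync more forgiving but enlarges the set of OTPs the server will accept at any moment, which is why the page restricts these parameters to device types that support automatic resynchronization.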
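The three container protection lock types, the multiplier and the maximum number of wrong attempts together form a small state machine, and the interactions (when the delay applies, when the counter resets, when the container stops accepting attempts) are easier to see in code. The following is an added example, not the HID Approve application's implementation: it models delay, nolock and lock with the page's defaults (initial delay of two seconds, multiplier 2, maximum 6 attempts) and the formula wait = multiplier x 2^(attempts-1). That a locked container ignores later correct PIN entries until it is recovered out of band is an assumption of this model.

```python
class ContainerProtection:
    """State machine for the 'Container policy protection lock type' options:
    delay (exponential back-off, then lock at the maximum), nolock (never locks)
    and lock (locks at the maximum with no delay)."""

    def __init__(self, lock_type: str = "delay", multiplier: int = 2, max_attempts: int = 6):
        if lock_type not in ("delay", "nolock", "lock"):
            raise ValueError("lock type must be delay, nolock or lock")
        self.lock_type = lock_type
        self.multiplier = multiplier      # "Number of times the waiting time is multiplied"
        self.max_attempts = max_attempts  # "Maximum number of wrong attempts"
        self.failed = 0                   # consecutive wrong attempts
        self.locked = False

    def wait_seconds(self) -> int:
        """Delay before the next attempt: wait = multiplier x 2^(attempts-1).
        Only the delay policy waits, and only after at least one failure."""
        if self.lock_type != "delay" or self.failed == 0:
            return 0
        return self.multiplier * 2 ** (self.failed - 1)

    def record_attempt(self, success: bool) -> str:
        """Apply one PIN attempt and report 'ok', 'locked' or 'wait <n>s'."""
        if self.locked:
            return "locked"          # assumption: a locked container stays locked
        if success:
            self.failed = 0          # counter resets on the next successful authentication
            return "ok"
        self.failed += 1
        if self.lock_type in ("delay", "lock") and self.failed >= self.max_attempts:
            self.locked = True
            return "locked"
        return f"wait {self.wait_seconds()}s"


def delay_after(failures: int, multiplier: int = 2) -> int:
    """Convenience: the delay the page quotes for the n-th consecutive failure."""
    policy = ContainerProtection("delay", multiplier)
    for _ in range(failures):
        policy.record_attempt(False)
    return policy.wait_seconds()


if __name__ == "__main__":
    print(delay_after(4))      # 16, the page's default example (2 x 2^3)
    print(delay_after(4, 4))   # 32, with the multiplier raised to 4
```

With the defaults, the delays before the second to sixth attempts are 2, 4, 8, 16 and 32 seconds, and the sixth wrong entry locks the container; nolock keeps accepting attempts indefinitely with no delay, which is why it offers the weakest protection against PIN guessing on a lost device.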