Advanced Configuration for Push Authentication

Maximum Number of Devices per User [integer]

The maximum number of this type of device that can be assigned to a user.

The limit is only verified when the user attempts to activate a new device of this type and an error message is displayed if they have already reached the maximum.

If you set a maximum, it will not affect users who already have more devices than the limit (that is, it will not block authentication nor delete or modify existing devices). However, these users will only be able to activate a new device if they discard existing devices to meet the new limit. For example, if you set the limit to 2 devices, a user with 3 existing devices will need to discard 2 to activate a new device.

The default value is -1 (unlimited).

URL for operation validation

URL used to communicate with the application for Logon or Action validation

https://<server>:<port>

Configure with the public URL of your ActivID AS. Mobile devices must be able to reach this URL from public network.

For example, if your authentication server is publicly available as myServerHostName on default port 443 then set this parameter as

https://myServerHostName

Server TLS certificate

Server TLS certificate complete value used by the device and ActivID AS to compute the session key. It corresponds to the body of the ActivID AS TLS certificate.

This value can be obtained by viewing the certificate file with Notepad.

This parameter supports configuration of multiple certificates (in PEM format) if your deployment includes multiple access points for HID Approve. Append the certificates such as:

-----BEGIN CERTIFICATE-----
MIIDSzCCAjOgAwIBAgIEco0o3jANBgkqhkiG9w0BAQsFADBWMRYwFAYDVQQLEw1B
...
ax0oW532uDwEQKUpTOIhRjEbP6p8uhyPG4dyV46tPA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDfDCCAmSgAwIBAgIJAKHzwx0jDzrsMA0GCSqGSIb3DQEBCwUAMCcxJTAjBgNV
...
5F6PlD4k5Q9hBUKFdbO5wxc6R9cENfoEoZVnvtwCmbo=
-----END CERTIFICATE-----

Retrieve the SSL certificate of the authentication server (connecting with a browser) and save it as PEM BASE 64 encoded (for example, as myserverSSLcertificate.crt).

Then edit this file with Notepad and copy the content, including the -----BEGIN CERTIFICATE----- & -----END CERTIFICATE----- mentions.

Container Profile

Defines the list of credentials and authenticators to generate during registration, as well as the mapping between each authentication policy and its channel, separated by |.

Each item uses the format:

type:credential_type:authentication_policy:channel

The default value is:

• Key 1: Credential (AES Key) used for Mobile Service communications
  One CT_SMKV4 credential (SMK) associated with a:

  • AT_SMK authenticator

  • CH_SMK channel

• Key 2: OATH Time-based credential (secret key) used to generate Secure Codes
  One CT_TDSOT credential (OTP) associated with a:

  • AT_CUSTOTP authenticator

  • CH_PASA channel

• Key 3: Single-parameter Challenge/Response authentication
  One CT_TDSOATCR credential (OTP) associated with a:

  • AT_CUSTOTP authenticator

  • CH_PASA channel

• Key 4: Multi-parameter Challenge/Response authentication
  One CT_TDSOATSIGN credential (OTP) associated with a:

  • AT_CUSTOTP authenticator

  • CH_PASA channel

• Key 5: Credential (RSA key) used during the Logon validation process
  One CT_PASAV4 credential (RSA) associated with a:

  • AT_PASA authenticator

  • CH_PASA channel

• Key 6: Credential (RSA key) used during Action validation process
  One CT_TDSV4 credential (RSA) associated with a:

  • AT_TDS authenticator

  • CH_TDS channel

Container UI Customization file

Defines the customization file used for the application, and as well the server public key pins used for the certificate pinning mechanism.

See Customizing the Solution.

<empty>

Policy Rules

Rules that define mobile device characteristics (such as OS, OS version, key store mode or rooted state), allowing to excluded matching devices from Service Registration.

"rules": {
"refreshinterval": 1440,
"version": 1,
"provisioning": [{
"ruleid": 1,
"phonestates": [
{ 
"isRooted": "true"
}
],
"outcome": "deny",
"message": "Not allowed to provision for rooted or jailbroken devices"
}]
}						

Container keys protection policy

See Key Protection Policy Parameters.

Container transaction history

Defines the behavior of HID Approve application for operation (that is, Logon/Action validations) history.

None (do not modify)

VERSION

Defines the minimum version of the provisioning protocol supported by the server.

v5 (do not modify)

TYPE

Type of registration process:

pki.token = registration using the HID Approve application integrating HID Approve SDK.

pki.token (do not modify)

OPMODE

• fips_strict – mobile operates in FIPS mode strictly as recommended by the NIST guidelines.
• fips_devbinding – mobile operates using FIPS-approved algorithms and continues to use Secure Element in device for binding (when it exists, even if the FIPS-certified status is unknown).
• default – mobile operates using best cryptographic practices recommended by HID Global.

default

RESYNCH

Defines the credential that will be selected when the device resynchronization function is invoked.

CT_TDSOE (do not modify)

AUTHMETHOD

Provisioning method to authenticate the device at the start of provisioning.

It uses a password (computed by the device) on client-side, which must match the password generated on the server (based on a pre-shared secret).

GEN|PROMPTPASS|SENDPASS (do not modify)

KDFLEN

Defines the length used to compute pss (pre-shared secret).

10 (do not modify)

KDKCHARSET

Defines the char set used to compute pss (pre-shared secret).

Possible values are:

• ALPHA – Only uppercase or numeric characters.
• ASCII – the ASCII "94" char set (ASCII printable characters from 0 to 126).

ALPHA (do not modify)

PUSH_NOTIF

Indicates if push-based notifications should be sent to the mobile device (in the context of push-based action or logon operation validation).

Possible values are:

• Y – push notifications are sent
• N – push notifications will not be pushed to the mobile device

Setting PUSH_NOTIF to N allows using the push-based solution without configuring delivery gateways. Instead, “getPending requests” on the mobile device allows retrieving the operations to be validated.

Y

Signature Algorithm

Crypto algorithm for approval message signature by the HID Approve application.

SHA256WithRSA (do not modify)

Algorithms restriction (comma delimited, blank means all)

Type of crypto algorithm supported for signature.

RSA (do not modify)

OTP length

One-Time Password (random) that is a part of the encrypted approval message sent to the device.

Allows ActivID AS to verify the device’s identity.

8 (do not modify)

Encryption Algorithm

Algorithm used for encryption.

A256CBC-HS512 (do not modify)

Default Approval Status

The approval status to be sent to the device.

Any string items are separated by |.

Used as default if the Bank Application does not specify a value when the transaction is created (calling API indirectDeliverChallenge).

accept|deny|report (do not modify)

Key parameters

See Credential Type Adapter Key Parameters.

Key validity period (days)

The number of days for which the credential is valid.

Keys protection policy

See Key Protection Policy Parameters.

OCRASuite with counter

Only used for OATH OCRA

N/A

OCRASuite with timestamp

Only used for OATH OCRA

N/A

OTP Key parameters

See OTP Key Parameters (Secure Code).

Key validity period (days)

The number of days for which the credential is valid.

365

Keys protection policy

See Key Protection Policy Parameters.

OCRASuite with counter

Only used for OATH OCRA Event mode authentication.

OCRA-1:HOTP-SHA1-8:QN08

OCRASuite with timestamp

Only used for OATH OCRA Time mode authentication.

OCRA-1:HOTP-SHA1-8:QN08-T30S

OTP Key parameters

See OTP Key Parameters (Secure Code).

Key validity period (days)

The number of days for which the credential is valid.

365

Keys protection policy

See Key Protection Policy Parameters.

OCRASuite with counter

Only used for OATH OCRA Event mode challenge response authentication.

OCRA-1:HOTP-SHA1-8:C-QA48

OCRASuite with timestamp

Only used for OATH OCRA Time mode challenge response authentication.

OCRA-1:HOTP-SHA1-8:QA48-T30S

OTP Key parameters

See OTP Key Parameters (Secure Code).

Key validity period (days)

The number of days for which the credential is valid.

365

Keys protection policy

See Key Protection Policy Parameters.

LABEL

Name for this key on HID Approve application.

For OTP:

• OATH_event for Event mode
• OATH_time for Time mode

For Challenge/Response:

• OATH_OCRA_event_CR for Event mode
• OATH_OCRA_time_CR for Time mode

For Signature:

• OATH_OCRA_event_SIGN for Event mode
• OATH_OCRA_time_SIGN for Time mode

SUPPORTEDALGS

Define the key usage attached to this key on the HID Approve application.

For OTP:

• hotp for Event mode
• totp for Time mode

For Challenge/Response and Signature:

• ocra

KEYUSAGE

Define the key usage attached to this key on HID Approve application.

otp (do not modify)

TYPE

Key Algorithm to be associated to the derived key. Default is 'OCT' which is used for symmetric keys.

OCT (do not modify)

RESYNCWIN

Resynchronization windows.

20 (do not modify)

OTPLEN

OTP length to be generated.

For OTP – 6

ADDCHECKSUM

OATH Check sum flag parameter.

0 (do not modify)

OFFSET

OATH offset parameter.

16 (do not modify)

TIMESTEP

OATH time step parameter in seconds.

30 (do not modify)

STARTTIME

OATH start time parameter

0 (do not modify)

CLIENTOCRASUITE

OCRA algo client suite.

SERVEROCRASUITE

OCRA algo server suite.

* used during the challenge-response exchanges between the server and the HID Approve application.

For Challenge/Response:

• OCRA-1:HOTP-SHA1-8:C-QN08 for Event mode
• OCRA-1:HOTP-SHA1-8:C-QN08-T30S for Time mode

For Signature:

• OCRA-1:HOTP-SHA1-8:C-QA48 for Event mode
• OCRA-1:HOTP-SHA1-8:C-QA48-T30S for Time mode

SHA1-y

y = OTP length to be generated

8

QA0x

x= Challenge length

8

LABEL

Name for this key on the HID Approve application.

pushkey

KEYUSAGE

Define the key usage attached to this key on the HID Approve application.

authentication

TYPE

Type of this key.

RSA

ALGO

Crypto algorithm for signature.

RSA2048

SUITE

Crypto suite algorithm for signature.

PKIv1

POPALGOID

Crypto algo used on proof of possession of the private key.

1.2.840.113549.1.1.10

LABEL

Name for this key on HID Approve application.

signkey

KEYUSAGE

Defines the key usage attached to this key on the HID Approve application.

signature

TYPE

Type of this key.

RSA

ALGO

Crypto algorithm for signature.

RSA2048

SUITE

Crypto suite algorithm for signature.

PKIv1

POPALGOID

Crypto algo used on proof of possession of the private key.

1.2.840.113549.1.1.10

LABEL

Name for this key on the HID Approve application.

Sessionkey

KEYUSAGE

Defines the key usage attached to this key on the HID Approve application.

transactionprotection

ECCCURVE

ECC curve used during establishment of the session transport key.

P-256

ENCMETHOD

Crypto algorithm used to communicate securely with the device using the transport session generated during registration.

A256CBC-HS512

retry

(Optional parameter) Defines the number of times that HID Approve mobile will try to retrieve the operation validation or logon information from ActivID AS authentication server.

In HA mode, increase this value in case of network latency to allow mobile HID Approve to wait for operation data to be replicated between HA nodes and avoiding failures when retrieving operation data.

2

delay

(Optional parameter) Defines the delay (in seconds) that HID Approve mobile will wait between retries to retrieve the operation validation or logon information.

3

TYPE

Protection type

Available for Device Type (and Credential Type also if using HID Approve SDK):

• device – protected by mobile device protection, (that is, no extra protection implementation).
• password – password protection.
• devicelockorpassword – protected by mobile screenlock security method if it exists at time of registration, else protected by a password.

• biometricorpassword – protected by biometric credential (fingerprint/face) if it is enabled/available, else protected by a password.

Available for Credential Type:

• container – ensures that the credential will use the protection policy defined in the Device Type Container keys protection policy.

HISTMAX

History Maximum Password

This security setting determines the number of unique new passwords that have to be associated with the key before an old password can be reused.

0 authorizes users to reuse current password when password is changed.

Default is 1.

HISTMINAGE

History Minimum age

This security setting determines the period of time (in days) that a password must be used before the user can change it. It must be less than the maximum password age.

0 allows changes immediately.

Default is 1 day.

HISTMAXAGE

History Maximum age

This determines how long users can keep a password before they have to change it.

0 means the password never expires.

Default is 180 days.

LOCKTYPE

Password lock policy

• Delay – an exponential delay is inserted between each failed authentication attempt. This means the user must wait a short period before they can try again.

  This waiting time increases for each failed attempt until number of attempts reaches the COUNTER parameter value.

• Nolock – password never locks.
• Lock – password locks when number of attempts reaches COUNTER parameter value.

• SILENT – password validation is delegated to server-side controls and eventually blocking access on many consecutive failures by augmenting the failed authentication counter. To use this LockType, you need to create an additional Mobile Operation Protection Key Credential Type.

  Note: Password expiration (HISTMAXAGE) and password caching (CACHE_ENABLED) are automatically disabled when the SILENT LockType is configured for use.

DELAY

When LOCKTYPE is set to Delay, defines the number of times the waiting time is multiplied after an incorrect authentication attempt

The DELAY parameter corresponds to the initial delay in seconds.

The resulting wait is calculated by doubling the initial delay for each failed attempt - wait = DELAY x 2^(attempts-1)

By default, after the fourth failed attempt, the delay will be 16 seconds (where 2 x 2^3).

If you increase the DELAY value to 4, this delay will be 32 seconds (where 4 x 2^3).

Numeric value – default is 2 times

COUNTER

Defines the maximum number of incorrect authentication attempts allowed before the credential locks

Numeric value – default is 6 attempts

The counter is reset to 0 on the next successful authentication

UP

Minimum number of upper case characters

Numeric value – default is 1

LOW

Minimum number of lower case characters

Numeric value – default is 0

NUM

Minimum number of numeric characters

Numeric value – default is 0

ALPHA

Minimum number of alpha characters

Numeric value – default is 1

NALPHA

Minimum number of special characters

Numeric value – default is 1

MUP

Maximum number of upper case characters

Numeric value – default is 8

MLOW

Maximum number of lower case characters

Numeric value – default is 8

MNUM

Maximum number of numeric characters

Numeric value – default is 8

MALPHA

Maximum number of alpha characters

Numeric value – default is 8

MNALPHA

Maximum number of special characters

Numeric value – default is 8

MINLEN

Minimum password length

Numeric value – default is 6

MAXLEN

Maximum password length

Numeric value – default is 8

CACHE_ENABLED

Password caching Mode, when password caching is enabled, password is prompted before displaying the push transaction content and it is cached during a set time to allow the user to approve/decline the transaction without re-entering the password

• False – 0
• True – 1 (default value)

CACHE_TIMEOUT

Duration in seconds during which the password is kept in cache.

Numeric value – default is 30

Maximum allowed is 300 seconds.