Configure a Secure Code

Use a Time-based Secure Code

To allow resynchronization between the user’s device, ActivID AS and HID Approve, it is recommended to use time-based OATH credentials. Setting the correct time on the user’s device will ensure successful authentication.

By default, Secure Code, Challenge Response, and Signature credentials are time-based.

If your domain was created for ActivID AS v8.4 or earlier and they are not the default settings, update the configuration using the following procedure:

To use a Time-based Secure Code instead of an Event-based code:

  1. Log on to the ActivID Management Console as a Configuration Manager.

  2. Select the Configuration tab.

  3. Under Polices, expand Authentication and click Device Types.

  4. Select the Mobile push based Validation (DT_TDSV4) Device type.

  5. Select the Device Adapter tab.

  6. Edit the Container Profile field by replacing the existing KEY2 value (CT_TDSOE) with CT_TDSOT.

Similarly, to use challenge/response and signature (OCRA), you need to replace the values for KEY3 and KEY4 with the Time-based credential types, CT_TDSOATCR and CT_TDSOATSIGN, respectively.

Note: For further details, see Device Type Common Parameters.

Edit the Length of the Secure Code

To edit the length of the Secure Code that will be generated by the mobile device:

  1. Log on to the ActivID Management Console as a Configuration Manager.

  2. Select the Configuration tab.

  3. Under Polices, expand Authentication and click Credential Types.

  4. Select either the Mobile OATH event based Credential (CT_TDSOE) or Mobile OATH time based Credential (CT_TDSOT).

  5. Edit the OTP key parameters field by replacing the value for OTPLEN with the required value, (for example, set OTPLEN=8 for a length of 8).

Note: For further details, see OTP Key Parameters (Secure Code).

The process is slightly different for challenge/response and signature (OCRA):

  1. Log on to the ActivID Management Console as a Configuration Manager.

  2. Select the Configuration tab.

  3. Under Polices, expand Authentication and click Credential Types.

  4. Select the required credential type and edit the corresponding OCRASuite field by replacing the value of OCRA-1:HOTP-SHA1-8:C-Qxxx with the new value, (for example, OCRA-1:HOTP-SHA1-6:C-Qxxx to set a length of 6).

    Credential Type ORCASuite Field

    Mobile OATH OCRA event based Credential C/R (CT_TDSOAECR)

    OCRASuite with counter

    Mobile OATH OCRA event based Credential SIGN (CT_TDSOAESIGN)

    OCRASuite with counter (plain signature mode)

    Mobile OATH OCRA time based Credential C/R (CT_TDSOATCR)

    OCRASuite with timestamp

    Mobile OATH OCRA time based Credential SIGN (CT_TDSOATSIGN)

    OCRASuite with counter (plain signature mode)

  5. Edit the OTP key parameters field by replacing the value of …OCRA-1:HOTP-SHA1-8:C-QN08 with the same value you set for the OCRASuite field above.

  6. Click Save.