Managing OTP Device Authentication

As a Help Desk operator, you can assign and manage OTP Secure passwords that can be used only once. Each OTP is valid for only one authentication, and as such, the passwords cannot be recorded and replayed again to gain access. Synchronous authentication devices implement a system of OTPs by creating a sequence of passwords that are synchronized in some manner with host systems. devices in the user's Details page.

When you assign a device to a user, you also create an OTP device authentication record that binds the device to the user. Each user can have one or more Device authentication records. A device that is not assigned to a user through an OTP Device authentication record is called an “unbound” device.

Note: Users can be registered for both OTP authentication and SMS authentication. The SMS authentication can be used when the token is not available (that is, lost or forgotten).

When you create a Device authentication record, you must identify the device. You can specify the serial number (in full or with wild cards), start date, expiration date, and issue number as search criteria. If your criteria are not unique, ActivID AS presents a list of all devices meeting the search criteria.

The following data is required to create a Device authentication record for a user:

  • Valid From/To – The duration for which the authentication record will be valid for use.

    • Use dd/mm/yyyy format. The default From value is the current date.

  • Maximum number of successful authentications allowed – The maximum number of times a user can authenticate to ActivID AS using this authentication record.

    • Default value derived is from the Default expiry threshold field specified for the authentication policy. Select Never expire if you do not want to use the expiration threshold functionality.

  • Status – Status of the authentication record (Enabled or Disabled)

    • If set to “Disabled,” the user will not be able to authenticate using this authentication record.

  • Device Serial Number – Optional search criteria: serial number of the device you are binding to the user by creating the authentication record. Wild cards are allowed.

  • Device Type – Code of the device type to which the device is linked in the authentication server. If the device details you enter do not uniquely identify a single device type, then ActivID AS returns a list of device types from which to select.

  • Optionally, you can also define a Device Friendly Name to identify your device.

When you create an authentication record, the authentication policy you select governs the composition of the authentication record. For example, the authentication policy sets the maximum period for which the user can remain authenticated to ActivID AS (without using any ActivID AS functionality) before the user is automatically required to re-authenticate.

Deleting an OTP Device authentication record dissociates the device from the user (that is, deletes the binding between the authenticator and the user). The device then can be used again by binding it to a different user.

Details of devices are imported. To support successive renewals, in addition to the serial number, device details can include a start date, an expiration date, and an issue number. The serial number of the device (for example, a smart card) should remain constant, but the start date, the expiration date, and the issue number can be updated for each renewal.

Topics in this section: