Configure Authentication Policies

An authentication policy is a template containing predefined parameters enforced during authentication, such as password lengths or constraints, OTP synchronization protocols, Push Notification Signature details...

Authentication policies can be one of three different types:

Username/Password (LOGIN or UP) policies define password rules (for example, password history) and password complexity rules (for example, password must contain numbers or special characters, etc.)
Security Questions/Memorable Data (SQ) policies are assigned a set of security questions to create a pool of applicable questions that can be displayed, selected, and used by the user population that are assigned that specific authentication policy
Device-based (DEVICE) policies are assigned a set of applicable credential types that are associated to user’s devices. For instance, an OTP device authentication policy could have a combination of OOB, OATH or ActivID SKI credentials.

Authentication policy parameters include attributes, validity, channel and gateway assignments and constraint settings.

You configure authentication policies using the ActivID Management Console.

Default Authentication Policies

ActivID AS System and Administrator Authentication Policies

Code	Name	Description	Adapter	Type
AT_MCOTP	Management Console OTP Login	OTP login for Management Console access	Credential Authentication adapter	DEVICE
AT_MCPKI	Management Console PKI login	PKI login for Management Console access	Credential Authentication adapter	DEVICE
AT_MCQA	Management Console Questions & Answers	Q&A login for Management Console access	4TRESS Memorable Data adapter	SQ
OP_ATCODE	Management Console Static Login	Static password login for Management Console access	4TRESS Username-Password adapter	LOGIN
PR_ATCODE	Prime User Login	Prime User login	4TRESS Username-Password adapter	LOGIN
AT_RFE	RADIUS FE login	Login for RADIUS Front End	4TRESS Username-Password adapter	LOGIN
AT_STPADM	Soft Token Portal Login	Static Login for Soft Token Portal to access the public API	4TRESS Username-Password adapter	LOGIN
AT_SYSPKI	System PKI Login	PKI login for systems accessing the public API	Credential Authentication adapter	DEVICE
AT_SYSLOG	System Static Login	Static password based login for systems accessing the public API	4TRESS Username-Password adapter	LOGIN

ADFS Authentication Policies

Code	Name	Description	Adapter	Type
AT_ADFSAPW	ADFS Agent Static Password	Static password login for ADFS Agent System User	4TRESS Username-Password adapter	LOGIN
AT_ADSOTP	ADFS Seos One Time Password	Seos One time password for ADFS users	Credential Authentication adapter	DEVICE

Customer Authentication Policies

Code	Name	Description	Adapter	Type
AT_CUSTDID	Customer DeviceID	DeviceID for customer authentication	Credential Authentication adapter	DEVICE
AT_CSTEPWD	Customer Emergency Password	Emergency password for customer authentication	4TRESS Username-Password adapter	LOGIN
AT_CUSTQA	Customer Emergency Questions & Answers	Emergency Q&A for customer authentication	4TRESS Memorable Data adapter	SQ
AT_CUSTMW	Customer memorable word	Memorable word for supplementary authentication	4TRESS Username-Password adapter	LOGIN
AT_CUSTOTP	Customer One Time Password	One time password login for customer authentication	Credential Authentication adapter	DEVICE
AT_CUSTSMS	Customer Out of Band authentication	Out of Band login for customer authentication	Credential Authentication adapter	DEVICE
AT_CUSTPIN	Customer PIN	Numeric PIN for customer authentication	4TRESS Username-Password adapter	LOGIN
AT_CUSTPKI	Customer PKI authentication	PKI based authentication for customers	Credential Authentication adapter	DEVICE
AT_CUSTSGN	Customer Signing	Signing for customer transaction authentication	Credential Authentication adapter	DEVICE
AT_CUSTPW	Customer Static Password	Static password login for customer authentication	4TRESS Username-Password adapter	LOGIN

Employee Authentication Policies

Code	Name	Description	Adapter	Type
AT_EMPDID	Employee DeviceID	DeviceID for employee authentication	Credential Authentication adapter	DEVICE
AT_EMPQA	Employee Emergency Questions & Answers	Emergency authentication for employees	4TRESS Memorable Data adapter	SQ
AT_EMPEPWD	Employee Emergency Static Password	Static password login for employee emergency authentication	4TRESS Username-Password adapter	LOGIN
AT_EMPOTP	Employee One Time Password	One time password login for employee authentication.e.g. remote access	Credential Authentication adapter	DEVICE
AT_EMPSMS	Employee Out of Band authentication	Out of Band authentication for employee	Credential Authentication adapter	DEVICE
AT_EMPPKI	Employee PKI authentication	PKI authentication for employee application login	Credential Authentication adapter	DEVICE
AT_EMPPWD	Employee Static Password	Static password login for employee authentication	4TRESS Username-Password adapter	LOGIN

EMV Authentication Policies

Code	Name	Description	Adapter	Type
AT_EMVAUTH	EMV authentication	EMV authentication	Credential Authentication adapter	DEVICE
AT_EMVTRNS	EMV transaction	EMV transaction	Credential Authentication adapter	DEVICE

FIDO Authentication Policies

Code	Name	Description	Adapter	Type
AT_FIDO	FIDO authentication	FIDO authentication	Credential Authentication adapter	DEVICE

Mobile-based Authentication Policies

Code	Name	Description	Adapter	Type
AT_SMK	Mobile application update	Authentication for Mobile Application information update on server	Transaction Signing Credential Authentication adapter	DEVICE
AT_TDS	Mobile push-based Action Validation	Authentication for Mobile push-based Action Validation	Transaction Signing Credential Authentication adapter	DEVICE
AT_PASA	Mobile push-based Logon Validation	Authentication for Mobile push-based Logon Validation	Transaction Signing Credential Authentication adapter	DEVICE
AT_TDSOOB	Mobile Registration authentication	Authentication for Mobile Registration	Credential Authentication adapter	DEVICE
AT_TXOOB	SMS Transaction OOB	SMS Transaction OOB	Transaction Signing Credential Authentication adapter	DEVICE

Other Authentication Policies

Code	Name	Description	Adapter	Type
AT_JWT	JWT Bearer auth	JWT bearer auth	Credential Authentication adapter	DEVICE
AT_LDAP	LDAP Fallback/Passthrough	ActivID LDAP Fallback/Passthrough	4TRESS LDAP Username-Password adapter	DEVICE
AT_PKI_MCH	PKI Certificate Matching	PKI Certificate Matching Authentication	PKI Certificate Matching Credential Authentication adapter	DEVICE

Create an Authentication Policy

Prerequisites: To create a new authentication policy, you must be assigned the Create authentication policy permission.

Note: It is recommended that you create a new authentication policy based on a default policy. Contact HID Global Professional Services for further information.

The predefined authentication policies comply with the following recommendations in the NIST SP 800-63B-3 guidelines concerning digital identity:

Minimum Length – 8 characters
Maximum Length – 100 characters
Restrictions:
- No constraints in the range of characters allowed.
- No requirement to mix different character types.
The default restrictions are designed to prevent the use of previous passwords, commonly chosen passwords that appeared in password leaks, a sequence of letters, and rejects passwords that contain the user name or the value of one UserAttribute.
Maximum Age – 1825 days
Lock Policy – Disabled for 900 seconds after five (5) consecutive authentication failures.

Log on to the ActivID Management Console as a Configuration Manager.
Select the Configuration tab and, under Policies, select Authentication and then Authentication Policies.

All existing authentication policies are listed in a paged table. The total number of authentication policies is given in the lower left corner.

Each row corresponds to an authentication policy. It provides the following information in the different columns:

Code – the unique code identifying the authentication policy
Name – the name of the authentication policy
Description – a description of the authentication policy
Adapter – the authentication policy adapter associated with the authentication policy
Class – the authentication policy class (type)

Launch the Authentication Policy Creation Wizard

Click Add.

Enter the main information for the Authentication policy and click Next:

Name – should be unique for ease of administration.
Code – a value is automatically generated but it can be changed. The code must be unique, a minimum of three characters, and a maximum of 10 characters. It cannot be changed once the authentication policy is created.
Description – (optional) content is free-format.

Proceed to Define the Attributes Settings.

Define the Attributes Settings

The Attributes are the general parameters of the policy.

From the Class drop-down list, select the required policy type – Login, Security Questions or Device.

From the Authentication Adapter drop-down list, select the required adapter A functional module that supports a specific authentication scheme. Authentication adapters are specific to Authentication classes. You select an authentication adapter during authentication policy configuration..

This is the software that provides the authentication service for the authentication policy. The adapter handles requests for authentication made through the authentication policy.

Class	Adapter
LOGIN	4TRESS Username-Password adapter
Security Questions	4TRESS Memorable Data adapter
DEVICE	4TRESS LDAP Username-Password adapter Credential Authentication adapter PKI Certificate Matching Credential Authentication adapter Transaction Signing Credential Authentication adapter

Important: You must select an adapter that is compatible with the authentication class and purpose. The available adapters depend on the selected authentication class.

From the Authentication Adapter Manager drop-down list, select the required manager.

This is the software that manages data storage and retrieval for an authentication record during its life cycle.

LDAP authenticator manager for the LDAP authentication with the Device authentication class
Device authenticator manager for the Device authentication class
UP authenticator manager for the Login authentication class
MD authenticator manager for the Memorable Data/Security Questions authentication class

Important: You must select an adapter manager that is compatible with the authentication class.

Click Next and Define the Validity Settings.

Define the Validity Settings

The Validity parameters are related to the validity of the authentication records created from this authentication policy.

Enter the required parameter values:

Parameter	Description
Valid days after creation	The default expiration period of an authentication record, as a number of days, starting from the date of creation of the authentication record. To apply the new expiration period to the new authentication records, edit this field for an existing authentication policy. The pre-edited expiration period continues to apply to existing authentication records set up under the authentication policy.
Valid days after update	The default expiration period of an authentication record when the password is changed, starting from the date the password is changed. For a Security Questions authentication policy, this value will be high, since Security Questions responses will not be expected to change over time.
Disable threshold	The maximum number of successive failed attempts by a user to log on using an incorrect password before the password is locked.
Default expiry threshold	The number of times a user can authenticate using a password before the password expires. It corresponds to the Maximum number of successful authentications allowed. If you do not want to use the expiration threshold functionality, then enter a value of -1.
Session inactivity time-out (ms)	Time (in milliseconds) after which an idle session is automatically terminated. The value should be lower than that set for the global Session Timeout parameter.
Session timeout (ms)	The maximum period, in milliseconds, that a user authenticated via this authentication policy can sustain their session before being prompted to re-authenticate by logging on again.
Disabled time reset(s)	Enter this value in seconds. This value enables the auto-unlock feature. If an authenticator is locked for any reason (for example, it reached the max authentication count), it’s possible to unlock the authenticator (if you have set this to a value other than zero). For example, if you configure the value to be 120 seconds (two minutes), then by setting Disabled Time Reset, it will automatically unlock the authenticator when the user tries to authenticate after two minutes.
Password reset format	Defines the format for the password reset file. For standard formatting, select None. When specifying ANSI X9.8 PIN encryption, the password must be numeric and be between 4 and 12 digits long. Note: This feature is not currently supported.
Change password after expiry	Enables an operator to log on with a password beyond the password’s expiration date. However, the user is requested to change the password immediately. The number entered in the field specifies the number of times the user can enter the existing expired password in an attempt to change it before being denied further access.

Click Next and Define the Assignments Settings.

Define the Assignments Settings

In the Assignments tab, define the policy’s channels The means through which users interact with an organization, system, or workspace where they perform operations. A channel defines the method of access for which a User Authentication method (or privilege) is valid. and delivery gateways.

Note: You can save this authentication policy without channels, but you cannot assign this authentication record policy to users until you have selected at least one channel.

Select one or more channels to which to link the new authentication policy by moving them to the Selected Channels list.

The Available Channels list specifies all the channels that currently exist in your system.

You can move the channels by dragging and dropping, or using the arrow buttons:

To move a single channel, select the required channel and click the forward arrow .
To move several channels simultaneously, use the Ctrl or Shift keys to select the required channels and click the forward arrow .
To move all the channels, click the forward-all arrow .

You can use the backward arrows to restore the selected channel(s) to the Available list.

Select one or more gateways to manage the delivery of Out-of-Band (OOB) messages and passwords by moving them to the Selected Delivery Gateways list.

The Available Delivery Gateway list specifies all the gateways that currently exist in your system.

Note:

There are no default gateways. You can configure gateways using the ActivID Management Console.
Delivery Gateways are only used for OOB authentication (such as SMS and Push-based validation).

You can move the gateways by dragging and dropping, or using the arrow buttons:

To move a single gateway, select the required gateway and click the forward arrow .
To move several gateways simultaneously, use the Ctrl or Shift keys to select the required gateways and click the forward arrow .
To move all the gateways, click the forward-all arrow .

You can use the backward arrows to restore the selected gateways(s) to the Available list.

Important:

The order for the selected delivery gateways is important!
You must configure the delivery gateways if the authentication policy is an OOB type.

Click Next and Define the Advanced Settings (Tiered Authentication).

Define the Advanced Settings (Tiered Authentication)

In the Advanced tab, set the Level of Assurance (LOA) service name and base authentication policy for tiered-authentication Authentication can be tiered into two types - primary and secondary authentication - and involves the use of more than one level of authentication to enable a user to access data and carry out particular actions. As the first authentication in a session is considered the Primary authentication, all subsequent authentications in the session are considered to be Secondary authentications..

The Level of Assurance (LoA) Level of Assurance (LoA) is the level of confidence in the claimed identity of a user during authentication See also ACR value (also known as the ACR Authentication context class reference (ACR) specifies the conditions required by a provider or relying party that define how a user authenticates to mitigate specific authentication risks See also LoA value) defines the level of assurance provided by the authentication process to the user's claim to the 'identity' they use to authenticate.

ActivID AS selects the optimal authentication methods available to the user in order to meet the level required by the application/service based on the values defined for the associated authentication policy.

Note: The Advanced settings are optional.

Enter the Level Of Assurance service name (that is, one of the integer values in the table below).

Identity authentication level service values can be configured with integer values 1, 2, 3 or 4.

The value can also be a chain of characters that correspond to the OpenID Connect acr claim, such as urn:openbanking:psd2:sca or urn:openbanking:psd2:ca that respectively represent the strong or normal PSD2 authentication method.

LoA can typically be defined for SAML transactions. Each assurance level describes the recipient’s degree of certainty that the user has presented an identifier that refers to their identity.

LoA values can be configured at Authentication Adapter level or Credential adapter level. However, if both are configured, then the authentication adapter LoA takes precedence.

In this context, an LoA Service value can be associated to an authentication policy.

LoA (Int)	Definition	LoA (String)
1	Little or no confidence in the asserted identity’s validity.	urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:1
2	Some confidence in the asserted identity’s validity.	urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:2
3	High confidence in the asserted identity’s validity.	urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:3
4	Very high confidence in the asserted identity’s validity.	urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:4

With this configuration, the service provider (SP) authentication process adapter will return (in the SAML assertion) the LoA string as a value for one of the SP attributes defined in the SP metadata. For further details on how to return values in SAML assertions, see Configure SAML Assertion Settings.

To set this authentication policy as the ‘child’ policy in a tiered-authentication deployment, from the drop-down list, select the Base authentication policy as the ‘parent’ policy.

This means the user will need to make a successful authentication with the authentication policy chosen as the base type (that is, a static password), before being prompted to authenticate using the ‘child’ authentication policy (that is, a One-Time Password). Both authentications need to succeed for the tiered-authentication to succeed.

If you are not configuring for tiered authentication, leave the setting as None.
Click Next and Define the Constraints.

Define the Constraints

In the Constraints tab, define the specific constraints parameters depending on the authentication policy class chosen in Attributes tab and click Save.

Constraints for Login policies

If you are creating a Login class authentication policy, define the following constraints (divided into three sections below)

Password Creation – the constraints enforced when a password is created.

Constraint	Options	Description
Characters range	No constraint	All characters allowed, including special characters.
	Only numeric	Only numbers allowed, no punctuation, no characters, and no spaces.
	Only alphabetic	Only letters allowed, no punctuation, no numbers, and no spaces.
	Numeric OR alphabetic	Combination of letters and numbers allowed, no punctuation, and no spaces.
	Numeric AND alphabetic	Must have a combination of letters and numbers, no punctuation, and no spaces.
With at least	One numeric character	Contain at least one numeric character.
	One lowercase character	Contain at least one lowercase character.
	One uppercase character	Contain at least one uppercase character.
	One special character	Contain at least one special character.
Minimum length	Numeric value	Minimum number of characters for the user name or password.
Maximum length	Numeric value	Maximum number of characters for the user name or password (For a user name, the default is 100 characters and can be up to 250 characters and 100 characters for a password.)
Minimum number of different characters	Numeric value	User name or password must contain at least the same number of different characters as the number specified in this field. For example, if 3 is specified as the number in this field, aa11 is not valid, while Aa11 could be valid. Make sure you understand the relationship between the Case-sensitive and Different characters constraints. In a string of lowercase characters, uppercase characters are “different”.
Forbidden values	Any previous password	Previous passwords are saved and compared against new password submissions.
	Contain username or is a user attribute	New password submissions are compared against user attribute values specified for that user. Note: User attribute values, such as surname and date of birth, are specified in relation to attribute types assigned to the user type to which a user belongs
	Black-listed word	Must not contain black-listed words. The passwords are compared against a black list containing commonly-used, expected, or compromised words. This list includes: Passwords obtained from security breaches Dictionary words (English) Passwords consisting of repetitive or sequential characters Context-specific words, such as the name (and derivatives) of the company or service
	Sequence of letters or numbers	Password must not consist of a series of numbers or letters (for example, 5678, abc).

Password Verification – the constraints enforced at when the password is verified.

Constraint	Description
Case-sensitive verification	Select if the password should be case-sensitive. Make sure you understand the relationship between the Case-sensitive and Different characters constraints. In a string of lowercase characters, uppercase characters are “different”.
Password seeding	Defines if partial passwords are allowed: No, prompt for full password Yes, use password seeding Both modes enabled (full password, seeded password) If you are creating a partial authentication policy, then you must select the set the Minimum Length constraint in the Password Creation section.
Number of seeds	Specifies the number of characters that can be requested for a partial password.

Constraint

Description

Case-sensitive verification

Select if the password should be case-sensitive.

Make sure you understand the relationship between the Case-sensitive and Different characters constraints. In a string of lowercase characters, uppercase characters are “different”.

Password seeding

Defines if partial passwords are allowed:

No, prompt for full password
Yes, use password seeding
Both modes enabled (full password, seeded password)

If you are creating a partial authentication policy, then you must select the set the Minimum Length constraint in the Password Creation section.

Number of seeds

Specifies the number of characters that can be requested for a partial password.

User Name Constraints – the constraints enforced when a user name is created.

Constraint	Options	Description
Characters range	No constraint	All characters allowed.
	Only numeric	Only numbers allowed, no punctuation, no characters, and no spaces.
	Only alphabetic	Only letters allowed, no punctuation, no numbers, and no spaces.
	Numeric OR alphabetic	Combination of letters and numbers allowed, no punctuation, and no spaces.
	Numeric AND alphabetic	Must have a combination of letters and numbers, no punctuation, and no spaces.
Minimum length	Numeric value	Minimum number of characters for the user name or password.
Maximum length	Numeric value	Maximum number of characters for the user name or password. (For a user name, the default is 100 characters and can be up to 250 characters and 100 characters for a password).
Minimum number of different characters	Numeric value	User name or password must contain at least the same number of different characters as the number specified in this field. For example, if 3 is specified as the number in this field, aa11 is not valid, while Aa11 could be valid. Make sure you understand the relationship between the Case-sensitive and Different characters constraints. In a string of lowercase characters, uppercase characters are “different”.

Constraints for Security Questions policies

If you are creating a Security Questions class authentication policy, define the following constraints:

You can define the prompts displayed to users during Security Question authentication by dragging and dropping, or using the arrow buttons:

To move a single prompt, select the required prompt and click the forward arrow .
To move several prompts simultaneously, use the Ctrl or Shift keys to select the required prompts and click the forward arrow .
To move all the prompts, click the forward-all arrow .

You can use the backward arrows to restore the selected prompt(s) to the Available list.

Constraint	Description
Prompts required for creation	The number of prompts that user must provide responses to in order to create the authentication record.
Prompts required for display	The number of prompts that the user has supplied responses for which will be randomly displayed in order for the user to authenticate. Note: This number must not exceed the number of Prompts required for creation.
Prompts required for authentication	The number of prompts that the user must give the correct responses to in order to authenticate. Note: This number must not exceed the number of Prompts required for creation.
Indicate failed prompts	Specifies if the response prompts that were answered incorrectly are identified.
Answer seeding	Defines if partial answers are allowed: No, prompt for full password Yes, use answer seeding Both modes enabled (full answer, seeded answer)
Number of seeds	Specifies the number of characters that can be requested for a partial Security Questions prompt. The number of seeds should not exceed the minimum length for any response in the group, as defined in the configuration of Security Questions prompts.

Constraints for Device policies

If you are creating a Device class authentication policy, define the following constraints:

You can define the credential types allowed for the Device authentication policy by dragging and dropping, or using the arrow buttons:

To move a single type, select the required type and click the forward arrow .
To move several types simultaneously, use the Ctrl or Shift keys to select the required types and click the forward arrow .
To move all the types , click the forward-all arrow .

You can use the backward arrows to restore the selected type(s) to the Available list.

Note: If you are creating a PKI Certificate Matching authentication policy, only one PKI Certificate Matching credential type is allowed in the Selected Credential Types list.

Constraint	Description
Challenge handling	Defines how the challenge is used during an asynchronous authentication. User-defined challenge – user defines both the challenge and response. It requires the user to enter the challenge, for example, an account number on the device. The device generates a response to the challenge, and the user submits both the challenge and response. Use this mode when employing challenge/response to sign a parameter of a transaction. The user-defined challenge should be used for transaction signature verification. It should not be used for authentication, because it’s prone to replay. Use last issued challenge – requires that the user to enter a challenge issued by ActivID AS on the device (for example, a challenge displayed on a customer Web site). The device generates a response to the challenge. The user submits the response to ActivID AS, which confirms that the challenge and response match. It should be used for authentication purposes. Both the challenge and response are generated upon challenge request. It does not require the user to resend the challenge again for authentication purposes because it has been stored in the database. Check against last issued challenge – requires that the user to enter a challenge issued by ActivID AS on the device (for example, a challenge displayed on a customer Web site). The device generates a response to the challenge. The response submitted by the user is sent to ActivID AS, by the application, along with the challenge initially issued by ActivID AS. ActivID AS checks first that the challenge sent matches the one initially issued, and if it matches, verifies the response. This is the only supported mode currently for PKI Direct user authentication. This behaves exactly the same way as Use last issued challenge mode, except that the application is required to submit the challenge with the response in the authentication call. This mode allows saving CPU cycles by only verifying responses when the challenge submitted matches the one initially sent.
Challenge disable threshold	The maximum number of challenges that can be issued for an authentication record of this policy without submission of a valid response. Once this threshold is crossed, the count must be reset before a challenge will be issued.
Challenge timeout period (s)	A timeout period (in seconds) for a challenge. If a response takes longer than this period, ActivID AS fails the authentication request.
Support only indirect authentication	Specifies whether only indirect authentication is supported or both direct and indirect authentication is supported.
Allowed by direct authentication policy	If a direct user uses this authentication policy to perform direct authentication, then only this user can authenticate indirect users. For example, if Customer one time password is selected, then only direct users who authenticate with customer OTP can authenticate the indirect users.

Note: The Save button is only available if the validation constraints for the parameters in the main section and in all tabs are met.

Edit an Authentication Policy

Prerequisites: To edit an authentication policy, you must be assigned the Update authentication policy permission.

Log on to the ActivID Management Console as a Configuration Manager.
Select the Configuration tab and, under Policies, select Authentication and then Authentication Policies.

Click the Code of the authentication policy that you want to edit.

Edit the settings as required in each tab.

All the tabs are accessible and all settings can be modified except the:

Code
Class

Click Save to apply your changes.

If you want to cancel the operation, click Back to List.

Note: When editing a Security Questions authentication policy, an additional tab called Security Question Group History is available in the edition screen.

This tab provides read-only information on the groups of security questions previously defined for the authentication policy.

Delete an Authentication Policy

Prerequisites: To delete an authentication policy, you must be assigned the Delete authentication policy permission.

Note:

You cannot delete the “Prime User Login” authentication policy or the “Management Console Static Login” authentication policy. A warning message will be displayed.
If there are authentication records of the selected policy defined in the system, then you cannot delete the authentication policy.

Log on to the ActivID Management Console as a Configuration Manager.
Select the Configuration tab and, under Policies, select Authentication and then Authentication Policies.

To delete one or more authentication policies, select the check boxes to the left of the policy names and click Delete.

Click Yes to delete the policies, or No to cancel the operation.