Configuring Security Settings

1. Select the Configuration tab.

2. Click Security Settings. The Security Settings page appears:

   

3. From the Smart card initial PIN display mode and the Initial password display mode drop-down lists, select the appropriate display mode. The options available are Displayed, Disguised, or Not displayed.

4. To configure security questions for logging on to ActivID CMS User Portal, select Yes for the Configure Security Questions authentication method option.

   If you select No, then the Security Questions fields are unavailable. Skip the rest of these sub-steps.

   • Enter the first question in the Question field, and then click Add. You can add as many questions as needed. The questions are shown in the Defined Security Questions box.

   • From the Number of questions set for each user drop-down list, select the number of questions to ask users when they enroll/use their device for the first time. The maximum number is determined by the number of questions listed in the Defined Security Questions box.

   • From the Number of questions asked at user authentication drop-down list, select the number of questions users must answer when they are authenticating. The maximum number of questions is determined by the number of questions listed in the Defined Security Questions box.

   • From the Minimum number of correct answers required for user authentication drop-down list, select the minimum number of correct answers required for successful authentication. You must select at least 1.

   • From the Maximum number of incorrect questions/answers authentication attempts drop-down list, select the maximum number of wrong attempts to reach the minimum number of correct answers. The maximum number of wrong attempts cannot exceed 20.

   When a user reaches the maximum number of incorrect answers, access to the ActivID CMS User Portal is blocked, and an ActivID CMS operator must reset the user’s answers to security questions.

   

5. In the User Portal Security section of the page, to configure self-enrollment of a device, under Authentication method when smart card is blank and bound, select one of the following options:

   • Initial issuance—Select either Initial Password, LDAP Password, or Security Questions.

   • Replacement—Select either Initial Password, LDAP Password, or Security Questions.

6. To configure unlocking of a device online with the assistance of a Help Desk operator, under Authentication method when smart card PIN is locked, select one of the following options:

   • Self online unlock—Select either LDAP Password or Security Questions.

   • Assisted online unlock—Select either Emergency Password The emergency password temporarily replaces an OTP (one-time password) where a user has either forgotten or lost his or her device., LDAP Password, or Security Questions
Important:
About the Emergency Password:
This authentication method is available only for Assisted online unlock. If you select this option, then an ActivID CMS operator will have to generate an emergency password and communicate it to the user when unlock is required.

7. To configure declaration of a device incident when the device is locked or not available, for the Authentication method when smart card is physically locked and Authentication method when smart card is not available options, select either LDAP Lightweight Directory Access Protocol Password or Security Questions.

8. From the Maximum number of consecutive incorrect Initial Password attempts drop-down list, select the maximum number (up to 20) of password retry attempts.

   When a user reaches the maximum number of incorrect password attempts, access to the ActivID CMS User Portal is blocked. An ActivID CMS operator will have to re-generate a new initial or emergency password.

9. In the Remote Issuance Security section of the page, for the Authentication method for remote issuance option, select either Initial Password or LDAP Password.

Note: Remote issuance is only available for mobile smart cards, and support for mobile smart cards has been deprecated starting with ActivID CMS 5.4.

10. From the Maximum number of consecutive incorrect Initial Password attempts drop-down list, select the maximum number (up to 20) of password retry attempts.

    When a user reaches the maximum number of incorrect password attempts, access to the mobile smart card is blocked. An ActivID CMS operator will have to re-generate a new initial password.

11. From the Maximum number of uses of the Initial Password drop-down list, select the maximum number of times (up to 20) the initial password can be used.

12. In the Help Desk Security section, for the Method used to verify identity of user option, select either None or Security Questions.

13. Click Set.