Configuring Security Settings

The Security Settings tab enables you to:

  • Configure authentication methods for users to log on to the ActivID CMS User Portal.

  • Customize the PIN/Initial Password Display.

  • Configure the Security Questions settings, when this authentication method is used to log on to the ActivID CMS User Portal.

  • Select the method to verify a user’s identity in the Help Desk.

The following sections explain the authentication settings that are configurable from the Security Settings page.

ActivID CMS User Portal Authentication Methods

The authentication method required by the portal depends on the service the user requests in the ActivID CMS User Portal. The following table lists, for each service, the authentication methods that can be configured for logging on to the ActivID CMS User Portal.

ActivID CMS User Portal Authentication Methods

Service required by users in ActivID CMS User Portal     | Corresponding authentication method
---------------------------------------------------------|------------------------------------------------------------
Device initialization (initial issuance)                 | Initial password(1), LDAP password(2) or security questions
Device initialization (replacement issuance)             | Initial password, LDAP password or security questions
Device unlock (self online unlock)                       | LDAP password or security questions
Device unlock (assisted online unlock)                   | Emergency password(3), LDAP password or security questions
Device incident notification (device not available)      | LDAP password or security questions
PIN reset                                                | LDAP password or security questions
Change PIN / change answers to security questions        | Smart card (physical and VSC)
Device update                                            | Smart card (physical and VSC)
Device re-issuance                                       | Smart card (physical and VSC)
Download escrowed certificates(4)                        | Smart card (physical and VSC)
Issuance of mobile credentials (mobile app certificates) | Smart card (physical and VSC)

(1) The initial password is defined by the ActivID CMS operator during device binding and is communicated to the user along with the device to be personalized.
(2) The LDAP (Lightweight Directory Access Protocol) password is the user's primary directory password.
(3) The emergency password temporarily replaces an OTP (one-time password) when a user has forgotten or lost his or her device. It is generated by an ActivID CMS operator.
(4) Only supported for Microsoft CA and OpenTrust PKI certificates.

About the Security Questions Authentication Method

Security questions require the user to answer personal questions. If security questions are configured as the authentication method to log on to the ActivID CMS User Portal, then an ActivID CMS operator must define these security questions.

The first time a user connects to the ActivID CMS User Portal, the user is prompted to provide personal answers to the security questions. Authentication on the User Portal at first connection is done using one of the authentication methods described in ActivID CMS User Portal Authentication Methods, excluding security questions.

The ActivID CMS User Portal enables users to update the answers to their security questions. For more information, refer to the ActivID CMS User online documentation.

The security questions authentication method can be locked, and the answers can be reset, in either of two cases:

  • When a user enters wrong answers too many times, the security questions authentication method is locked.

  • When an ActivID CMS Help Desk operator resets answers to security questions, users are forced to re-initialize their answers.

In both cases, users are prompted to re-initialize the answers to security questions the next time they connect to the ActivID CMS User Portal.

About the Device Authentication Method

When a user connects to the ActivID CMS User Portal with a functional device to update the device, change the PIN, or change answers to security questions, the user authenticates to the portal by entering the device PIN code.

This authentication method consists of PIN code verification and a PKI-based challenge-response authentication based on FIPS 196 (Entity Authentication Using Public Key Cryptography). The FIPS-196-based authentication is enforced by the ActivID CMS server and relies on a PKI key pair and digital certificate stored on the device: the server sends a random challenge, the device signs it with the private key, and the server verifies the signature against the certificate.

Note:
About FIPS-196 Protected Services
These include the following services:
  • Device re-issuance

  • Change of security questions and answers

  • Issuance of credentials (mobile app certificates) on mobile devices

Therefore, the device must contain a digital certificate that is managed by ActivID CMS, and a private key associated with this certificate, which is protected by the PIN code. If no ActivID CMS-managed certificate is found on the device, then the FIPS-196-based authentication cannot be performed, and the FIPS-196-protected services will not be available.

If the device contains more than one ActivID CMS-managed digital certificate and PKI key pair, then the ActivID CMS server automatically chooses the most appropriate certificate based on an internal selection algorithm.
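The challenge-response described above, as an added example in Go (not part of the original documentation and not ActivID CMS code): the verifier, standing in for the ActivID CMS server, issues a random single-use challenge; the device signs the challenge together with a nonce of its own and the verifier's identity using the PIN-protected private key, and returns the signature with its certificate; the verifier checks that the challenge is outstanding (so a captured token cannot be replayed), that the certificate is one it manages, and that the signature verifies under that certificate's public key. The token layout, the serverID constant, the fingerprint-based managed-certificate check, the PIN modelled as a flag, and the self-signed certificate created by NewDevice (standing in for the CA-issued one) are this example's simplifications, not the product's wire format; a real verifier would also validate the certificate chain and revocation status. The block is a package driven by its caller: the flow is Challenge, Respond, Verify.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// serverID stands in for the verifier's identity; signing it binds a response to this server.
const serverID = "cms-user-portal"

// Token is the device's response: its certificate, its own 16-byte nonce and the signature.
type Token struct{ CertDER, DeviceNonce, Signature []byte }

// Verifier is the server side: CMS-managed certificate fingerprints and unanswered single-use challenges.
type Verifier struct {
	Managed     map[[32]byte]bool
	outstanding map[string]bool
}

func NewVerifier() *Verifier { return &Verifier{map[[32]byte]bool{}, map[string]bool{}} }

// Device is the claimant: the CMS-managed certificate and its PIN-protected private key.
type Device struct {
	cert        *x509.Certificate
	key         *rsa.PrivateKey
	pinVerified bool // the card releases the key for signing only after PIN verification
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Challenge issues a fresh 32-byte random challenge (the verifier's random number in FIPS 196).
func (v *Verifier) Challenge() []byte {
	c := make([]byte, 32)
	must(rand.Read(c))
	v.outstanding[string(c)] = true
	return c
}

// digest hashes challenge || nonce || serverID; the binary fields are fixed-size, so no length prefix is needed.
func digest(challenge, nonce []byte) []byte {
	h := sha256.Sum256(append(append(append([]byte{}, challenge...), nonce...), serverID...))
	return h[:]
}

// Respond signs the challenge. Without a verified PIN or a CMS-managed certificate the key is
// unusable, which is exactly when the FIPS-196-protected services become unavailable.
func (d *Device) Respond(challenge []byte) (*Token, error) {
	if !d.pinVerified || d.cert == nil || d.key == nil {
		return nil, errors.New("PIN not verified or no CMS-managed certificate on device")
	}
	nonce := make([]byte, 16)
	must(rand.Read(nonce))
	sig, err := rsa.SignPSS(rand.Reader, d.key, crypto.SHA256, digest(challenge, nonce), nil)
	if err != nil {
		return nil, err
	}
	return &Token{CertDER: d.cert.Raw, DeviceNonce: nonce, Signature: sig}, nil
}

// Verify consumes the challenge (a captured token cannot be replayed), requires the presented
// certificate to be one CMS manages, and checks the signature with that certificate's key.
func (v *Verifier) Verify(challenge []byte, t *Token) error {
	if !v.outstanding[string(challenge)] {
		return errors.New("unknown or already-used challenge")
	}
	delete(v.outstanding, string(challenge))
	cert, err := x509.ParseCertificate(t.CertDER)
	if err != nil || !v.Managed[sha256.Sum256(cert.Raw)] {
		return errors.New("certificate missing, malformed or not managed by CMS")
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || len(t.DeviceNonce) != 16 ||
		rsa.VerifyPSS(pub, crypto.SHA256, digest(challenge, t.DeviceNonce), t.Signature, nil) != nil {
		return errors.New("signature verification failed")
	}
	return nil
}

// NewDevice makes a key pair and a self-signed certificate standing in for the one ActivID CMS
// would have issued to the card, and registers its fingerprint with v as CMS-managed.
func NewDevice(v *Verifier) *Device {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	v.Managed[sha256.Sum256(cert.Raw)] = true
	return &Device{cert: cert, key: key, pinVerified: true}
}
```

Two details carry the security weight: the challenge is deleted from the outstanding set before the signature is checked, so a second presentation of the same token fails even if the signature is valid, and the signed data includes the server's identity, so a token obtained by one verifier cannot be relayed to another. A device built with a different Verifier holds a well-formed certificate whose fingerprint the first verifier does not know, which is the "not managed by CMS" case.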

Configuring Security Settings

  1. Select the Configuration tab.

  2. Click Security Settings. The Security Settings page appears.

  3. From the Smart card initial PIN display mode and the Initial password display mode drop-down lists, select the appropriate display mode. The options available are Displayed, Disguised, or Not displayed.

  4. To configure security questions for logging on to ActivID CMS User Portal, select Yes for the Configure Security Questions authentication method option.

    If you select No, then the Security Questions fields are unavailable. Skip the rest of these sub-steps.

    • Enter the first question in the Question field, and then click Add. You can add as many questions as needed. The questions are shown in the Defined Security Questions box.

    • From the Number of questions set for each user drop-down list, select the number of questions to ask users when they enroll/use their device for the first time. The maximum number is determined by the number of questions listed in the Defined Security Questions box.

    • From the Number of questions asked at user authentication drop-down list, select the number of questions users must answer when they are authenticating. The maximum number of questions is determined by the number of questions listed in the Defined Security Questions box.

    • From the Minimum number of correct answers required for user authentication drop-down list, select the minimum number of correct answers required for successful authentication. You must select at least 1.

    • From the Maximum number of incorrect questions/answers authentication attempts drop-down list, select how many failed authentication attempts (attempts that do not reach the minimum number of correct answers) are allowed before the method is locked. The value cannot exceed 20.

    When a user reaches the maximum number of incorrect answers, access to the ActivID CMS User Portal is blocked, and an ActivID CMS operator must reset the user’s answers to security questions.

  5. In the User Portal Security section of the page, to configure self-enrollment of a device, under Authentication method when smart card is blank and bound, select the method for each case:

    • Initial issuance: select Initial Password, LDAP Password or Security Questions.

    • Replacement: select Initial Password, LDAP Password or Security Questions.

  6. To configure unlocking of a device online, under Authentication method when smart card PIN is locked, select the method for each case:

    • Self online unlock: select LDAP Password or Security Questions.

    • Assisted online unlock (with the help of a Help Desk operator): select Emergency Password, LDAP Password or Security Questions.

    Important: The Emergency Password method is available only for Assisted online unlock. If you select it, an ActivID CMS operator must generate an emergency password and communicate it to the user each time an unlock is required.

  7. To configure declaration of a device incident when the device is locked or not available, for the Authentication method when smart card is physically locked and Authentication method when smart card is not available options, select either LDAP Password or Security Questions.

  8. From the Maximum number of consecutive incorrect Initial Password attempts drop-down list, select the maximum number (up to 20) of password retry attempts.

    When a user reaches the maximum number of incorrect password attempts, access to the ActivID CMS User Portal is blocked, and an ActivID CMS operator must generate a new initial or emergency password.

  9. In the Remote Issuance Security section of the page, for the Authentication method for remote issuance option, select either Initial Password or LDAP Password.

    Note: Remote issuance is only available for mobile smart cards, and support for mobile smart cards has been deprecated starting with ActivID CMS 5.4.

  10. From the Maximum number of consecutive incorrect Initial Password attempts drop-down list, select the maximum number (up to 20) of password retry attempts.

    When a user reaches the maximum number of incorrect password attempts, access to the mobile smart card is blocked, and an ActivID CMS operator must generate a new initial password.

  11. From the Maximum number of uses of the Initial Password drop-down list, select the maximum number of times (up to 20) the initial password can be used.

  12. In the Help Desk Security section, for the Method used to verify identity of user option, select either None or Security Questions.

  13. Click Set.
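The security questions settings from the procedure above, as an added example in Go (not from the original documentation and not ActivID CMS code): a policy object carrying the configured values, a validation of how they constrain each other, enrollment of a user's answers at first connection, random selection of the questions to ask, scoring against the minimum number of correct answers with a failure counter that locks the method at the configured maximum, and the operator reset that forces re-initialization. The field names, the salted SHA-256 storage of answers and the one-salt-per-account layout are this example's assumptions; nothing here describes how ActivID CMS stores answers. The initial and emergency password limits (maximum consecutive incorrect attempts, maximum uses) follow the same counter pattern and are not repeated. The block is a package driven by its caller: Enroll, then Challenge and Authenticate per login.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Policy holds the Security Questions settings from the page (the field names are this example's own).
type Policy struct {
	Defined      []string // Defined Security Questions
	PerUser      int      // Number of questions set for each user (answered at enrollment)
	Asked        int      // Number of questions asked at user authentication
	MinCorrect   int      // Minimum number of correct answers required for user authentication
	MaxIncorrect int      // Maximum number of incorrect authentication attempts (at most 20)
}

// Validate rejects settings that cannot work together. Requiring Asked <= PerUser is stricter than the
// page, which bounds both by the defined questions, but only questions answered at enrollment can be asked.
func (p Policy) Validate() error {
	if p.PerUser < 1 || p.PerUser > len(p.Defined) || p.Asked < 1 || p.Asked > p.PerUser ||
		p.MinCorrect < 1 || p.MinCorrect > p.Asked || p.MaxIncorrect < 1 || p.MaxIncorrect > 20 {
		return fmt.Errorf("need 1 <= MinCorrect <= Asked <= PerUser <= %d defined questions and 1 <= MaxIncorrect <= 20", len(p.Defined))
	}
	return nil
}

// Account is the per-user state behind the security questions method.
type Account struct {
	salt               []byte
	answers            map[int][]byte // question index -> SHA-256(salt || normalized answer)
	failures           int            // consecutive failed authentications
	Locked, MustReinit bool           // Locked: operator must reset; MustReinit: user re-answers at next connection
}

// hashAnswer tolerates case and surrounding spaces. Production code should use a slow KDF (Argon2,
// scrypt) and a salt per answer; plain salted SHA-256 keeps this example on the standard library.
func hashAnswer(salt []byte, a string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), strings.ToLower(strings.TrimSpace(a))...))
	return h[:]
}

// Enroll records the PerUser answers the user gives at first connection.
func Enroll(p Policy, answers map[int]string) (*Account, error) {
	if len(answers) != p.PerUser {
		return nil, fmt.Errorf("expected %d answers, got %d", p.PerUser, len(answers))
	}
	acc := &Account{salt: make([]byte, 16), answers: map[int][]byte{}}
	if _, err := rand.Read(acc.salt); err != nil {
		return nil, err
	}
	for i, a := range answers {
		acc.answers[i] = hashAnswer(acc.salt, a)
	}
	return acc, nil
}

// Challenge picks Asked distinct questions from the user's enrolled set (partial Fisher-Yates with crypto/rand).
func (a *Account) Challenge(p Policy) []int {
	pool := make([]int, 0, len(a.answers))
	for i := range a.answers {
		pool = append(pool, i)
	}
	for i := 0; i < p.Asked; i++ {
		j, _ := rand.Int(rand.Reader, big.NewInt(int64(len(pool)-i)))
		k := i + int(j.Int64())
		pool[i], pool[k] = pool[k], pool[i]
	}
	return pool[:p.Asked]
}

// Authenticate scores every answer (no early exit, so timing does not reveal which one failed) and
// applies the lockout: each failed attempt counts towards MaxIncorrect, and reaching it locks the method.
func (a *Account) Authenticate(p Policy, asked []int, given []string) (bool, error) {
	if a.Locked || a.MustReinit || len(given) != len(asked) {
		return false, errors.New("security questions locked, awaiting re-initialization, or malformed request")
	}
	correct := 0
	for i, q := range asked {
		if subtle.ConstantTimeCompare(a.answers[q], hashAnswer(a.salt, given[i])) == 1 {
			correct++
		}
	}
	if correct >= p.MinCorrect {
		a.failures = 0
		return true, nil
	}
	if a.failures++; a.failures >= p.MaxIncorrect {
		a.Locked = true
	}
	return false, nil
}

// OperatorReset is the Help Desk action: the answers are discarded and the user must re-initialize them.
func (a *Account) OperatorReset() { *a = Account{MustReinit: true} }
```

A failed attempt is one login in which fewer than MinCorrect answers are right, not one wrong answer, which is how the page's "maximum number of incorrect questions/answers authentication attempts" reads in practice; a successful login resets the counter, so the limit applies to consecutive failures. After OperatorReset the account is unusable until the user enrolls again, matching the page's statement that reset users are prompted to re-initialize their answers at the next connection.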

Updating a Security Question

  1. Select the Configuration tab, and then click Security Settings.

  2. In the Security Questions section of the page:

    • In the Defined Security Questions field, select the question you want to change.

    • In the Question field, make your changes to the question and then click Update. The updated question appears in the Defined Security Questions box.

  3. Click Set.

Deleting a Security Question

  1. Select the Configuration tab, and then click Security Settings.

  2. In the Security Questions section of the page, in the Defined Security Questions field, select the question you want to delete.

  3. Click Delete.

  4. Click Set.