ActivID Token Configuration Utility

The ActivID Token Configuration Utility (ATCU) tool is designed to guide you through the steps to define how you want your authentication devices to function.

It is provided in the Tools directory of the Device Initialization Tool’s installation directory (by default, C:\Program Files\HID Global\InitTool).

Note: You can launch the ActivID Token Configuration Utility by selecting ATCU in the Tools menu.

You can use this tool to generate device initialization profiles (.spl) that can be used by the Device Initialization Tool.

Important: The device initialization profiles generated by the ActivID Token Configuration Utility must be stored in the Device Initialization Tool’s Spl\ATCU directory and signed by the initialization tool. During the device initialization process, you select this directory to access the generated profiles. For further information, see Device Initialization Profiles and Policies.

The tables below list the policies included in all device profiles (as organized in the ActivID Token Configuration Utility).

Device Initialization Profile Policies:

PIN Policy

Policy	Parameter	Parameter Values	Description
PIN Policy	PIN Protection	No PIN The Personal Identification Number (PIN) code used to access a device’s services. Devices can only be used after a correct PIN is entered. Fixed Delay (0 to 127 seconds) Incremental Delay	The minimum time (in seconds) between two bad PIN entries to prevent brute force attacks.
PIN	Initial PIN (Fixed/random)	1254	Initial PIN Code value.
	Number of Wrong PIN Entries Allowed	1 to 15 Default is 6.	Maximum number of wrong PIN entries allowed before the device locks.
	PIN length (min/max)	0 to 8 Default is 4.	Minimum/Maximum PIN length allowed when PIN is updated.
	Weak PIN Control	Not selected (0) – no control Selected (1) – control activated (default)	Prevent the user from setting weak PIN codes (1234 2468 ...).
	Change PIN at first Use	Not selected (0) – no user prompt Selected (1) – user prompted (default)	Force the user to change the initial PIN at device startup.
	Change PIN after unlock	Not selected (0) – no user prompt Selected (1) – user prompted (default)	Force the user to change the PIN after unlocking their device.
	Use PIN in Blind Mode	Not selected (0) – PIN entered in clear mode Selected (1) – PIN entered in blind mode (default)	Use PIN in blind mode.
Lock Policy	Number of Unlock Attempts Allowed	1 to 15	Maximum unlock attempts allowed before the device resets.
	Lock after wrong PIN	Not selected (0) – Device is not locked. Selected (1) – Device is locked (default)	Allow the device to lock after unsuccessful PIN entries.
	Reset when locked	Not selected (0) – Device is not reset. Selected (1) – Device is reset (default)	Allow the device to erase its contents after the number of allowed wrong unlock attempts is reached.

Security Services

Policy	Parameter	Parameter Values	Description
User Authentication User authentication is the operation by which a device user authenticates to a server built with the Authentication SDK. To authenticate, the user: ->Authenticates to the server (or application) by providing a One-Time Password (OTP) generated by his/her device. ->The server validates that this OTP is coming from the device assigned to the alleged user, which proves the identity of the connected user. (AI)	User Authentication type	Async – Asynchronous Authentication The process in which a device generates a One-Time Password based on two (2) variables: a challenge (sent by the server to the end-user and input into the device), and a secret key (Triple DES) – the One-Time Password is considered a response to the challenge. Sync – Synchronous Authentication Process in which a device generates a One-Time Password based on three (3) variables: a time clock, an event counter (incremented for each authentication), and a secret key (Triple DES, which is derived for each authentication). In synchronous authentication, the One-Time Password is valid only once; it is accepted by the server only during a specific time window; it can never be replayed. Dual – Dual Mode Profile mode that allows choosing to use either the Synchronous or Challenge/Response user authentication mode for One-Time Password (OTP) generation based on your organization’s security policy. Only available with the Mode V2 menu. (both Asynchronous/Synchronous)	Defines the Authentication service.
	Granularity Window (in seconds)	1 to 32 Default is 8 seconds.	Synchronous mode only.
	Challenge length (min/max)	4 to 8	Asynchronous mode only.
	Response Length	6 to 8 Default is 8.	Response One-Time Password generated in response to a challenge. See asynchronous authentication. code length.
	Counter Increment	ENABLE DISABLE	Enable diversification of the authentication key.
Signature (AI)	Signature Certification type	Asynchronous Certification (default) Synchronous Certification	Signature service type.
	Granularity Window (in seconds)	1 to 32 Default is 8 seconds.	Synchronous mode only.
	Response length	6 to 8 Default is 8.	Response code length.
	Message	Label	Label of the data field.
	Length min	0 to 10	Value minimum length.
	Length max	1 to 10	Value maximum length.
	Maximum number of fields	1 to 5	Number of fields to define.
User Authentication (OATH)	User Authentication type	HOTP – HOTP Event Authentication (default) TOTP – HOTP Time Authentication OCRA – Challenge/Response The process in which a device generates a One-Time Password based on two (2) variables: a challenge (sent by the server to the end-user and input into the device), and a secret key (Triple DES) – the One-Time Password is considered a response to the challenge. OCRA Authentication OCRA_Event – Challenge/Response OCRA Event Authentication OCRA_Time – Challenge/Response OCRA Time Authentication	Authentication service type.
	Key Length (in bytes)	20, 32, or 40 Default is 20.	Only 20 bytes is supported by ActivID Appliance/Authentication Server.
	Validity Windows (in seconds)	1 to 255 Default is 30.	Time Stamping (only for Time Authentication).
	Truncation Offset	0 to 15 16 – dynamic truncation (default)	Truncation Offset of the MAC.
	Response length	6 to 8 Default is 6.	Response code length.
	Qformat	Alpha Num	Only for OCRA.
	Add Checksum	Boolean	Not supported by ActivID Appliance/Authentication Server.
	Startup No Delay	Not selected (0) Selected (1)	Only supported for Mini Token.
	Counter Display	Not selected (0) – Counter is not displayed (default) Selected (1) – Counter is displayed	Only for Event-based authentication.
	Challenge Length Max	8	Challenge Random number generated by the ActivKernel API for authentication of a user in the asynchronous (challenge/response) mode. maximum length, use only for OCRA.
Signature (OATH)	Signature Type	OCRA Signature (QA32) OCRA Time Signature (QA32) OCRA Event Signature (QA32)	Define Signature service.
	Key Length	20, 32 or 40 Default is 20.
	Validity Windows (in seconds)	1 to 255 Default is 30.	Time Stamping (only for Time Authentication).
	Truncation Offset	0 to 15 16 – dynamic truncation (default)	Truncation Offset of the MAC.
	Response length	6 to 8 Default is 6.	Response code length.
	Add Checksum	Boolean	Add Checksum.
	Startup No Delay	Not selected (0) Selected (1)	Startup No Delay.
	Counter Display	Not selected (0) – Counter is not displayed (default) Selected (1) – Counter is displayed	Counter Display.
	Message	Label	Label of the data field.
	Length min	0 to 10 Default is 1.	Value minimum length.
	Length max	1 to 10 Default is 8.	Value maximum length.
	Maximum number of fields	1 to 5	Number of fields to define.

Token Behavior

Policy	Parameter	Parameter Values	Description
Menu Mode	Menu	Standard Mode (V2) – Historical mode for Token One Application Mode (v3) – Use key 1 , 2 , 3 to access authentication or signature service
Application Mode	Application	Application 1	Authentication or signature service defined in Security Services associated with key 1.
		Application 2	Authentication or signature service defined in Security Services associated with key 2.
		Application 3	Authentication or signature service defined in Security Services associated with key 3.
Misc Parameters	Power Timeout	0 to 127 Default is 30.	Power Timeout in seconds.
	Lock Menu	Not selected (0) – menu is not locked (default) Selected (1) – Menu is locked	Menu is locked.
	Switch Off on Enter	Not selected (0) – device is not switched off on Enter Selected (1) – Device is switched off on Enter (default)	Switch off device on Enter.
Token Messages		All messages are limited to 10 characters.
	View Clock	VIEW CLOCK
	Change Battery	CHANGE BAT
	New PIN	NEW PIN
	Confirm PIN	CONFIRM
	Enter PIN	ENTER PIN
	Last PIN Try	LAST TRY
	Change PIN	CHANGE PIN
	View Authentication Counter	VIEW COUNT
	Locked	LOCKED
	Ok	COMPLETE
	Not Ok	ERROR
	Enter Key	INIT
	View Serial Number	VIEW SN
	Manual Init	INIT KEYS
	Wait	WAIT
	Host Auth	HOST AUTH
	Certification	CERTIFICAT
	Sec Mod AS	SEC MOD AS
	Challenge	CHALLENGE
	Select App	SELECT APP

Accessibility

Policy	Parameter	Parameter Values	Description
Speech	Speech Behavior	One Two	Set Speech Behavior (only for Desktop Token).
Font	Custom Font Name	Font name	Set a specific font (for all tokens except Mini Token and Flexi Token).

Device

Policy	Parameter	Parameter Values	Description
Select Device	Device List	Token One Pocket Token Keychain Token Desktop Token Flexi Token Mini Token	The list of available devices as determined by the previously selected parameters in PIN POLICY, SECURITY SERVICES and TOKEN BEHAVIOR.

The ATCU tool is compatible with the following browsers:

Mozilla^® Firefox^®
Google^® Chrome^®
Microsoft^® Edge^® Chromium version