Configuring OTP Authentication Policies

A One Time Password (OTP) authentication policy is a template containing predefined parameters enforced during authentication to comply with internal security policies.

OTP authentication policies have several setting parameters that includes Policy Constraints and Authentication Validity.

To learn more about OTP authentication policies, see Authentication Policies in the HID Authentication Service.

Creating New OTP Authentication Policy

Prerequisites: To add a new OTP authentication policy, you must be assigned the Configure Settings permission.

To create a new OTP authentication policy, follow the steps below:

  1. Sign in to Administration portal.

  2. Click Settings icon in the left navigation bar to open the Settings page.

  3. Click Authentication Polices on the Settings page, then you can see list of authentication policies.

  4. Click ADD POLICY, then Add Policy pop-up window appears.

  5. From the drop-down menu, choose a standard OTP authentication policy to replicate for the newly created authentication policy, and then click PROCEED.

    See Authentication Policies in the HID Authentication Service for more information.

  6. Authentication Policy Details page opens.

    Edit the main information for your OTP Authentication policy based on your requirement:

    • Policy name – should be unique for ease of administration.

    • Policy description - a description for your OTP authentication policy. Content is free-format

  7. Then proceed to define Policy Constraints and Authentication Validity settings.

Define Policy Constraints Settings

This section describes the Policy Constraints tab parameters, which are related to number of challenges, types of challenges and its validity for this OTP authentication policy.

Parameters Description
Challenge timeout

The validity of the challenge after which the authentication will not be possible.

The timeout period (in seconds) for the OTP request.

After timeout, the transaction will no longer be retrieved by the app, or if it has already been retrieved, the approval/decline operation will fail.

If you do not want expiration of the challenge timeout period, then disable the toggle switch.
Threshold for maximum number of challenges

The maximum number of challenges (OTP requests) that can be issued for validation without submission of a valid response from the enabled device.

Once this threshold is crossed, the count must be reset before a challenge (OTP request) will be issued.

If you do not want threshold, then disable the toggle switch.
Challenge type

Defines how challenge is used during an asynchronous authentication.

Below are the types of challenges:

  • User-defined: Client sends challenge and response, challenge generated by the client.

  • Use last issued: Client sends only response, challenge generated on server.

  • Check against last issued: Client sends challenge and response, challenge generated on server.

Define Authentication Validity Settings

This section describes the Authentication Validity tab parameters, which are related to the validity of the authentication records created for this OTP authentication policy.

Parameters Description
Valid days after creation

The expiration period of an authentication record, as a number of days, starting from the date of creation of the authentication record.

To apply the new expiration period to the new authentication records, edit this field.
Valid days after update

The expiration period of an authentication record when the authenticator is changed, starting from the date the authenticator is changed.
Session invalidity timeout (sec)

Time (in seconds) after which an idle session is automatically terminated. The value should be lower than that set for the global Session Timeout parameter.
Session timeout (sec)

The maximum period (in seconds) that a user authenticated via this authentication policy can sustain their session before being prompted to re-authenticate by logging on again.
Disabled time reset (sec)

This value enables the auto-unblock feature. If an authenticator is blocked for any reason (for example, it reached the maximum authentication count), it’s possible to unblock the authenticator (if you have set this to a value other than -1).

For example, if you configure the value to be 120 seconds (two minutes), then by setting Disabled time reset, it will automatically unblock the authenticator when the user tries to authenticate after two minutes.
Authenticator expiration

If enabled, then you can define the maximum number of times a user can authenticate successfully using an authenticator before it expires.

It corresponds to the maximum number of successful authentications allowed.
Disable authenticator after failed attempts

The maximum number of successive failed attempts by a user to log on using an incorrect authenticator before the authenticator is disabled.

Click SAVE to save the settings. After saving, the newly created OTP authentication policy is added into the authentication policies list.

Viewing OTP Authentication Policy

You can view a OTP authentication policy details by following the below steps:

  1. Sign in to Administration portal.

  2. Click Settings in the left navigation bar to open the Settings page.

  3. Click Authentication Polices on the Settings page, then you can see list of Authentication policies.

  4. From the list of authentication policies, choose and click on the row of a OTP authentication policy you want to view.

    (or) you can also click on "View Authentication Policy" shown in the action menu () of a OTP authentication policy.

  5. Authentication Policy Details page opens and details are as shown below.

    Fields Description
    Policy name

    The name of the OTP authentication policy.

    Policy description The description for the OTP authentication policy.
    Policy ID

    An identifier or code for the OTP authentication policy.

  6. You can also view the parameters of Policy Constraints and Authentication Validity settings.

  7. Click RETURN to return to the list of authentication policies page.

    Note:

    If required,

Editing OTP Authentication Policy

Prerequisites: To edit a OTP authentication policy, you must be assigned the Configure Settings permission.

When required, you can edit a OTP authentication policy by following the below steps:

  1. Sign in to Administration portal.

  2. Click Settings in the left navigation bar to open the Settings page.

  3. Click Authentication Polices on the Settings page, then you can see list of authentication policies.

  4. From the list of authentication policies, choose a OTP authentication policy you want to edit.

    Click on "Edit Authentication Policy" shown in the action menu () or click EDIT on the view page of that policy.

  5. Authentication Policy Details page opens, do the required changes for policy name, policy description and parameters of Policy Constraints and Authentication Validity tabs.

  6. Click SAVE to update the changes.

Deleting OTP Authentication Policy

Prerequisites: To delete a OTP authentication policy, you must be assigned the Configure Settings permission.
Important: You cannot delete policies which are assigned to users or devices.

To delete a OTP authentication policy, follow the below steps:

  1. Sign in to Administration portal.

  2. Click Settings in the left navigation bar to open the Settings page.

  3. Click Authentication Polices on the Settings page, then you can see list of Authentication policies.

  4. From the list of authentication policies, choose a OTP authentication policy you want to delete.

    Click on "Delete Authentication Policy" shown in the action menu () or click DELETE on the view page of that policy.

  5. A Delete Policy confirmation dialog box appears, click OK to confirm the deletion.