Configuring Credential Protection Policy
Credential protection defines how the user is verified by local authentication on their device before a credential can be used. This additional security feature helps protect the HID Approve service registered on your mobile device, according to the protection type you set.
You can configure the HID Approve key protection policy using the Application Protection and Device Protection settings. These settings are the starting point for defining your own credential protection policy against attacks and password compromise.
To configure the credential protection policy, follow the steps below:
- Click Settings in the left navigation bar to open the Settings page.
- Click HID Approve Authentication Configuration on the Settings page to see the list of HID Approve applications.
- From the list of HID Approve applications, choose the Default App or SDK App for which you want to configure the credential protection policy. Expand the App and click the arrow (>) on the "Credential Profiles" tile to open the View Credential Profiles page.
- Click EDIT and select a protection type to edit and configure the credential protection policy based on your requirements.
The protection types and their parameters are defined below:
Application Protection
Usage of the credentials is protected by a password or PIN.
The parameters listed for Application Enforced, with their sub-parameters, are described below:
Password Lifecycle Constraints
- Minimum age: This security setting determines the period of time (in days) that a password must be used before the user can change it. It must be less than the maximum password age. 0 allows changes immediately.
- Maximum age: Determines how long users can keep a password before they must change it. 0 means the password never expires.
- Password history: Determines the number of unique new passwords that must be associated with the key before an old password can be reused. 0 authorizes users to reuse the current password when the password is changed.

Lock Policy
- Method:
  - Delay – A throttling mechanism in which the user must wait for a short time before making another attempt, to prevent a potential attacker from guessing the password. Each time an incorrect password is provided, the waiting time for the next attempt is multiplied by the Delay parameter value, until the number of attempts reaches the counter parameter value.
  - Lock – The password locks when the number of attempts reaches the counter parameter value.
  - No Lock – The password never locks.
  - Silent – Password validation is delegated to server-side controls, which eventually block access after many consecutive failures by incrementing the failed authentication counter.
- Maximum wrong attempts: Maximum number of wrong attempts for the password.
- Delay interval (seconds): After a failed attempt, this setting forces the user to wait for a short period of time before attempting to authenticate again. This setting is ONLY applicable when the Delay method is chosen.
  For example, if the Delay interval is set to 2 and Maximum wrong attempts is set to 6, and a user tries to authenticate with consecutive wrong passwords, the number of seconds the user has to wait between attempts is calculated as in the table below:
  Attempt(s)   Seconds delayed
  1            2 x 2^0 = 2
  2            2 x 2^1 = 4
  3            2 x 2^2 = 8
  4            2 x 2^3 = 16
  5            2 x 2^4 = 32
  6 or more    2 x 2^5 = 64

  When the user finally enters a valid password, the exponential delay is still enforced before the user can view the OTP or Push Notification. At the next attempt with a valid password, the delay is reset to the initial one.
Password Length
- Minimum: Minimum number of characters for the password.
- Maximum: Maximum number of characters for the password.

Special Characters
- Minimum: Minimum number of special characters for the password.
- Maximum: Maximum number of special characters for the password.

Uppercase Characters
- Minimum: Minimum number of uppercase characters for the password.
- Maximum: Maximum number of uppercase characters for the password.

Lowercase Characters
- Minimum: Minimum number of lowercase characters for the password.
- Maximum: Maximum number of lowercase characters for the password.

Numeric Characters
- Minimum: Minimum number of numeric characters for the password.
- Maximum: Maximum number of numeric characters for the password.

Alpha Characters
- Minimum: Minimum number of alphabetic characters for the password.
- Maximum: Maximum number of alphabetic characters for the password.

Enable biometric authentication
- Allows end users to use their device's biometric features as a substitute for entering a PIN or password. Although managing a PIN or password is still necessary, this setting facilitates the use of biometric authentication for added convenience.

Prevent sequential PIN/Password
- Enable or disable the toggle button to set the security policy. When enabled, sequential characters (for example, 1234 or abcd) are not allowed in the PIN or password.
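The following Python is an added, illustrative example (not HID's code and not part of this page) that implements the Delay lock-policy schedule together with the password lifecycle and composition constraints described above, so the parameter semantics can be checked against concrete values. The class names (DelayLockPolicy, PasswordPolicy), the field names, the default minimums, the 3-character threshold used to call a run "sequential", and the rule that the wait doubles for any Delay interval are assumptions; the page only shows interval 2, where doubling and multiplying by the interval coincide, so the example generalizes beyond the page's single worked case.

```python
"""Illustrative checker for the Application Protection policy (not HID's code)."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class DelayLockPolicy:
    """Lock Policy with Method = Delay.  Defaults are the page's worked values."""
    delay_interval: int = 2       # seconds
    max_wrong_attempts: int = 6
    failed_attempts: int = 0      # consecutive wrong passwords so far

    def seconds_delayed(self, attempt: int) -> int:
        """Wait enforced after the n-th consecutive wrong attempt (1-based):
        interval x 2^(n-1), with n capped at max_wrong_attempts ("6 or more").
        Assumption: the factor is 2 for any interval; the page shows only 2."""
        n = min(max(attempt, 1), self.max_wrong_attempts)
        return self.delay_interval * 2 ** (n - 1)

    def schedule(self) -> List[int]:
        """The whole table of waits, attempts 1 .. max_wrong_attempts."""
        return [self.seconds_delayed(n) for n in range(1, self.max_wrong_attempts + 1)]

    def record_failure(self) -> int:
        """Wrong password: bump the counter, return the wait now imposed."""
        self.failed_attempts += 1
        return self.seconds_delayed(self.failed_attempts)

    def record_success(self) -> int:
        """Valid password: the current wait is enforced once more before the
        OTP/push is shown, then the delay resets to the initial one."""
        wait = self.seconds_delayed(self.failed_attempts) if self.failed_attempts else 0
        self.failed_attempts = 0
        return wait


def password_digest(password: str) -> str:
    """History keeps digests, never clear text (plain SHA-256 for brevity;
    a salted password hash is the right choice in a real store)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def has_sequential_run(text: str, run: int = 3) -> bool:
    """True if `run` adjacent characters step by +1 or -1 in code point
    (1234, abcd, dcba).  Run length 3 is an assumption; the page only gives
    the examples 1234 and abcd."""
    for step in (1, -1):
        count = 1
        for prev, cur in zip(text, text[1:]):
            count = count + 1 if ord(cur) - ord(prev) == step else 1
            if count >= run:
                return True
    return False


@dataclass
class PasswordPolicy:
    """Composition and lifecycle constraints.  A maximum of None = no bound."""
    min_length: int = 8
    max_length: Optional[int] = 64
    min_special: int = 1
    max_special: Optional[int] = None
    min_upper: int = 1
    max_upper: Optional[int] = None
    min_lower: int = 1
    max_lower: Optional[int] = None
    min_numeric: int = 1
    max_numeric: Optional[int] = None
    min_alpha: int = 1
    max_alpha: Optional[int] = None
    password_history: int = 3     # 0 = the current password may be reused
    prevent_sequential: bool = True

    def violations(self, password: str, history: Sequence[str] = ()) -> List[str]:
        """Every rule the candidate breaks (empty list = accepted).  `history`
        holds digests of earlier passwords, most recent first."""
        checks = [
            ("length", len(password), self.min_length, self.max_length),
            ("special characters", sum(not c.isalnum() for c in password),
             self.min_special, self.max_special),
            ("uppercase characters", sum(c.isupper() for c in password),
             self.min_upper, self.max_upper),
            ("lowercase characters", sum(c.islower() for c in password),
             self.min_lower, self.max_lower),
            ("numeric characters", sum(c.isdigit() for c in password),
             self.min_numeric, self.max_numeric),
            ("alpha characters", sum(c.isalpha() for c in password),
             self.min_alpha, self.max_alpha),
        ]
        problems = []
        for name, n, lo, hi in checks:
            if n < lo:
                problems.append(f"{name}: {n} is below the minimum of {lo}")
            if hi is not None and n > hi:
                problems.append(f"{name}: {n} exceeds the maximum of {hi}")
        if self.prevent_sequential and has_sequential_run(password):
            problems.append("sequential characters are not allowed")
        if self.password_history and password_digest(password) in list(history)[: self.password_history]:
            problems.append(f"matches one of the last {self.password_history} passwords")
        return problems
```

With the defaults, DelayLockPolicy().schedule() reproduces the page's table (2, 4, 8, 16, 32, 64), and record_success() returns the wait that is still enforced once after a valid password before the OTP is shown, after which the counter resets. PasswordPolicy.violations() reports every broken constraint at once, which is what an administrator wants when tuning the minimums and maximums above; a password_history of 0 lets the current password be reused, matching the 0 semantics in the Password Lifecycle Constraints.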
- Click SAVE to save the changes.