Configuring One Time Password (OTP) Device Types

This section describes how to configure your OTP device type using the HID Authentication Service-Administration portal.

An OTP device type is a template containing predefined parameters that are enforced during authentication. This setting allows you to configure an OTP device type using the default OTP device types.

The OTP device type configuration includes Import, Soft PIN, and Advanced settings.

Creating an OTP Device Type

Prerequisites: To add a new OTP device type, you must be assigned the Configure Settings role.
Note: It is recommended that you create a new OTP device type by cloning a default OTP device type. The process for cloning is to copy from a default OTP device type.

To clone a default OTP device type, follow these steps:

  1. Sign in to the Administration Portal.

  2. Click Settings in the left navigation bar to open the Settings page.

  3. Click Device Types on the Settings page to see the list of device types.

  4. Click ADD DEVICE TYPE.

    The Add Device Type pop-up window appears.

  5. Select a default OTP device type from the drop-down menu and click PROCEED.

    See the Default OTP Device Types table for more information.

  6. The Add Device Type: OTP Device page opens.

    Enter the main information for your device type:

    • Device type name – should be unique for ease of administration.

    • Device type description – a description for your OTP device type. Content is free-format.

  7. Then proceed to Import settings.

Define Import Settings

This section describes the Import parameters.

Parameters Description
Manufacturer (Optional)

The device type manufacturer. Content is free-format.

Default credential type

When importing a device through the device import framework, this attribute sets the default credential type to create for the device, if none is specified in the import process.

Now proceed to Soft PIN settings.

Define Soft PIN settings

This section describes the Soft PIN parameters.

Parameters Description
Use soft PIN

Defines if a device can use a server soft PIN (a PIN that is managed and verified by HID Authentication Service, not by the device itself).

Click on the toggle button to change:

  • On – devices of this type can use a soft PIN.

  • Off – devices of this type cannot use a soft PIN.

Soft PIN Minimum length

Defines the minimum length, in characters, of the server soft PIN. Set the value according to the soft PIN policy of the device.

Soft PIN Maximum length

Defines the maximum length, in characters, of the server soft PIN. Set the value according to the soft PIN policy of the device.

Soft PIN position

Defines how the user should enter the server soft PIN during authentication.

Options are:

  • Before (the user enters the soft PIN before entering the OTP generated by the Token).

  • After (the user enters the soft PIN after entering the OTP generated by the Token).

  • Before or After (the user can enter the soft PIN either before or after entering the OTP generated by the Token).

Now proceed to Advanced settings.

Define Advanced Settings

This section describes the Advanced parameters.

Parameters Description
Supported Authentication Methods

Determines the options displayed in the Device Type: OTP Device page. Select from the drop-down menu:

  • Synchronous (One-Time Password) – devices of this type support synchronous authentication.

  • Asynchronous (Challenge Response) – devices of this type support asynchronous authentication.

  • Both – devices of this type support synchronous and asynchronous authentication.

Synchronous Authentication Code Length

Maximum valid length of a synchronous OTP. This parameter is used to validate the submitted OTP.

Asynchronous Authentication Code Length

Maximum valid length of an asynchronous OTP, generated in response to a challenge. This parameter is used to validate the submitted OTP.

Challenge Length

Applies to devices that support asynchronous authentication.

Defines the length of the challenge provided to a user to generate an OTP on the device (in the challenge response mode). This parameter is used to validate the submitted challenge.

Device Unlock

A device might be locked if the user enters the PIN incorrectly a specified number of times. This parameter determines whether the unlock option appears in the User Account page for devices of this type.

Click on the toggle button to change:

  • On – devices of this type can be unlocked by a server-generated response to a device-issued challenge.

  • Off – devices of this type cannot be unlocked.

Note: The specified number of times is set on the device.

Unlock Challenge Length

Length of the challenge provided to a user to unlock the device, when the user has locked it by incorrect entry of their PIN a specified number of times. This parameter is used to validate the submitted unlock challenge.

Synchronization Mode

Determines whether the resync option appears in the View Device page. Select from the drop-down list:

  • Only Automatic – devices of this type can be automatically resynchronized with host systems.

  • Only Manual – devices of this type can be resynchronized manually with host systems.

  • Support All – devices of this type can be resynchronized automatically and/or manually with host systems.

  • No Support – devices of this type cannot be resynchronized automatically and/or manually with host systems.

    Note: For asynchronous authentication methods, only Counter synchronization modes might be available depending on the asynchronous method variant (OCRA Suite).

Base Synchronization Mode

Determines the fields displayed in the View Device page. For devices that support synchronous authentication, this parameter defines the variables that are stored locally on the device and therefore might require resynchronization with the server.

Select from the drop-down list:

  • Counter – Devices of this type can be resynchronized with host systems using one (manually) or a range (automatically) of counter values.

  • Clock – Devices of this type can be resynchronized with host systems using one (manually) or a range (automatically) of clock values.

  • Both – Devices of this type can be resynchronized with host systems using one (manually) or a range (automatically) of counter and clock values.

  • Neither – Devices of this type cannot be resynchronized with host systems using one (manually) or a range (automatically) of counter and clock values.

Note: For asynchronous authentication methods, only the manual synchronization mode might be available depending on the asynchronous method variant (OCRA Suite).

Counter Range

Maximum number of increments that the host system applies to the counter it holds for an individual device of this type when attempting an automatic resynchronization with that device.

The auto resync process will try to increment rather than decrement the counter value.

Time Offset Start (seconds)

Lower limit of the time window for which the host system will test its internal system clock values against the OTP received from a device of this type to try to resynchronize with that device.

Applicable only to device types supporting synchronous authentication and automatic resynchronization.

The default is -3600 seconds. This sets the start of the time period as 3600 seconds before the actual internal system clock time.

Time Offset End (seconds)

Upper limit of the time window for which the host system will test its internal system clock values against the OTP received from a device of this type to try to resynchronize with that device.

Applicable only to device types supporting synchronous authentication and automatic resynchronization.

The default is 3600 seconds. This sets the end of the time period as 3600 seconds after the actual internal system clock time.

Transaction signing

Defines if a device can be used to digitally sign transactions. Click on the toggle button to change:

  • On – devices of this type can be used for transaction signing.

  • Off – devices of this type cannot be used for transaction signing.
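
The Counter Range and Time Offset Start/End parameters above bound how far the server searches during automatic resynchronization. The following added example (not HID Authentication Service code) shows such a bounded search using the public HOTP (RFC 4226) and TOTP (RFC 6238) algorithms; SHA-1, the 30-second time step, and all function names are assumptions, because the page does not state which algorithm a device type uses.

```python
import hashlib
import hmac
import struct


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP for one moving-factor value (a counter or a time step)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def resync_counter(key, submitted, server_counter, counter_range, digits=6):
    """Forward-only search over server_counter .. server_counter + counter_range.

    Returns the counter value to store next, or None when nothing matches.
    """
    for c in range(server_counter, server_counter + counter_range + 1):
        if hmac.compare_digest(hotp(key, c, digits), submitted):
            return c + 1
    return None


def resync_clock(key, submitted, now, offset_start=-3600, offset_end=3600,
                 step=30, digits=6):
    """Test every time step from now + offset_start to now + offset_end.

    Returns the device clock drift in seconds, or None when nothing matches.
    The 30-second step is an assumption; the offsets are the page's defaults.
    """
    first = (now + offset_start) // step
    last = (now + offset_end) // step
    for t in range(first, last + 1):
        if hmac.compare_digest(hotp(key, t, digits), submitted):
            return (t - now // step) * step
    return None


def window_size(offset_start=-3600, offset_end=3600, step=30):
    """Number of OTP values one clock resync attempt will accept."""
    return (offset_end - offset_start) // step + 1


# Constructed sample: RFC 4226 test key, device 3 presses ahead of the server.
KEY = b"12345678901234567890"
assert resync_counter(KEY, hotp(KEY, 5), server_counter=2, counter_range=5) == 6
```

With the default offsets and the assumed 30-second step, a single clock resync attempt accepts any of 241 OTP values, so a narrower window or a smaller Counter Range lowers the chance that a guessed code is accepted.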

Viewing a Device Type

To view a device type, follow these steps:

  1. Sign in to the Administration portal.

  2. Click Settings in the left navigation bar to open the Settings page.

  3. Click Device Types on the Settings page to see the list of OTP device types.

    All existing device types are listed in a paged table. The total number of device types is given in the lower left corner.

  4. From the list of device types, choose the OTP device type you want to view.

  5. The Device Type: OTP Device page opens. You can view your device type code and all other created entries as shown below.

    Fields Description
    Device type code

    The unique code identifying the device type.

    Device type name

    The name of the device type.

    Device type description

    The description for the device type.

  6. You can also view other settings of your OTP device types by clicking the Import, Soft PIN, and Advanced tabs.

  7. Click RETURN to return to the list of device types page.

    Note:

    If required,

Editing a Device Type

Prerequisites: To edit a device type, you must be assigned the Configure Settings role.

When required, you can edit the device type details by following these steps:

  1. Sign in to the Administration portal.

  2. Click Settings in the left navigation bar to open the Settings page.

  3. Click Device Types on the Settings page to see the list of device types.

  4. From the list of device types, choose the OTP device type you want to edit.

  5. The Device Type: OTP Device page opens. Click EDIT.

    Note: For the default OTP device types, there will be no option to edit/delete.
    Note: You cannot edit Device Type Code as it is auto-generated.

  6. Make changes to all the applicable device type parameters, then click SAVE.

    Note: If you want to cancel the operation, click CANCEL.

Deleting a Device Type

Prerequisites: To delete a device type, you must be assigned the Configure Settings role.
Important:
  • You cannot delete the default OTP device types. For default device types, an error message is shown.

  • You cannot delete device types which are assigned to users.

To delete a device type, follow these steps:

  1. Sign in to the Administration portal.

  2. Click Settings in the left navigation bar to open the Settings page.

  3. Click Device Types on the Settings page to see the list of device types.

  4. From the list of device types, choose the OTP device type you want to delete.

  5. The Device Type: OTP Device page opens. Click DELETE.

    Note: For the default OTP device types, there will be no option to edit/delete.

  6. A Delete Device Type confirmation dialog box appears. Click OK to confirm.

    Note: If you want to cancel the operation, click CANCEL.