Editing Credential Profiles

Prerequisites: To edit an existing credential profile details, you must be assigned the Configure Settings permission in Administrator Account.

When required, you can edit an existing credential profile by following the below steps:

  1. Sign in to Administration portal.

  2. Click Settings in the left navigation bar to open the Settings page.

  3. Click HID Approve Authentication Configuration on the Settings page, then you can see the list of HID Approve applications.

  4. From the list of HID Approve applications, choose the Default App or a SDK App for which you want to edit the credential profile.

    Expand the App and click on the arrow (>) of "Credential Profiles" tile to open the Credential Profiles view page.

  5. In the Credential Profiles view page, click EDIT to edit the credential profiles details.

  6. Edit Credential Profiles page opens and do the required changes for the below shown sections.

  7. After making the required changes, click SAVE to save the changes.

Editing Credential Protection

You can edit and configure the HID Approve credential protection policy with the use of application protection and device protection settings. Refer to Configuring Credential Protection Policy for details.

Configuring Service Renewal

Important: This service renewal configuration is applicable only for the Default App, not for the SDK App.

You can configure service renewal of HID Approve default app credential to facilitate a credential rollover in HID Approve based on a target credential expiry.

Service renewal will help facilitate a credential rollover in HID Approve based on a target credential expiry.

You can enable or disable the credential renewal in the HID Approve app with the use of a service renewal toggle switch.

  • Disable: By default, the key expiry duration for all the credentials is set to 10 years.

  • Enable: You can set the key expiry duration in yearly increments (choose 1 to 5 years from the drop-down).

Configuring Global Credential Validity

Important: This global credential validity configuration is applicable only for the SDK App, not for the Default App.

You can configure the global credential validity of HID Approve SDK App credential to set the timeframe during which a credential remains valid after its activation.

By default, the value configured in the global credential validity period should be applied to all the credentials associated with the respective device type.

Important: Some credentials in this profile have individual validity periods. By changing the global credential validity period will override the validity period of all the existing credentials.

Suspicious Activity and Blocked Authenticator Handling

Important: This user-reported suspicious activity and blocked authenticator handling configuration is applicable only for the SDK App, not for the Default App.

Authenticators may be blocked due to several reasons, such as failed login attempts, unanswered challenges, or suspicious activity (such as push notification fatigue attacks) and reported this suspicious activity through HID Approve SDK integrated applications.

You can manage blocked authentication requests and reset authentication through the HID Approve SDK configuration settings, such as the Block on Suspicious Activity or Audit Only on Suspicious Activity sections.

Authentication is blocked until either the automatic unblock period ends or an administrator manually unblocks it.

You can select either "Auto-Unblock" or "Manual-Unblock" from the unblock method drop-down.

  • Auto-Unblock: The blocked authenticator is automatically unblocked after the defined time period (cool-down period).

    Note: The default cool-down period is 15 minutes. However, you can change the default cool-down period based on the requirement.

  • Manual-Unblock: The blocked authenticator is unblocked after manual intervention. For instructions on how to manually unblock the authenticator, refer to Reporting User Suspicious Activity.

Suspicious activity is reported in audit logs for review, but the authentication is not blocked, and no action against the authenticator is necessary.

Note: If you have selected 'Audit Only on Suspicious Activity' and the authenticator is blocked due to unexpected reasons, it can only be unblocked through the manual unblocking method.

Editing Public Key Credentials

Important: For the Default App, you don’t have the privilege to edit the public key credentials.

Public Key Credentials provide optimal security as these credentials function by storing the user's public key on our service, while ensuring the private key never leaves the user's device.

You can edit the credential profile by clicking edit icon () for the below shown parameters as per your requirement.

Parameters of a public key credential profile:

Parameters Description
Name Name of the credential.
Description Description of the credential.
Type code

Type code of the credential. For example: CT_TDSV4, CT_PASAV4 etc.

You cannot edit the credential type code.
Key usage

Choose the key usage as "Authentication' or 'Signature' or 'Other'.
Custom key usage If you choosed Key usage as "Other", then a text field "Custom key usage" will be appeared to for your custom text . You can edit this custom text.

Key expiry duration (in days)

The duration or timeframe during which a credential remains valid after its activation.

For SDK app: By default, it will take the same value which is given in the global credential validity field. You can set the value as per your requirement.

After making the required changes, click SAVE to reflect the changes.

Editing Shared Key Credentials

Shared key credentials, suitable for offline authentication, generate easy-to-use codes like OTPs without needing server connectivity. Unlike public key credentials, they use a single key shared between user and service.

You can edit a credential profile by clicking edit icon () for the below shown parameters as per your requirement.

Parameters of a shared key credential profile:

Parameters Description
Name Name of the credential.
Description Description of the credential.
Type code Type code of the credential. For example: CT_TDSV4, CT_PASAV4 etc
Key usage + Mode

You cannot edit this Key usage + Mode.
Moving factor Choose "Event" or "Time" as Moving factor.
OTP length Defines the length of OTP value.
Challenge length

Defines the length of the challenge provided to a user to generate an OTP on the device (in the challenge response mode).

Key expiry duration (in days)

The duration or timeframe during which a credential remains valid after its activation.

For SDK app: By default, it will take the same value which is given in the global credential validity field. You can set the value as per your requirement.

After making the required changes, click SAVE to reflect the changes.

Removing Credential

Important: For the Default App, you don’t have the privilege to delete the shared key credentials.

If required, you can remove the public or shared key credential by clicking remove icon ().

"Remove Credential" confirmation dialog box appears, click OK to remove the credential from credential list.

Enabling or Disabling Shared Key Credential

For HID Approve default app, shared key credentials are shown at all times for synchronous OTP, Asynchronous Challenges/Response, and Asynchronous Signature.

You can enable or disable the shared key credentials which are present within the HID Approve App.

  • Enable: Enabling this credential will not affect existing devices until their service renewal. Changes will apply only to newly activated devices.

  • Disable: Disabling this credential will leave it active on existing devices until they undergo a service renewal. However, it will prevent this credential from being included in all future activations of HID Approve.