Fields used in the Authentication Journey
The below mentioned fields are used to create an authentication journey.
| Field | Description |
|---|---|
| Authentication policy |
An authentication policy is a template containing predefined parameters enforced during authentication, such as password lengths or constraints, OTP synchronization protocols, and push notification signature details etc. Choose an existing authentication policy from the drop-down list. For example: User Static Password, Standard One Time Password, HID Approve Push Authentication, and FIDO Token etc. |
| Number of attempts |
Maximum number of times the user can attempt to authenticate before the login session is restarted. For example: 1, 2, 3, and 4 etc. |
| Expiration warning threshold (optional) |
The validity period of the authenticator. Enter the threshold value (in seconds) to display a warning message for authenticator expiration. For example: 36000 seconds |
| ACR value (optional) |
The ACR value defines the level of assurance provided by the authentication process to the user's claim to the 'identity' they use to authenticate. It specifies the conditions required by a provider or relying party that define how a user authenticates to mitigate specific authentication risks. For example, if you define the same authentication method as both a first and second authentication factor, you can set a higher level of assurance (i.e, the value can be 1, 2, and 3 etc) when it is used as a second authentication factor. |
| Trigger on (optional) |
Choose the first factor required to authenticate from the Trigger on drop-down list so that the second factor occurs. The Trigger on drop-down displays the list of authentication factors that were configured from the first step. It supports for both single selection and multi-selection of authentication factors. For example: In the first step, you have configured "Static Password" and "Push Authentication". In the second step, consider you want "One-Time Password" as the authentication method. You can use Trigger on drop-down to apply a criteria for One-Time Password authentication, where in One-Time Password can be accessed only through Static Password or/and Push Authentication.
|
| User verification |
Define if the user is required to verify their physical presence (such as providing the PIN, biometric credential or touching the FIDO authenticator). Possible values are:
|
|
Service provider hostname (optional) |
The hostname of your application that is integrated with HID. For example: myapp.example.com |
| Device binding (optional) |
The user can assign their physical device to the authenticator. Defines if the user must have a "pending" device of the specified device type to be able to enroll their device. Possible values are:
If you set this to "Required", you must create and assign a FIDO authenticator for the user before they can enroll their device. If absent or undefined, the value is considered to be "Not Required". |
| Resident key (optional) |
Defines if a cryptographic key, which is stored on the security key, can be used for passwordless login. Possible values are:
If the request is denied by the FIDO authenticator, enrollment will fail. |
|
Attestation verification (optional) |
Defines if the user's FIDO authenticator is required to provide an attestation statement for verification at enrollment. Possible values are:
|
| Enrollment validation (optional) |
Defines if the enrollment should be validated by a successful authentication using the newly enrolled authenticator. |
| Enable enrollment protection (optional) |
Defines the protection factor applied for the enrollment action. |
