Authentication Policies in the HID Authentication Service
Each authentication policy has a level of protection on a scale from 1 to 4, where 4 is the highest level.
The following sections provide examples of the main authentication policies by category.
You can manage (create, read, update and delete) authentication policies using the Policy/Authenticator endpoint.
For Client IDs
Password-Based Policies
| Policy | Code | Level of Protection | Default validity | Auto disabled | Inactivity session time out | Session time out | Constraints |
|---|---|---|---|---|---|---|---|
| System Password Policy | AT_SYSLOG | 1 | 1825 days | After 5 wrong attempts | 5 minutes | 1 hour | |
For End Users and Organization Administrators
Password-Based Policies
| Policy | Code | Level of Protection | Default validity | Auto disabled | Inactivity session time out | Session time out | Constraints |
|---|---|---|---|---|---|---|---|
| Standard Password Policy | AT_STDPWD | 1 (Level Of Assurance service name - urn:hidaaas:policy:at_stdpwd) | 1825 days | After 8 wrong attempts | 10 minutes | 1 hour | |
| Restricted Password Policy | AT_RESPWD | 1 | 1825 days | After 3 wrong attempts | 10 minutes | 24 hours | |
Others
| Policy | Code | Level of Protection | Default validity | Auto disabled after | Inactivity session time out | Session time out | Constraints |
|---|---|---|---|---|---|---|---|
| JWT Bearer auth | AT_JWT | 2 | 365 days | 100 wrong attempts | 1 hour | 24 hours | No challenge constraints |
| Out of Band SMS OTP authentication | AT_OOBSMS | 1-3* | 1825 days | 8 wrong attempts | 1 hour | 24 hours | No challenge constraints |
| Out of Band email OTP authentication | AT_OOBEML | 1-3* | 1825 days | 8 wrong attempts | 1 hour | 24 hours | No challenge constraints |
| One-time password login for user authentication | AT_OTP | 1-4* | 1825 days | 8 wrong attempts | 1 hour | 24 hours | No challenge constraints |
| SMS Transaction OOB | AT_TXOOB | 1-3* | 180 days | 100 wrong attempts | 6 minutes | 6 minutes | Challenge timeout - 180 seconds |
| Mobile Registration authentication | AT_TDSOOB | 1 | 1825 days | 8 wrong attempts | 1 hour | 24 hours | No challenge constraints |
| Authentication for Mobile push-based Action Validation | AT_TDS | 2-4* | 1825 days | 8 wrong attempts | 1 hour | 24 hours | Challenge timeout - 3600 seconds |
| Authentication for Mobile push-based Logon Validation | AT_PASA | 2-4* | 1825 days | 8 wrong attempts | 1 hour | 24 hours | Challenge timeout - 3600 seconds |
* The policies are best used for second factor authentication.