Authentication Policies in the HID Authentication Service

Each authentication policy is characterized by a level of protection on a scale from 1 to 4, where 4 is the highest level of protection.

The following sections provide examples of the main authentication policies by category.

You can manage (create, read, update and delete) authentication policies using the Policy/Authenticator endpoint.

For Client IDs

Password-Based Policies

System Password Policy
  Code: AT_SYSLOG
  Level of protection: 1
  Default validity: 1825 days
  Auto disabled: after 5 wrong attempts
  Inactivity session timeout: 5 minutes
  Session timeout: 1 hour
  Constraints:
    • Minimum length - 8 characters
    • Maximum length - 100 characters
    • Minimum number of different characters - 5
    • Forbidden values:
      • Any previous password
      • Contains the username, or is a user attribute value
      • Black-listed word
      • Sequence of letters or numbers

For End Users and Organization Administrators

Password-Based Policies

Standard Password Policy
  Code: AT_STDPWD
  Level of protection: 1
  Level of Assurance service name: urn:hidaaas:policy:at_stdpwd
  Default validity: 1825 days
  Auto disabled: after 8 wrong attempts
  Inactivity session timeout: 10 minutes
  Session timeout: 1 hour
  Constraints:
    • Minimum length - 8 characters
    • Forbidden values:
      • Any previous password
      • Contains the username, or is a user attribute value
      • Black-listed word
      • Sequence of letters or numbers

Restricted Password Policy
  Code: AT_RESPWD
  Level of protection: 1
  Default validity: 1825 days
  Auto disabled: after 3 wrong attempts
  Inactivity session timeout: 10 minutes
  Session timeout: 24 hours
  Constraints:
    • Minimum length - 8 characters
    • Only alphanumeric characters
    • One numeric character minimum
    • One lowercase character minimum
    • One uppercase character minimum
    • Forbidden values:
      • Any previous password
      • Contains the username, or is a user attribute value
      • Black-listed word
      • Sequence of letters or numbers
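As an added example (not code from the HID Authentication Service), the following Python check enforces the Restricted Password Policy (AT_RESPWD) constraints listed above on a candidate password and reports every constraint it violates. The run length of 3 that counts as a "sequence", the substring match for user attributes, and the SHA-256 comparison against previously used passwords are assumptions made for the illustration.

```python
import hashlib
import re

MIN_LENGTH = 8    # AT_RESPWD: minimum length - 8 characters
SEQUENCE_RUN = 3  # run length treated as a "sequence" (assumed; the page gives no number)


def sha256_hex(value: str) -> str:
    """Digest used to compare against stored previous passwords. Illustration only:
    a real store keeps salted, slow hashes (e.g. bcrypt), not plain SHA-256."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def has_sequence(password: str, run: int = SEQUENCE_RUN) -> bool:
    """True if the password contains `run` consecutive ascending or descending letters or digits."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue  # mixed letters/digits do not form a sequence
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_restricted_password(password, username, previous_hashes=(), user_attributes=(), blacklist=()):
    """Return the AT_RESPWD constraints the candidate violates (empty list means accepted)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not re.fullmatch(r"[A-Za-z0-9]+", password):  # only alphanumeric characters
        problems.append("contains non-alphanumeric characters")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase character")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase character")
    if sha256_hex(password) in previous_hashes:  # forbidden: any previous password
        problems.append("reuses a previous password")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if any(a and a.lower() in lowered for a in user_attributes):  # substring match (assumed)
        problems.append("contains a user attribute")
    if any(w.lower() in lowered for w in blacklist):
        problems.append("contains a black-listed word")
    if has_sequence(password):
        problems.append("contains a sequence of letters or numbers")
    return problems
```

The account lockout ("after 3 wrong attempts") is a separate server-side counter and is not part of this per-password check.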

Others

JWT Bearer auth
  Code: AT_JWT
  Level of protection: 2
  Default validity: 365 days
  Auto disabled: after 100 wrong attempts
  Inactivity session timeout: 1 hour
  Session timeout: 24 hours
  Constraints: no challenge constraints

Out of Band SMS OTP authentication
  Code: AT_OOBSMS
  Level of protection: 1-3*
  Default validity: 1825 days
  Auto disabled: after 8 wrong attempts
  Inactivity session timeout: 1 hour
  Session timeout: 24 hours
  Constraints: no challenge constraints

Out of Band email OTP authentication
  Code: AT_OOBEML
  Level of protection: 1-3*
  Default validity: 1825 days
  Auto disabled: after 8 wrong attempts
  Inactivity session timeout: 1 hour
  Session timeout: 24 hours
  Constraints: no challenge constraints

One-time password login for user authentication
  Code: AT_OTP
  Level of protection: 1-4*
  Default validity: 1825 days
  Auto disabled: after 8 wrong attempts
  Inactivity session timeout: 1 hour
  Session timeout: 24 hours
  Constraints: no challenge constraints

SMS Transaction OOB
  Code: AT_TXOOB
  Level of protection: 1-3*
  Default validity: 180 days
  Auto disabled: after 100 wrong attempts
  Inactivity session timeout: 6 minutes
  Session timeout: 6 minutes
  Constraints: challenge timeout - 180 seconds

Mobile Registration authentication
  Code: AT_TDSOOB
  Level of protection: 1
  Default validity: 1825 days
  Auto disabled: after 8 wrong attempts
  Inactivity session timeout: 1 hour
  Session timeout: 24 hours
  Constraints: no challenge constraints

Authentication for Mobile push-based Action Validation
  Code: AT_TDS
  Level of protection: 2-4*
  Default validity: 1825 days
  Auto disabled: after 8 wrong attempts
  Inactivity session timeout: 1 hour
  Session timeout: 24 hours
  Constraints: challenge timeout - 3600 seconds

Authentication for Mobile push-based Logon Validation
  Code: AT_PASA
  Level of protection: 2-4*
  Default validity: 1825 days
  Auto disabled: after 8 wrong attempts
  Inactivity session timeout: 1 hour
  Session timeout: 24 hours
  Constraints: challenge timeout - 3600 seconds

* Policies marked with an asterisk are best used as a second authentication factor.