Protection Policy
The protection policy defines the protection requirements for a provisioned object (Transaction Signing Key, Session Transport Key, or OTP Key).
The ProtectionPolicyType values are:
- Device – the object is protected against cloning (that is, it cannot be used outside the mobile device).
- Password – the object is also protected by an end-user password.
For further details, see:
ActivID AS push solution customization
ActivID Appliance push solution customization
HID Authentication Service push solution customization
PasswordPolicy
This policy defines the constraints on the password protecting the object:
- Minlength – Minimum password length
- Maxlength – Maximum password length
- Additional restrictions for alphanumeric format:
- Min Number of UpperCase letters
- Min Number of LowerCase letters
- Min Number of Alpha characters
- Min Number of Numeric characters
- Min Number of Non-Alphanumeric characters
- Maximum Number of UpperCase letters
- Maximum Number of LowerCase letters
- Maximum Number of Alpha characters
- Maximum Number of Numeric characters
- Maximum Number of Non-Alphanumeric characters
- History restriction parameters:
- maxHistory – number of unique new passwords that have to be associated with the key before an old password can be reused. 0 authorizes users to reuse current password when password is changed. This value is set by the server.
- minAge – period of time (in days) that a password must be used before the user can change it. It must be less than the maximum password age. 0 allow changes immediately. This value is set by the server.
- maxAge – period of time (in days) users can keep a password before they have to change it. 0 means password never expires. This value is set by the server.
Note: Password expiration (maxAge) is ignored when the SilentLockPolicy is configured for use. -
Caching parameters:
-
CacheEnabled - flag indicating if the password cache is enabled
-
CacheTimeout - period of time (in seconds) during which with password is stored in the cache (by default, 30 seconds)
-
When defining the rules of the password policy, make sure that there are no logical conflicts. For example, do not specify that the minimum number of numeric characters is 8, in combination a maximum password length of 6 characters.
When not set, the maximum values are equal to the maximum length defined for the password.
You can define an exclusive numeric (PIN) policy which is more user-friendly in mobile authentication deployments.
As an example, the following parameters can be used to set a numeric-only policy for a 6 to 10-character password length:
- MinLength = 6
- MaxLength = 10
- MinNumeric = 6
- MaxNumeric = 10
- maxUpperCase = 0
- maxLowerCase = 0
- maxAlpha = 0
- maxNonAlpha = 0
In the server configuration, this would be defined with the following key protection policy parameters:
UP=0;LOW=0;NUM=6;ALPHA=0;NALPHA=0;MUP=0;MLOW=0;MNUM=8;MALPHA=0;MNALPHA=0;MINLEN=6;MAXLEN=8
For further details, see:
ActivID AS Key Protection Policy Parameters
The SDK provides password caching support for the transaction signing operation (ITransaction.setStatus). When enabled, the signing password can be cached for the specified cache timeout period or until used.
To implement password caching in an integrating application when using a password policy:
-
Retrieve the protection policy information PasswordPolicy.isCacheEnabled.
If yes:
-
Use the IPasswordPolicy.verifyPassword method to validate the password and store it for the PasswordPolicy.CacheTimeout period (by default, 30 seconds).
-
To sign the transaction, use the ITransaction.setStatus method as usual but the signingPassword parameter can be omitted (it will retrieve the password value from cache).
Lock Policy
The following sections define the LockType type and parameters for the password and lock.
Type
- None – password never locks.
- Lock – password locks after maximum counter value is reached.
- Delay – an exponential delay is inserted between each failed authentication attempt.
- Silent - any password is accepted without providing indication of an incorrect password when offline (delegating control, auditing, and verification of cryptographic operations to the server-side).
Parameters
- initialDelay – initial delay value in seconds (in delayLock type).
- maxCounterValue – maximum counter value after which exponential delay is fixed in delayLock type, or maximum counter value after which no more authentication attempts are allowed in counterLock type.
For further details, see:
ActivID AS Key Protection Policy Parameters