Configuring Password Authentication Policies
A password authentication policy is a template containing predefined parameters enforced during authentication, such as password lengths or constraints.
A password authentication policy has several groups of parameters, including Password Configuration Settings and Advanced Settings.
To learn more about default password authentication policies, see Authentication Policies in the HID Authentication Service.
Creating New Password Authentication Policy
It is recommended that you create a new password authentication policy based on a default policy.
The predefined authentication policies comply with the following recommendations in the NIST SP 800-63B-3 guidelines concerning digital identity:
- Minimum Length – 8 characters
- Maximum Length – 128 characters
Note: After cloning the authentication policy, the administrator can configure the minimum and maximum password length constraints anywhere from 1 to 128 characters.
Restrictions:
- No constraints on the range of characters allowed.
- No requirement to mix different character types.
- Must not be a previous password.
- Must not include user attributes.
- Must not contain black-listed words.
- Must not be a sequence.
- Validity of password (after creation/update) – 1825 days.
To create a new password authentication policy, follow the steps below:
- Click the Settings icon in the left navigation bar to open the Settings page.
- Click Authentication Policies on the Settings page to see the list of authentication policies.
- Click ADD POLICY. The Add Policy pop-up window appears.
- Select a default password authentication policy from the drop-down menu and click PROCEED. See Authentication Policies in the HID Authentication Service for more information.
- The Add Authentication Policy: Password page opens. Enter the main information for your password authentication policy:
  - Policy name – should be unique for ease of administration.
  - Policy description – a free-format description of your password authentication policy.
- Then proceed to Password Configuration settings.
Define Password Configuration Settings
This section describes the Password Configuration parameters.
Parameters | Constraints | Description |
---|---|---|
Minimum length | Numeric value | Minimum number of characters for the user name or password. |
Maximum length | Numeric value | Maximum number of characters for the user name or password. |
Minimum number of different characters | Numeric value | The user name or password must contain at least as many different characters as the number specified in this field. For example, if 3 is specified, aa11 is not valid, while Aa11 could be valid. Make sure you understand the relationship between the Case-sensitive and Different characters constraints: in a string of lowercase characters, uppercase characters are "different". |
Characters range | No constraint | All characters allowed, including special characters. |
Characters range | Only numeric | Only numbers allowed; no punctuation, no letters, and no spaces. |
Characters range | Only alphabetic | Only letters allowed; no punctuation, no numbers, and no spaces. |
Characters range | Numeric OR alphabetic | Only numbers, only letters, or a combination of numbers and letters allowed; no punctuation and no spaces. |
Characters range | Numeric AND alphabetic | Must contain a combination of letters and numbers; no punctuation and no spaces. |
Case-sensitive verification | - | Enable if the password should be case-sensitive. Make sure you understand the relationship between the Case-sensitive and Different characters constraints: in a string of lowercase characters, uppercase characters are "different". |
Change password after expiry | Numeric value | Enables an operator to log on with a password beyond the password's expiration date. However, the user is requested to change the password immediately. The number entered in the field specifies how many times the user can enter the existing expired password in an attempt to change it before being denied further access. |
With at least | One numeric character | Must contain at least one numeric character. |
With at least | One lowercase character | Must contain at least one lowercase character. |
With at least | One uppercase character | Must contain at least one uppercase character. |
With at least | One special character | Must contain at least one special character. |
Forbidden values | Any previous password | Previous passwords are saved and compared against new password submissions. |
Forbidden values | Contains username or is a user attribute | New password submissions are compared against the user attribute values specified for that user. |
Forbidden values | Black-listed word | Must not contain black-listed words. The passwords are compared against a black list containing commonly used, expected, or compromised words. This list includes: |
Forbidden values | Not in sequence | The password must not consist of a series of numbers or letters (for example, 5678, abc). |
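As an added example (not code from the HID documentation or product), the following Python validator applies the Password Configuration constraints from the table above to a candidate password and reports every constraint it breaks. The policy field names, the `"any"`/`"numeric"`/... range labels, and the case-insensitive comparison against user attributes and black-listed words are assumptions made for the example; the case-sensitive versus different-characters interplay (aa11 vs. Aa11) follows the table.

```python
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    """Constructed mirror of the Password Configuration settings (values are illustrative)."""
    min_length: int = 8
    max_length: int = 128
    min_different_chars: int = 1
    char_range: str = "any"            # any | numeric | alphabetic | numeric_or_alpha | numeric_and_alpha
    case_sensitive: bool = True
    require: frozenset = frozenset()   # subset of {"numeric", "lower", "upper", "special"}
    history: frozenset = frozenset()   # previous passwords (a real store keeps hashes, not plaintext)
    blacklist: frozenset = frozenset() # commonly used, expected, or compromised words

def is_sequence(pw: str) -> bool:
    """True when the whole password is an ascending or descending run such as 5678 or abc."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) >= 3 and steps in ({1}, {-1})

def check_password(pw: str, policy: PasswordPolicy, user_attrs=()) -> list:
    """Return the names of the violated constraints; an empty list means the password passes."""
    problems = []
    if not policy.min_length <= len(pw) <= policy.max_length:
        problems.append("length")
    # 'A' and 'a' count as different characters only when the policy is case-sensitive.
    compared = pw if policy.case_sensitive else pw.lower()
    if len(set(compared)) < policy.min_different_chars:
        problems.append("different characters")
    has_digit, has_alpha = any(c.isdigit() for c in pw), any(c.isalpha() for c in pw)
    ranges = {"any": True, "numeric": pw.isdigit(), "alphabetic": pw.isalpha(),
              "numeric_or_alpha": pw.isalnum(),
              "numeric_and_alpha": pw.isalnum() and has_digit and has_alpha}
    if not ranges[policy.char_range]:
        problems.append("characters range")
    classes = {"numeric": str.isdigit, "lower": str.islower, "upper": str.isupper,
               "special": lambda c: not c.isalnum()}
    for name in sorted(policy.require):           # "With at least" rules
        if not any(classes[name](c) for c in pw):
            problems.append("missing " + name)
    lowered = pw.lower()                          # "Forbidden values" rules
    if pw in policy.history:
        problems.append("previous password")
    if any(a and a.lower() in lowered for a in user_attrs):
        problems.append("user attribute")
    if any(w.lower() in lowered for w in policy.blacklist):
        problems.append("black-listed word")
    if is_sequence(pw):
        problems.append("sequence")
    return problems
```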
Now proceed to Advanced settings.
Define Advanced Settings
This section describes the Advanced parameters.
Parameters | Description |
---|---|
Valid days after creation | The expiration period of an authentication record, as a number of days, starting from the date the authentication record was created. Edit this field to apply a new expiration period to new authentication records. |
Valid days after update | The expiration period of an authentication record when the password is changed, as a number of days, starting from the date the password was changed. |
Disable threshold | The maximum number of successive failed attempts by a user to log on with an incorrect password before the password is locked. |
Default expiry threshold | The number of times a user can authenticate using a password before the password expires. It corresponds to the maximum number of successful authentications allowed. If you do not want to use the expiration threshold functionality, enter a value of -1. |
Session timeout (sec) | Time (in seconds) after which an idle session is automatically terminated. The value should be lower than that set for the global Session Timeout parameter. |
Session valid period (sec) | The maximum period (in seconds) that a user authenticated via this authentication policy can sustain their session before being prompted to re-authenticate by logging on again. |
Disabled time reset (sec) | This value enables the auto-unblock feature. If a password is blocked for any reason (for example, it reached the maximum authentication count), it is unblocked automatically if you set this to a value other than -1. For example, if you configure the value as 120 seconds (two minutes), the password is automatically unblocked when the user tries to authenticate after two minutes. |
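As an added example (not code from the HID documentation or product), this Python model walks one logon attempt through the Advanced settings above: the Disable threshold lock, the Disabled time reset auto-unblock, the Default expiry threshold count, the Valid days after creation/update calendar expiry, and the Change password after expiry grace count from the Password Configuration table. The field names, the use of epoch seconds for timestamps, the assumption that a successful logon resets the failure streak, and the outcome strings are choices made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AdvancedPolicy:
    """Constructed mirror of the Advanced settings; the values are illustrative, not service defaults."""
    valid_days_after_creation: int = 1825
    valid_days_after_update: int = 1825
    disable_threshold: int = 5             # successive failed attempts before the password is locked
    default_expiry_threshold: int = -1     # max successful authentications; -1 turns the count off
    disabled_time_reset: int = -1          # seconds until auto-unblock; -1 turns auto-unblock off
    change_password_after_expiry: int = 0  # logons allowed with an expired password to change it

@dataclass
class PasswordState:
    created: float                         # epoch seconds (e.g. time.time())
    updated: Optional[float] = None        # set when the password was last changed
    successes: int = 0
    failures: int = 0
    disabled_at: Optional[float] = None
    expired_uses: int = 0

def is_expired(state: PasswordState, policy: AdvancedPolicy, now: float) -> bool:
    # Calendar expiry counts from the last update if there was one, otherwise from creation.
    if state.updated is None:
        return now > state.created + policy.valid_days_after_creation * 86400
    return now > state.updated + policy.valid_days_after_update * 86400

def authenticate(state: PasswordState, policy: AdvancedPolicy, now: float, password_correct: bool) -> str:
    """Apply the lockout and expiry rules to one logon attempt and return its outcome."""
    if state.disabled_at is not None:
        reset = policy.disabled_time_reset
        if reset == -1 or now < state.disabled_at + reset:
            return "disabled"
        state.disabled_at, state.failures = None, 0   # Disabled time reset elapsed: auto-unblock
    if not password_correct:
        state.failures += 1
        if state.failures >= policy.disable_threshold:
            state.disabled_at = now
            return "disabled"
        return "failed"
    state.failures = 0                                 # a success ends the failure streak (assumed)
    over_count = policy.default_expiry_threshold != -1 and state.successes >= policy.default_expiry_threshold
    if over_count or is_expired(state, policy, now):
        if state.expired_uses < policy.change_password_after_expiry:
            state.expired_uses += 1
            return "change_required"                   # logon allowed only to set a new password
        return "expired"
    state.successes += 1
    return "ok"
```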
Viewing Password Authentication Policy
You can view password authentication policies by following the steps below:
- Click Settings in the left navigation bar to open the Settings page.
- Click Authentication Policies on the Settings page to see the list of authentication policies. All existing authentication policies are listed in a paged table. The total number of authentication policies is given in the lower left corner.
- In the authentication policies list, choose the password authentication policy you want to view.
- The View Authentication Policy: Password page opens and shows the details below.

Fields | Description |
---|---|
Policy name | The name of the password authentication policy. |
Policy description | The description for the password authentication policy. |

- You can also view the other settings of your password authentication policy by clicking Password Configuration and Advanced.
- Click RETURN to return to the list of authentication policies.
Note: If required,
- Click EDIT to edit a password authentication policy. Refer to Editing Password Authentication Policy.
- Click DELETE to delete a password authentication policy. Refer to Deleting Password Authentication Policy.
Editing Password Authentication Policy
When required, you can edit the password authentication policy details by following the steps below:
- Click Settings in the left navigation bar to open the Settings page.
- Click Authentication Policies on the Settings page to see the list of authentication policies.
- In the authentication policies list, choose the password authentication policy you want to edit.
- The View Authentication Policy: Password page opens. Click EDIT.
- Make changes to all the applicable authentication policy parameters, then click SAVE.
- To cancel the operation, click CANCEL.
Deleting Password Authentication Policy
- You cannot delete the default password authentication policies. For those default policies, the EDIT and DELETE buttons are not present.
- You cannot delete policies that are assigned to users.
To delete a password authentication policy, follow the steps below:
- Click Settings in the left navigation bar to open the Settings page.
- Click Authentication Policies on the Settings page to see the list of authentication policies.
- In the authentication policies list, choose the password authentication policy you want to delete.
- The View Authentication Policy: Password page opens. Click DELETE.
- A Delete Policy confirmation dialog box appears. Click OK to confirm.