IDENTIKEY Appliance

Product Guide

3.18
 Disclaimer of Warranties and Limitations of Liabilities

Legal Notices
Copyright © 2008–2019 OneSpan North America, Inc. All rights reserved.

Trademarks
OneSpan™, DIGIPASS ® and CRONTO® are registered or unregistered trademarks of OneSpan North America Inc.,
OneSpan NV and/or OneSpan International GmbH (collectively "OneSpan") in the U.S. and other countries.

OneSpan reserves all rights to the trademarks, service marks and logos of OneSpan and its subsidiaries.

All other trademarks or trade names are the property of their respective owners.

Intellectual Property
OneSpan Software, documents and related materials (“Materials”) contain proprietary and confidential information.
All title, rights and interest in OneSpan Software and Materials, updates and upgrades thereof, including software
rights, copyrights, patent rights, industrial design rights, trade secret rights, sui generis database rights, and all other
intellectual and industrial property rights, vest exclusively in OneSpan or its licensors. No OneSpan Software or Mater-
ials may be downloaded, copied, transferred, disclosed, reproduced, redistributed, or transmitted in any form or by
any means, electronic, mechanical or otherwise, for any commercial or production purpose, except as otherwise
marked or when expressly permitted by OneSpan in writing.

Disclaimer
OneSpan accepts no liability for the accuracy, completeness, or timeliness of content, or for the reliability of links to
and content of external or third party websites.

OneSpan shall have no liability under any circumstances for any loss, damage, or expense incurred by you, your com-
pany, or any third party arising from the use or inability to use OneSpan Software or Materials, or any third party mater-
ial made available or downloadable. OneSpan will not be liable in relation to any loss/damage caused by
modification of these Legal Notices or content.

Reservation
OneSpan reserves the right to modify these Notices and the content at any time. OneSpan likewise reserves the right
to withdraw or revoke consent or otherwise prohibit use of the OneSpan Software or Materials if such use does not
conform to the terms of any written agreement between OneSpan and you, or other applicable terms that OneSpan
publishes from time to time.

Contact us
Visit our website: https://www.onespan.com
Resource center: https://www.onespan.com/resource-center
Technical support and knowledge base: https://www.onespan.com/support

If there is no solution in the knowledge base, contact the company that supplied you with the OneSpan product.

Date last modified: 7/24/2019

 Table of Contents

Table of Contents

1. Introduction 15

1.1. IDENTIKEY Appliance Documentation Set 15

2. Overview of the OneSpan Authentication Solution 16

2.1. OneSpan Authentication Solution 16

2.2. OneSpan Global Integrated Solution 17

2.3. What is a DIGIPASS authenticator? 19

2.4. DIGIPASS Authenticator Types 20

2.5. DIGIPASS Licensing and Activation 27

2.6. Server-Side 30

2.7. IDENTIKEY Appliance in a RADIUS environment 33

2.8. IDENTIKEY Appliance in a Web Environment 38

2.9. IDENTIKEY Appliance With DIGIPASS Authentication for Windows Logon 42

2.10. IDENTIKEY Appliance in a Wireless Environment 42

2.11. EMV-CAP 42

2.12. Static Password Management 42

2.13. License Types 43

2.14. VASCO Customer Portal 45

2.15. PCI-DSS compliance 46

3. User Authentication Process 47

3.1. IDENTIKEY Appliance Authentication Process 47

3.2. Logging in with a DIGIPASS 47

3.3. Identifying the Component Record 48

3.4. Identifying a Policy 49

3.5. Looking Up and Checking the DIGIPASS User Account 50

3.6. Local Authentication 57

IDENTIKEY Appliance 3.18 – Product Guide iii

 Table of Contents

3.7. Back-End Authentication 71

3.8. User Attributes 78

3.9. Host Codes 79

3.10. Supported RADIUS Protocols 79

3.11. Limitations of RADIUS Support in IDENTIKEY Appliance 80

4. Signature Validation 82

4.1. Signature Validation Process 82

4.2. Electronic Signature Application Types 84

4.3. Signature Verification Process 85

4.4. Policy Settings Relevant to Signature Validation 86

5. Software DIGIPASS Provisioning 88

5.1. Provisioning Overview 88

5.2. Registration Process for Software DIGIPASS 91

5.3. Software DIGIPASS Activation Process 94

5.4. Provisioning Scenarios 95

6. DIGIPASS Authentication for Windows Logon 113

6.1. Additional References 113

6.2. Online Authentication 113

6.3. Offline Authentication 114

6.4. Dynamic Component Registration (DCR) 117

6.5. Password Randomization 117

6.6. Password Synchronization Manager 118

6.7. IDENTIKEY Appliance Retrieval and Failover 119

6.8. IDENTIKEY Appliance SSL Certificate 119

7. EMV-CAP 120

7.1. Hardware Security Module 120

IDENTIKEY Appliance 3.18 – Product Guide iv

 Table of Contents

7.2. EMV-CAP Scenario 120

7.3. Licensing 120

7.4. Unsupported Standard IDENTIKEY Appliance Features 121

7.5. Primary Account Number (PAN) 121

7.6. EMV-CAP modes 121

8. Hardware Security Module 122

8.1. Supported Hardware Security Modules 122

8.2. Licensing and Configuration 122

8.3. Unsupported Standard IDENTIKEY Appliance Features and Limitations 122

8.4. Load Balancing and Failover 123

8.5. Cryptographic Keys 123

9. Administration 126

9.1. Default Administrative Users 126

9.2. Creating a New System Administrator 126

9.3. Configuration Tool 127

9.4. Administration Web Interface 127

9.5. Rescue Tool 128

10. Installation Configuration 130

10.1. First Time Setup 130

10.2. Configuration Wizard 131

10.3. License Configuration Wizard 131

10.4. IDENTIKEY Authentication Server Setup Wizard 131

10.5. Manual Configurations 132

10.6. Migration to IDENTIKEY Appliance / IDENTIKEY Virtual Appliance from IDENTIKEY Authentication Server 132

11. Licensing 133

11.1. First Time Licensing 133

IDENTIKEY Appliance 3.18 – Product Guide v

 Table of Contents

11.2. Re-Licensing 134

12. Secure Network Management Protocol (SNMP) 137

12.1. Supported SNMP Versions 137

12.2. SNMP Usage in IDENTIKEY Appliance 137

13. Performance Monitoring 138

13.1. Filters 138

13.2. Plugins 140

14. Health Check 141

14. System Monitoring, Notifications, and OS Traps 142

14.1. Events to be Monitored and Data Sources 142

14.2. Filters 143

14.3. Targets 143

15. IDENTIKEY Appliance Administration Web Interface: User Dashboard 146

15.1. Working with the User Dashboard 146

15.2. View Audit Message Page 150

15.3. Generating Reports via the Reports Tab 151

16. Updating 152

16.1. Updating Process 152

16.2. Updating Infrastructure 152

17. Backup and Restore 153

17.1. Backup 153

17.2. Backup Encryption 154

17.3. Backup Restore 154

18. RAID 156

18.1. RAID Maintenance 156

19. System Logging 157

IDENTIKEY Appliance 3.18 – Product Guide vi

 Table of Contents

19.1. Logging Infrastructure 158

19.2. Managing Log Files 158

19.3. Remote Syslog 159

19.4. Log Levels 159

20. Auditing 161

20.1. Audit Settings 161

20.2. Managing Audit Files 162

20.3. Exporting Auditing Information 163

20.4. Secure Auditing 163

21. Tracing 165

21.1. Types of Trace Files 165

21.2. Trace File Options 165

21.3. Managing Trace Files 166

22. Statistics 167

22.1. System Information Available 167

22.2. Statistics Filtering 167

23. Message Delivery Component 168

24. Remote Support 170

24.1. Support Procedure 170

24.2. Remote Support 170

25. LDAP User Synchronization 171

25.1. LDAP Synchronization Profiles 171

25.2. Identifying Synchronized Users 172

25.3. Creating and Updating User Accounts 173

25.4. Deleting User Accounts 175

25.5. Synchronization Frequency 175

IDENTIKEY Appliance 3.18 – Product Guide vii

 Table of Contents

25.6. LDAP Synchronization Access Rights 175

25.7. Multiple Synchronization Profiles 175

25.8. Managing Source and Destination Hierarchies 176

25.9. Tracing and Audit Information 178

26. Replication 179

26.1. What Is Replicated? 179

26.2. Common Replications 179

26.3. Replication Wizard 181

26.4. Replication and Firewalls 182

26.5. Replication Process 182

26.6. Replication Monitoring 185

26.7. Replication Status 185

27. DIGIPASS User Accounts 187

27.1. Creating DIGIPASS User Accounts 187

27.2. User Account Settings 189

27.3. User Attributes 189

27.4. Searching for User Accounts 191

27.5. DIGIPASS User Account Static Password 191

27.6. Password Strength 192

27.7. Administration Privileges 195

27.8. DIGIPASS User Account Auto-Unlock 196

28. DIGIPASS 197

28.1. DIGIPASS Client PIN 197

28.2. Importing DIGIPASS 198

28.3. Assigning DIGIPASS to Users 198

28.4. DIGIPASS Record Functions 200

IDENTIKEY Appliance 3.18 – Product Guide viii

 Table of Contents

28.5. DIGIPASS Reports 202

28.6. DIGIPASS Programming 202

28.7. DIGIPASS Record Settings 203

28.8. DIGIPASS Assignment Options 205

28.9. Cost 206

28.10. Security 206

28.11. Convenience 206

28.12. Gateway and account 206

28.13. Limiting Usage of Virtual Mobile Authenticator 207

28.14. Backup Virtual Mobile Authenticator Usage Guidelines 207

28.15. Resetting Virtual Mobile Authenticator 208

28.16. Virtual Mobile Authenticator Login Options 208

29. Task Scheduling 209

29.1. How Does Task Scheduling Work? 209

29.2. Managing Scheduled Tasks 210

29.3. Task Scheduling Options 211

30. Client Components 212

30.1. Standard Component Properties 212

30.2. Client Component Types 213

30.3. Client Component Licensing 215

31. Server Components 216

31.1. Automatic Server Component Creation 216

31.2. Licenses 216

32. Policies 218

32.1. Policy Properties 218

32.2. Policies 219

IDENTIKEY Appliance 3.18 – Product Guide ix

 Table of Contents

32.3. Pre-Loaded Policies 221

33. Reporting 228

33.1. Reporting Features and Settings 228

34. Wireless RADIUS 233

34.1. Wireless RADIUS Terminology Used 233

34.2. Wireless Network Encryption 233

34.3. Fast Reconnect 233

34.4. Multiple Roaming Zones 235

35. Organization 237

35.1. Domains and Organizational Units 237

35.2. Master Domain and Practical Uses 238

35.3. Moving DIGIPASS User Accounts and DIGIPASS 239

35.4. DIGIPASS Records Location 241

35.5. Typical DIGIPASS Location Models for ODBC 241

36. Rescue Tool 245

36.1. Accessing the Rescue Tool 245

36.2. Functions 245

37. Support Procedure 248

38. Appendix: IDENTIKEY Virtual Appliance OS Hardening - Guidelines 249

38.1. Securing the Virtual Machine Host 249

38.2. Password Guidelines 250

IDENTIKEY Appliance 3.18 – Product Guide x

 Table of Contents

Illustration Index

Image 1: OneSpan Authentication Solution 16

Image 2: OneSpan Global Integrated Solution 18

Image 3: DIGIPASS 260 21

Image 4: DIGIPASS 270 XPress 21

Image 5: DIGIPASS 301 Comfort Voice 21

Image 6: DIGIPASS 560 21

Image 7: DIGIPASS 760 22

Image 8: DIGIPASS GO 215 22

Image 9: DIGIPASS 785 22

Image 10: DIGIPASS GO 3 23

Image 11: DIGIPASS GO 6 23

Image 12: DIGIPASS GO 7 23

Image 13: DIGIPASS GO 100 23

Image 14: DIGIPASS 810 23

Image 15: DIGIPASS 855 23

Image 16: DIGIPASS 875R 24

Image 17: DIGIPASS Nano 26

Image 18: DIGIPASS 110 26

Image 19: IDENTIKEY Appliance Architecture 31

Image 20: Stand-alone: RADIUS Attributes from DIGIPASS user account 34

Image 21: Stand-alone: No RADIUS Attributes Required 34

Image 22: IDENTIKEY Appliance with Wireless RADIUS 35

Image 23: IDENTIKEY Appliance with RADIUS Server Acting as a Proxy 36

Image 24: RADIUS Server as Back-End Server (Users Log In with OTP Only) 37

Image 25: RADIUS Server as Back-End Server (Users Log In with Both Password and OTP) 38

Image 26: IDENTIKEY Appliance in an IIS Web Environment (OTP-Only) 40

Image 27: IDENTIKEY Appliance in an IIS Web Environment (OTP+Password Login) 41

Image 28: Connection Between the IDENTIKEY Appliance and VASCO Customer Portal 45

IDENTIKEY Appliance 3.18 – Product Guide xi

 Table of Contents

Image 29: User ID and Domain Resolution 51

Image 30: Dynamic User Registration (Process) 56

Image 31: Server PIN States and Actions 62

Image 32: Multiple DIGIPASS Assignments 68

Image 33: Back-End Authentication for NetIQ eDirectory 77

Image 34: Steps of Provisioning 89

Image 35: Software DIGIPASS Registration Process 91

Image 36: Software DIGIPASS Activation Process 94

Image 37: DIGIPASS for Mobile Offline Activation Process 97

Image 38: DIGIPASS for Mobile Online Activation Process 99

Image 39: DIGIPASS for Web Scenario 1 Process 104

Image 40: DIGIPASS for Web Scenario 2 Process 106

Image 41: DIGIPASS for Web Scenario 3 Process 108

Image 42: DIGIPASS 110 Scenario 1 110

Image 43: DIGIPASS 110 Scenario 2 112

Image 44: DIGIPASS Authentication for Windows Logon Online Authentication 114

Image 45: DIGIPASS Authentication for Windows Logon Offline Authentication 115

Image 46: DIGIPASS 810 120

Image 47: SafeNet Cryptographic Keys Allocated by Token Name and Slot ID 125

Image 48: Adding Filter in Performance Monitoring 139

Image 49: Data Transmission from the Syslog Utitilty to the Live Log Viewer and Remote Syslog 158

Image 50: Live Log Viewer 159

Image 51: Live Audit Viewer 162

Image 52: Virtual Mobile Authenticator Process Using IDENTIKEY Appliance MDC 169

Image 53: User Attributes in Administration Web Interface 172

Image 54: LDAP Synchronization to Create or Update an IDENTIKEY Appliance User Account 174

Image 55: Synchronization Including LDAP Children 178

Image 56: Synchronization to Mirror LDAP Server Structure 178

Image 57: Replication Between Primary and Backup IDENTIKEY Appliance 180

IDENTIKEY Appliance 3.18 – Product Guide xii

 Table of Contents

Image 58: Replication Between Primary, Backup, and Disaster Recovery IDENTIKEY Appliance 181

Image 59: Writing to Replication Queue 183

Image 60: Sending Replication Queue Entry 184

Image 61: 'System' Tab in the Administration Web Interface 185

Image 62: Replication Status Screen in the Administration Web Interface 186

Image 63: RADIUS Attributes Overview 190

Image 64: Custom User Attributes Overview 191

Image 65: Policy Inheritance Example 220

Image 66: Wireless RADIUS Components 233

Image 67: Fast reconnect Overview 234

Image 68: Fast Reconnect Authentication Process 234

Image 69: Roaming Wireless Fast Reconnection 235

Image 70: Roaming Wireless Fast Reconnection – Roaming Zones 236

Image 71: Domains and Organizational Units 237

Image 72: User ID and Domain Resolution 239

Image 73: Possibilities for Moving User Accounts and DIGIPASS (OU = Organizational Unit) 240

Image 74: DIGIPASS Record Locations – Domain Root 242

Image 75: DIGIPASS Record Location – Parent Organizational Unit 243

Image 76: DIGIPASS Record Locations – Individual Organizational Units 244

Image 77: Rescue Tool Start Menu 246

Image 78: Rescue Tool Network Menu 247

IDENTIKEY Appliance 3.18 – Product Guide xiii

 Table of Contents

Table Index

Table 1: Login methods 48

Table 2: Server Settings Regulating Server PINs 60

Table 3: OTP Authentication for Scenarios Involving Multiple and Single DIGIPASS Applications 69

Table 4: Supported User Name Formats for Microsoft Active Directory 75

Table 5: Supported User Logon Format for NetIQ eDirectory 76

Table 6: Provisioning Scenarios 96

Table 7: Supported EMV-CAP modes in IDENTIKEY Authentication Server 121

Table 8: Default Administrative User Credentials 126

Table 9: Target requirements 144

Table 10: Dashboard Used Clients - Displayed Fields 147

Table 11: Report Definition Criteria 151

Table 12: Log Levels 159

Table 13: Audit Message Types 162

Table 14: Options for defining synchronization structures 176

Table 15: Time-and event-based modes of DIGIPASS Application 202

Table 16: Backup Virtual Mobile Authenticator Policy/ DIGIPASS Settings 205

Table 17: DIGIPASS Options 206

Table 18: Backup Virtual Mobile Authenticator Sample Guidelines 208

Table 19: Pre-Loaded Policies 222

IDENTIKEY Appliance 3.18 – Product Guide xiv

 1. Introduction

1. Introduction
IDENTIKEY Appliance Product Guide is part of the documentation set about IDENTIKEY Appliance. It is intended for
technical experts interested in learning about the IDENTIKEY Appliance. It describes the structure of the product,
the concepts underpinning authentication and how IDENTIKEY Appliance can support authentication within your IT
infrastructure.

If not stated otherwise, the information in this guide also applies to IDENTIKEY Virtual Appliance.

Warning
Components or features described in this document may need to be configured to meet the standards of the Gen-
eral Data Protection Regulation (GDPR). If your organization is collecting or in any capacity processing data on cit-
izens of a European Union country, your organization is subject to the GDPR. For more information on this subject
matter, refer to the IDENTIKEY Appliance General Data Protection Regulation Compliance Guide.

1.1. IDENTIKEY Appliance Documentation Set

The following IDENTIKEY Appliance guides are available:

n IDENTIKEY Appliance Administrator Guide. Explains the steps needed for administration tasks, including
monitoring and troubleshooting.
n IDENTIKEY Appliance Administrator Reference. Provides field explanations and other organized reference
material for technical experts using IDENTIKEY Appliance intended for reference only.
n IDENTIKEY Appliance Installation and Maintenance Guide. Explains the steps required to connect the
IDENTIKEY Appliance to your network, first-time configuration and maintenance procedures, such as
updating and re-licensing.
n IDENTIKEY Appliance Product Guide. Describes the structure of the product, the concepts underpinning
authentication and how IDENTIKEY Appliance can support authentication within an existing infrastructure.
n IDENTIKEY Appliance General Data Protection Regulation Compliance Guide: provides general information
about the EU General Data Protection Regulation (GDPR), its implications on IDENTIKEY Appliance and
provides instructions to achieve GDPR compliance where additional adaptations or procedures are
required.
n IDENTIKEY Authentication Server SDK Programmer Guide. Provides in-depth information required for devel-
opment work using the SDK. This document is relevant to SOAP Authentication, electronic signatures and
provisioning using the IDENTIKEY Appliance.
n Documents about DIGIPASS Authentication for Windows Logon. Provide information about the concepts,
installation and configuration, setup, and procedures to test DIGIPASS Authentication for Windows Logon.
n Two Password Synchronization Manager guides for installation and usage information.
n Filter guides for each available filter for installation and usage information.

Access to the IDENTIKEY Appliance documentation is provided via the IDENTIKEY Appliance Configuration Tool.
Manuals for IDENTIKEY Appliance add-ons are provided on the CD-ROM delivered with the appliance.

IDENTIKEY Appliance 3.18 – Product Guide 15

 2. Overview of the OneSpan Authentication Solution

2. Overview of the OneSpan Authentication Solution

2.1. OneSpan Authentication Solution

DIGIPASS devices provide the client component of the OneSpan authentication solution, issued by the application
service provider (ASP) to end users (the DIGIPASS holders), to support:

n One-time password (OTP), to authenticate end users to the ASP, to protect access to services and
resources
n Host codes, to authenticate the ASP to end users
n Electronic signatures, to protect the integrity and authenticity of financial transactions or other security-crit-
ical communications (not currently available with the IDENTIKEY Appliance)

The DIGIPASS client component uses a variety of cryptographic algorithms to calculate one-time passwords, host
codes and electronic signatures. DIGIPASS devices generate one-time passwords and electronic signatures using a
unique 'secret value'. Most DIGIPASS devices are pre-programmed with this unique secret value (making each
OTP/signature unique to each DIGIPASS devices), while other DIGIPASS devices – specifically, smart card readers –
use a secret value from another valid source, i.e. a smart card.

VACMAN Controller is the server-side component of the OneSpan authentication solution, installed on the com-
puter or back-end system of the ASP. This VACMAN Controller software can be installed as an appliance, a server
component, a middleware component, or an application programming interface (API). Electronic signatures and
one-time passwords generated by the DIGIPASS client devices are verified by the VACMAN Controller software.

Image 1: OneSpan Authentication Solution

IDENTIKEY Appliance 3.18 – Product Guide 16

 2. Overview of the OneSpan Authentication Solution

Application service providers assign DIGIPASS client devices to holders, based on the serial number of the DIGIPASS
and the holder’s ID. Each DIGIPASS device is delivered in a controlled way to the holder, together with a manual
and (optionally) the PIN. To use the DIGIPASS, the holder needs to be in possession of the DIGIPASS, to know the
PIN to access applications run by the , and to have a connection to the VACMAN Controller software.

The VACMAN Controller software knows which secret is loaded in each DIGIPASS. These secrets are transported ini-
tially in an encrypted way to the ASP and then stored in a database run together with the VACMAN Controller soft-
ware. In this process the DIGIPASS serial number is used as reference for the secrets.

2.2. OneSpan Global Integrated Solution

IDENTIKEY Appliance can be integrated within an organization's existing security infrastructure (see Image 2:
OneSpan Global Integrated Solution). The services supported by the IDENTIKEY Appliance are explained below.

IDENTIKEY Appliance 3.18 – Product Guide 17

 2. Overview of the OneSpan Authentication Solution

Image 2: OneSpan Global Integrated Solution

SDK-based web applications supported by the IDENTIKEY Appliance using the SOAP protocol include:

IDENTIKEY Appliance 3.18 – Product Guide 18

 2. Overview of the OneSpan Authentication Solution

n Authentication (see 3.1. IDENTIKEY Appliance Authentication Process)

n Electronic Signature
n Software DIGIPASS Provisioning (see 5. Software DIGIPASS Provisioning)
n Administration (see 9. Administration)

Remote clients for authentication supported by the IDENTIKEY Appliance include:

n RADIUS clients (RADIUS protocol)

n Filter: Citrix Web Interface (SEAL protocol);
n DIGIPASS Authentication Modules (SOAP protocol); DIGIPASS Authentication for Windows Logon (SOAP pro-
tocol) provides strong authentication when logging on to Microsoft Windows (see 6. DIGIPASS Authentic-
ation for Windows Logon)

For more information about client components, see 30. Client Components.

Password Synchronization Manager (PSM) synchronizes password changes from Windows user accounts to the
IDENTIKEY Appliance (see 2.12. Static Password Management).

LDAP user synchronization supports automatic creation and updating of user accounts on the IDENTIKEY Appliance
from records stored on an LDAP servers such as NetIQ eDirectory and Microsoft Active Directory (see 25.
LDAP User Synchronization).

back-end authentication is supported by the IDENTIKEY Appliance for RADIUS servers and LDAP servers, e.g. NetIQ
eDirectory, Microsoft Active Directory, IBM Security Directory Server Access Manager (see 3.7. Back-End Authentic-
ation.

The Message Delivery Component is necessary to support Virtual Mobile Authenticator authentication (see 23.
Message Delivery Component).

The VASCO Customer Portal handles licensing, updating and remote support for the IDENTIKEY Appliance (see
2.14. VASCO Customer Portal).

Note
Data Migration Tool is available for converting records from other OneSpan products to the IDENTIKEY Appliance.
For more information contact your IDENTIKEY Appliance supplier (see 37. Support Procedure).

2.3. What is a DIGIPASS authenticator?

A DIGIPASS authenticator is a device for providing one-time passwords (OTPs) and Electronic Signatures to a user.

An organization can provide its users with DIGIPASS authenticators to ensure that the users log in to secure sys-
tems via strong authentication. The DIGIPASS authenticator provides the OTPs and the DIGIPASS users can use
these OTPs instead of or in addition to a static password for the login. With devices that support this functionality,
authentication transactions can be performed via the Secure Channel feature of IDENTIKEY Authentication Server
and DIGIPASS authenticators. For more information about Secure Channel, see 2.5.5. Secure Channel Feature.

IDENTIKEY Appliance 3.18 – Product Guide 19

 2. Overview of the OneSpan Authentication Solution

In addition, a DIGIPASS authenticator can also be used to sign transaction data. Here, the user manually enters key
details of the transaction into the DIGIPASS authenticator . The user then enters that signature into a transaction
confirmation page to confirm that the transaction is authorized.

Virtual Mobile Authenticator is a mechanism where an OTP is generated by the server and sent to the user's mobile
phone or email account. In this case, a physical DIGIPASS device is not needed.

A software DIGIPASS authenticator may be installed as a DIGIPASS Application onto an existing non-OneSpan plat-
form (such as a computer, smartphone, or other mobile device). It can be used to generate an OTP or a signature
in the same way as a physical DIGIPASS authenticator.

2.4. DIGIPASS Authenticator Types

Each DIGIPASS authenticator is programmed with at least one DIGIPASS Application and a unique secret . The
DIGIPASS Application uses this unique secret when generating a one-time password (OTP) or an Electronic Sig-
nature.

Each type of DIGIPASS Application generates OTPs or signatures from different data, and in slightly different ways:

Response-Only
Creates an OTP based on the current date and time or on the number of uses (i.e. events).

Challenge/Response
Creates an OTP (also referred to as a response) based on a numerical challenge given on a login page. This
challenge may be either of two things:

n Custom-created for the specific DIGIPASS authenticator

n A randomly-created challenge

The OTP may also be based on the date and time.

Signature
Electronic Signature DIGIPASS Applications are typically used in online banking. The DIGIPASS authenticator
creates a unique code – i.e. an Electronic Signature – based on a number of transaction data fields entered
plus (optionally) the date and time or events.

Multi-Mode
A Multi-Mode DIGIPASS authenticator can be used on all of the above modes. This setting is used mainly for
DIGIPASS for Web (see 2.4.2.1. Software DIGIPASS Types).

IDENTIKEY Appliance 3.18 – Product Guide 20

 2. Overview of the OneSpan Authentication Solution

2.4.1. Hardware DIGIPASS Authenticator

A hardware DIGIPASS authenticator is a device specifically designed to create OTPs and digital signatures. Each
hardware DIGIPASS authenticator can be used for the following and digital signature methods:

n Response-Only
n Challenge/Response
n Signature

2.4.1.1. E-Signature DIGIPASS Authenticator

DIGIPASS authenticator devices of this type are typically capable of supporting more than one DIGIPASS Application;
some of these authenticators can be programmed so that a PIN must be entered before they generate a one-time
password (OTP) or an Electronic Signature.

Image 3: DIGIPASS 260 Image 4: DIGIPASS 270 XPress

Image 5: DIGIPASS 301 Comfort Voice Image 6: DIGIPASS 560

DIGIPASS 760 protects online banking services by allowing the bank to establish a secure optical communication
channel with the client. The device uses a unique visual challenge contained in a graphical cryptogram, a color QR

IDENTIKEY Appliance 3.18 – Product Guide 21

 2. Overview of the OneSpan Authentication Solution

code, consisting of a matrix of colored dots. The user scans the color QR code with the device's built-in camera to
generate the signatures for activations and transactions.

Image 7: DIGIPASS 760

DIGIPASS GO 215 and DIGIPASS 785 protect online banking services by allowing the bank to establish a secure com-
munication channel with the client using Bluetooth low energy (BLE).

Image 8: DIGIPASS GO 215 Image 9: DIGIPASS 785

2.4.1.2. Single-Button DIGIPASS Authenticator

This is the simplest type of a DIGIPASS authenticator. A DIGIPASS authenticator without a keypad has a triggering
mechanism – typically an action, e.g. pressing a button. That action triggers the generation of a one-time pass-
word (OTP). Single-button DIGIPASS authenticator devices only have one DIGIPASS Application, which is always
Response-Only.

IDENTIKEY Appliance 3.18 – Product Guide 22

 2. Overview of the OneSpan Authentication Solution

Image 10: DIGIPASS GO 3 Image 11: DIGIPASS GO 6

Image 12: DIGIPASS GO 7 Image 13: DIGIPASS GO 100

2.4.1.3. DIGIPASS Card Readers

DIGIPASS card readers provide two-factor authentication based on smart card technology in a similar way to other
hardware DIGIPASS authenticator devices. The smart card itself provides the 'secret' used to generate a one-time
password (OTP) and Electronic Signature.

IDENTIKEY Appliance supports EMV-CAP compliant smart cards and card readers (see 7. EMV-CAP).

Image 14: DIGIPASS 810 Image 15: DIGIPASS 855

IDENTIKEY Appliance 3.18 – Product Guide 23

 2. Overview of the OneSpan Authentication Solution

Image 16: DIGIPASS 875R

2.4.2. Software DIGIPASS Authenticator

Software DIGIPASS authenticators are software versions of DIGIPASS that provide authentication and signature func-
tions for mobile devices and web browsers. They generate a one-time password or Electronic Signature for you in
the same way as a hardware DIGIPASS.

A software DIGIPASS authenticator may be installed as a DIGIPASS Application onto an existing non-OneSpan plat-
form (such as a computer, smartphone, or other mobile device). This effectively makes the device emulate a hard-
ware DIGIPASS. The user then accesses the installed DIGIPASS Application to obtain a one-time password (OTP) or
Electronic Signature. For more information about hardware DIGIPASS, refer to 2.4.1. Hardware
DIGIPASS authenticator. To be ready for use, each software DIGIPASS requires:

n Software installed on the client device

n A unique activation code

Once installed on a host device, software DIGIPASS will need to be activated via an activation code. Once activ-
ated, the device can then be used to generate one-time passwords and Electronic Signatures. Software delivery
and activation of the software DIGIPASS authenticator takes place in the course of the provisioning process - refer
to Chapter 5. Software DIGIPASS Provisioning for more information on this.

A software DIGIPASS authenticator typically supports the following DIGIPASS Application types:

n Response-Only

n Challenge/Response

n Signature

The distribution of a software DIGIPASS authenticator is controlled by IDENTIKEY Appliance using provisioning scen-
arios (see 5. Software DIGIPASS Provisioning).

IDENTIKEY Appliance 3.18 – Product Guide 24

 2. Overview of the OneSpan Authentication Solution

2.4.2.1. Software DIGIPASS Types

The following software DIGIPASS types are supported by the Provisioning function in IDENTIKEY Authentication
Server:

DIGIPASS for Mobile

DIGIPASS for Mobile is an application for Android and iOS mobile devices , Windows Phone and BlackBerry.
You can use it to generate a one-time password or Electronic Signature on demand.

DIGIPASS App
DIGIPASS App is a two-factor authenticator for OTP generation. The OTP the DIGIPASS App displays can be
used as back-up authentication mode when the push–notifcation-based authentication does not succeed.

The DIGIPASS App is activated with a color QR code, and can be protected either with fingerprint recognition or
a PIN code, depending on the available mobile device functionalities. DIGIPASS App can contain multiple
DIGIPASS instances and can be installed on several mobile devices, allowing the use of multiple devices for
the login process. For more detailed information, refer to the DIGIPASS App Getting Started Guide.

The DIGIPASS App is used for push–notification-based authentication. For more information on this, refer to
2.5.6. Push Notification via the DIGIPASS App and 3.6.2.6. Push–Notification-Based Authentication Process.
For detailed information on the Push Notification feature, required components, and the setup with IDENTIKEY
Authentication Server and its components , refer to the Push Notification Getting Started Guide.

DIGIPASS for APPS

The DIGIPASS for Application Perimeter Protection SDK ( DIGIPASS for APPS) is a software development kit
(SDK) to natively integrate application security, two-factor authentication, and electronic signatures into
mobile applications. It consists of a library of dedicated APIs to strengthen mobile application security and
facilitate mobile transactions across multiple user devices. DIGIPASS for APPS supports Android, iOS, Windows
Phone, and BlackBerry. For detailed information, refer to the documentation suite in the DIGIPASS for APPS
product delivery package.

DIGIPASS for Web

DIGIPASS for Web is a Java applet that runs on an internet browser using cookies for data storage. For this
applet to work, cookies must be enabled on your internet browser. DIGIPASS for Web will also generate aone-
time password or Electronic Signature on demand. DIGIPASS for Web supports the Multi-Mode DIGIPASS Applic-
ation type.

Hybrid DIGIPASS: DIGIPASS 110 and DIGIPASS 760

DIGIPASS 110 and DIGIPASS 760 are hybrid devices, composed of a hardware and a software component.

IDENTIKEY Appliance 3.18 – Product Guide 25

 2. Overview of the OneSpan Authentication Solution

2.4.2.2. DIGIPASS Nano

The DIGIPASS Nano consists of a thin film that users can place on top of any SIM card, turning the phone into a
mobile security device capable of generating an OTP or Electronic Signature.

Image 17: DIGIPASS Nano

2.4.2.3. DIGIPASS 110

DIGIPASS 110 is a hybrid DIGIPASS authenticator combining the security of a hardware device with the portability of
a software DIGIPASS authenticator. This authenticator consists of a secure USB stick used with a Java applet on
the user's computer. It contains the cryptographic information used to generate a one-time password (OTP) for the
user on demand.

The distribution of the Java applet used with DIGIPASS 110 is handled by IDENTIKEY Appliance using provisioning
scenarios similar to software DIGIPASS authenticators (see 5. Software DIGIPASS Provisioning).

Image 18: DIGIPASS 110

2.4.2.4. Virtual Mobile Authenticator

Virtual Mobile Authenticator can be used instead of a hardware DIGIPASS authenticator, or as a backup mechanism
when users lose their hardware DIGIPASS authenticator.

Using Virtual Mobile Authenticator means that a user may receive a one-time password (OTP) via:

n Email
n SMS (over a mobile phone)
n Voice message (over a landline or mobile phone)

There are two forms of Virtual Mobile Authenticator available:

IDENTIKEY Appliance 3.18 – Product Guide 26

 2. Overview of the OneSpan Authentication Solution

n Primary Virtual Mobile Authenticator. Treated by IDENTIKEY Appliance almost identically to hardware and
software DIGIPASS authenticator – a record of each Primary Virtual Mobile Authenticator must be imported
into the data store, and may then be assigned to a user automatically or manually. Users will typically log
in with their user ID and static password, have an OTP sent to their phone or email account, and then enter
the received OTP in the second stage of their login.
n Backup Virtual Mobile Authenticator. This feature allows users to request an OTP sent to their phone or
email account if they do not have their usual DIGIPASS authenticator at hand. It may be limited by number
of uses or days of use, e.g. users may be limited to 2 days usage, after which they will again need to use
their usual DIGIPASS authenticator to log in.

2.5. DIGIPASS Licensing and Activation

2.5.1. Standard Licensing and Activation

The standard licensing model applies to models of the DIGIPASS authenticator that are pre-provisioned ex factory,
and software DIGIPASS using standard one-step activation.

The standard activation process involves generating an activation code and sending it to a software DIGIPASS sep-
arately or as part of the full activation data.

2.5.2. DIGIPASS Multi-Device Licensing and Activation

As of version 3.7, IDENTIKEY Authentication Server supports a new model for licensing and activating a
DIGIPASS authenticator: Multi-Device Licensing and Multi-Device Activation.

This new licensing and activation model applies to the following models of the DIGIPASS authenticator:

n E-signature DIGIPASS: DIGIPASS 760

n Software DIGIPASS: DIGIPASS for Mobile and DIGIPASS for APPS

Note
The new functionalities introduced in the context of Multi-Device Licensing, Multi-Device Activation, and the
Secure Channel feature are aimed at the banking security market only. This implies that certain of these func-
tionalities will not be available for typical enterprise security deployments.

Warning
The Multi-Device Licensing and Multi-Device Activation functionality using the Secure Channel feature requires a
SOAP provisioning and / or SOAP signature license!

With the Multi-Device Licensing model and its one-to-one relationship between a user account and a DIGIPASS
serial number license, a user account can optionally be bound to several DIGIPASS instances. Multi-Device Activ-
ation, which is an activation process in two steps, guarantees that only the intended end user can perform the
device activation.

IDENTIKEY Appliance 3.18 – Product Guide 27

 2. Overview of the OneSpan Authentication Solution

2.5.3. Multi-Device Licensing

With the Multi-Device Licensing model, each DIGIPASS serial number corresponds to a unique DIGIPASS license;
consequently, for each DIGIPASS device compliant with the Multi-Device Licensing model, the corresponding .dpx
file contains one DIGIPASS master activation application for each DIGIPASS license. These DIGIPASS instances are
represented in IDENTIKEY Authentication Server as DIGIPASS with a single DIGIPASS master activation application.

One DIGIPASS license allows to instantiate several DIGIPASS instances bound to the same DIGIPASS license.
DIGIPASS instances are not different from DIGIPASS activated in the standard process with regard to the rep-
resentation of DIGIPASS applications. IDENTIKEY Authentication Server creates the DIGIPASS instance(s) for a par-
ticular license during the Multi-Device Activation process.

The number of instances that can be activated for each DIGIPASS license is limited to a predefined threshold which
is configured by OneSpan at the time of order. A maximum number of 99 instances can be configured, and each
DIGIPASS instance can have from 1 to 8 DIGIPASS authentication or e-signature application(s). These DIGIPASS
instances are represented in IDENTIKEY Authentication Server as DIGIPASS with the same base serial number as
the bound DIGIPASS license, appended with the instance sequence number.

2.5.4. Multi-Device Activation

In the Multi-Device Activation process, two separate activation messages are used for activating the device(s). This
serves to guarantee that only the intended end user, and not an adversary who has intercepted one of the mes-
sages, can perform the activation. Multi-Device Activation is a different process from the standard software
DIGIPASS activation and requires DIGIPASS devices and .dpx files compliant with the Multi-Device Licensing model.
When a compliant DIGIPASS device is activated, settings and secrets are written into the device.

2.5.4.1. Master activation applications and activation messages

The Multi-Device Activation process uses the master activation application which contains an individual master
activation key for each DIGIPASS license. Every DIGIPASS license must be linked to a single user account. Two sep-
arate activation messages are used in the activation process; the first activation message (Activation Message 1)
allows activating a DIGIPASS license in the device, the second activation message (Activation Message 2) allows
activating a DIGIPASS instance of a license in the device.

Note
Both activation messages should be delivered to the end user via authentic channels. For instance, Activation
Message 1 should be delivered via a secure letter or e-mail and Activation Message 2 should be delivered via the
online banking application.

Activation Message 1 may be used several times to allow activation of multiple DIGIPASS instances (of one
DIGIPASS license) on multiple DIGIPASS devices, if necessary. The validity period for Activation Message 1 is con-
figurable in your IDENTIKEY Authentication Server policy. On the other hand, Activation Message 2 can be used for
effective activation for one DIGIPASS instance only.

IDENTIKEY Appliance 3.18 – Product Guide 28

 2. Overview of the OneSpan Authentication Solution

Note
Each DIGIPASS license will be used several times for activation of several DIGIPASS instances (in several DIGIPASS
devices) for one user account; however, only one license will be consumed for the activation of the different
DIGIPASS instances for one user account.

2.5.4.2. DIGIPASS instance sequence number

With each activation of a new DIGIPASS instance, IDENTIKEY Authentication Server will generate new DIGIPASS
applications. A sequence number will be incremented for each new DIGIPASS instance issued from the same
license. The number of instances which can be issued from a license will be limited to a pre-defined threshold
between 1 and 99 (configured by OneSpan at the time of order). The different DIGIPASS instances of one user
share the base serial number (the serial number of the DIGIPASS license), but will be appended with a unique
sequence number for the DIGIPASS instance. The keys of the DIGIPASS instance applications will be different for
each instance.

2.5.5. Secure Channel Feature

Secure Channel is an optional feature applicable to DIGIPASS devices compliant with the Multi-Device Activation
process (in the context of Multi-Device Licensing). The optional use of the secure channel feature after activation
of a DIGIPASS instance allows protecting the messages that are exchanged between the server- and the client-
side.

Note
The secure channel will be usable only if the Secure Channel feature has been ordered from and configured by
OneSpan at the time of order.

The Secure Channel feature applies a new protocol that uses payload keys to protect the confidentiality and
authenticity of the message's payload. A single master payload key is shared among all DIGIPASS instances linked
to a certain DIGIPASS license, enabling the end user to transparently use multiple DIGIPASS devices to answer the
transaction request message.

The Secure Channel feature requires the mandatory provisioning of a payload key represented on the server-side
by a payload key BLOB. In this case, first a payload key will have to be generated once for each DIGIPASS license.
The different DIGIPASS instances activated from one DIGIPASS license must share the same payload key. After the
activation, the payload key will protect the request and deactivation messages for exchange between the server
and the client devices that have been activated using a particular DIGIPASS license (for a particular user account).

The parameters used to generate the request body for Secure Channel messages can be configured via the Secure
Channel tab in the policy properties page of the Administration Web Interface.

If the Secure Channel feature has not been ordered, IDENTIKEY Authentication Server will not generate and pro-
vision any payload key.

IDENTIKEY Appliance 3.18 – Product Guide 29

 2. Overview of the OneSpan Authentication Solution

2.5.6. Push Notification via the DIGIPASS App

IDENTIKEY Authentication Server supports authentications via Push Notification - this authentication method uses a
push mode to enable the DIGIPASS App on a mobile device to authenticate the user. Refer to 3.6.2.6. Push–Noti-
fication-Based Authentication Process for an overview of the push–notification-based authentication process. For
detailed information on the DIGIPASS App, refer to the DIGIPASS App and DIGIPASS for Mobile product documents;
for detailed information on the Push Notification feature and required components, refer to the Push Notification
Getting Started Guide , which is part of the IDENTIKEY Authentication Server documentation suite. For detailed
information how to activate the DIGIPASS App and the required steps to upgrade the DIGIPASS App to enable Push
Notification, refer to the OneSpan User Websites Administrator Guide.

2.6. Server-Side

2.6.1. What is IDENTIKEY Authentication Server?

IDENTIKEY Authentication Server supports the deployment, use and administration of OneSpan DIGIPASS tech-
nology. It is designed to be easily usable with online applications and has a web-based Administration interface.

IDENTIKEY Authentication Server in the IDENTIKEY Appliance supports:

n DIGIPASS one-time password authentication

n DIGIPASS electronic signatures
n DIGIPASS software provisioning
n Administration and reporting
n Auditing
n Customized reporting
n Authentication management through a web based interface

2.6.2. What is the IDENTIKEY Appliance?

IDENTIKEY Appliance secures internal and remote access to network applications, and remote access to applic-
ations offered online. It is a stand-alone appliance providing an authentication solution based on IDENTIKEY
Authentication Server. Together with DIGIPASS technology providing the client-side component, the solution deliv-
ers strong two-factor authentication.

IDENTIKEY Appliance is a simple and cost-effective solution, which can easily be integrated into existing IT infra-
structures to support authentication in small to medium sized enterprises. The product integrates new usability fea-
tures described as a Configuration Tool together with the IDENTIKEY Authentication Server software, including:

n simple installation and maintenance

n remote support from OneSpan experts
n manual updating

IDENTIKEY Appliance 3.18 – Product Guide 30

 2. Overview of the OneSpan Authentication Solution

n simple licensing
n backup and restore functionality
n real time feedback on system status with statistics

2.6.2.1. Structure of IDENTIKEY Appliance

Image 19: IDENTIKEY Appliance Architecture

IDENTIKEY Appliance comprises:

n IDENTIKEY Authentication Server (see 2.6.1. What is IDENTIKEY Authentication Server?)

n Configuration Tool (see 2.6.2. What is the IDENTIKEY Appliance?)
n an internal database
n three user interfaces (see 9. Administration)
n IDENTIKEY Appliance Configuration Tool for system administrators, for installation and main-
tenance

IDENTIKEY Appliance 3.18 – Product Guide 31

 2. Overview of the OneSpan Authentication Solution

n IDENTIKEY Appliance Administration Web Interface, for system administrators to manage the daily
use of the system
n IDENTIKEY Appliance Rescue Tool, intended for administrators to manage some limited settings

IDENTIKEY Appliance supports client applications including:

n DIGIPASS Authentication for Windows Logon (SOAP)

n SOAP Authentication
n RADIUS Authentication
n IIS Authentication
n DIGIPASS Software Provisioning (SOAP)
n Electronic Signature Validation (SOAP)

Additionally the IDENTIKEY Appliance can call on back-end authentication with RADIUS or LDAP (for example
Microsoft Active Directory or NetIQ eDirectory).

2.6.2.2. Communication Protocols

Communication protocols include:

n RADIUS
n SOAP
n SEAL

RADIUS
The RADIUS protocol can support three services (RADIUS AAA):

n RADIUS Authentication is supported by IDENTIKEY Appliance (see 3.10. Supported RADIUS Protocols.
n RADIUS Accounting is supported by the IDENTIKEY Appliance. With a RADIUS back-end server, Accounting
requests are forwarded to the back-end server and handled by proxy. Without back-end authentication,
audit messages are generated.
n RADIUS Authorization handles requests for an authentication client to use a particular service. In the
RADIUS protocol, 'attributes' are used for authorization and configuration of the remote access session in
many cases. IDENTIKEY Appliance can return authorization attributes from the DIGIPASS user account, or
these attributes may be retrieved from a separate RADIUS server (i.e. a RADIUS back-end server).

An existing RADIUS server may be used as a Back-End System to allow dynamic creation of DIGIPASS user
accounts and verification of static passwords, or to retrieve RADIUS attributes for a user (see 3.8. User
Attributes).

SOAP
SOAP over HTTPS versions 1.1 and 1.2 are supported. Document Literal binding is used. A variety of SOAP cli-
ent SDKs have been tested.

SEAL
The SEAL protocol is a proprietary OneSpan protocol used by IIS module.

IDENTIKEY Appliance 3.18 – Product Guide 32

 2. Overview of the OneSpan Authentication Solution

2.6.3. What is the IDENTIKEY Virtual Appliance?

IDENTIKEY Virtual Appliance is a virtualized version of the physical IDENTIKEY Appliance supporting the most pop-
ular hypervisor products. It delivers the same security features and functionality as the standalone hardware
IDENTIKEY Appliance offering the benefits of virtualization, e.g. cost savings and rapid development and pro-
visioning.

2.7. IDENTIKEY Appliance in a RADIUS environment

IDENTIKEY Appliance can be used in a RADIUS environment in a number of ways, depending on your company's
requirements.

In the RADIUS protocol, attributes are used for authorization and configuration of the remote access session in
many cases. IDENTIKEY Appliance can return authorization attributes from the DIGIPASS user account; altern-
atively, a separate RADIUS server can provide these attributes instead.

In many cases, a RADIUS Client may be a dial-up Network Access Server (NAS), firewall/VPN appliance, Wireless
Access Point, or another device that uses the RADIUS protocol for user authentication. Some software applications
can also use RADIUS for authentication, and can therefore also act as RADIUS Clients.

Supported password protocols

The scenarios described in the following sections can be implemented with these supported password protocols:

n PAP
n CHAP
n MSCHAP
n MSCHAP2

Warning
When integrating IDENTIKEY Appliance into a RADIUS environment to provide authentication services, DIGIPASS
deployment should be done in accordance with only the following described scenarios. Deviating from these
advised scenarios may result in security vulnerabilities (e.g. brute force attacks).

2.7.1. Stand-Alone: RADIUS Attributes from DIGIPASS User Account

In this scenario, IDENTIKEY Appliance retrieves RADIUS attributes from the DIGIPASS user account and returns them
with an Accept message to the RADIUS client.

This scenario can be implemented with the following supported password protocols:

n PAP
n CHAP

IDENTIKEY Appliance 3.18 – Product Guide 33

 2. Overview of the OneSpan Authentication Solution

n MSCHAP
n MSCHAP2

Image 20: Stand-alone: RADIUS Attributes from DIGIPASS user account

2.7.2. Stand-alone: No RADIUS Attributes Required

This scenario is identical to 2.7.1. Stand-Alone: RADIUS Attributes from DIGIPASS User Account, except that it does
not use RADIUS attributes to authenticate users.

Image 21: Stand-alone: No RADIUS Attributes Required

IDENTIKEY Appliance 3.18 – Product Guide 34

 2. Overview of the OneSpan Authentication Solution

2.7.3. Wireless RADIUS

Using this method, the user only enters their OTP (and PIN, when required). IDENTIKEY Appliance has to learn the
static password for the user; as such, when the user gives the correct OTP, IDENTIKEY Appliance can send the
static password to the RADIUS server.

The Wireless RADIUS method can be used if one of the supported protocols is used. For a list of supported
RADIUS protocols, refer to 3.10. Supported RADIUS Protocols.

Image 22: IDENTIKEY Appliance with Wireless RADIUS

2.7.4. Proxy Target: RADIUS Server Acts as Proxy

In this scenario, a RADIUS server acts as a proxy for authentication, effectively delegating the authentication pro-
cess to IDENTIKEY Appliance. The RADIUS server provides the authorization attributes after IDENTIKEY Appliance
has accepted the user credentials.

A RADIUS server can forward authentication to IDENTIKEY Appliance if:

n The RADIUS server supports the proxying of authentication while returning attributes itself
n The RADIUS server can forward authentication request using one of the supported password protocols (as
listed in Supported password protocols).

IDENTIKEY Appliance 3.18 – Product Guide 35

 2. Overview of the OneSpan Authentication Solution

n The RADIUS server supports an access-challenge response from IDENTIKEY Appliance, if required. The
access-challenge mechanism is used for challenge/response and Virtual Mobile Authenticator, although it
is still possible to use Virtual Mobile Authenticator without that mechanism.

If the RADIUS server is capable, this scenario allows IDENTIKEY Appliance to operate in an environment that uses
certificate-based EAP protocols such as PEAP and EAP-TTLS. To make this work, the RADIUS server decrypts the
user credentials into a simpler protocol before forwarding the request to IDENTIKEY Appliance.

Image 23: IDENTIKEY Appliance with RADIUS Server Acting as a Proxy

2.7.5. Intermediary: RADIUS Server as Back-End Server

After validating the one-time password, IDENTIKEY Appliance forwards requests to a RADIUS server in order to
retrieve authorization attributes. It is necessary to provide a static password to the RADIUS server to achieve this.
There are two methods of implementing this scenario:

Login via OTP only

Using this method, the user only enters their OTP (and PIN, when required). IDENTIKEY Appliance has to learn
the static password for the user; this allows IDENTIKEY Appliance to send the static password to the
RADIUS server when the user provides the correct OTP.

IDENTIKEY Appliance 3.18 – Product Guide 36

 2. Overview of the OneSpan Authentication Solution

Image 24: RADIUS Server as Back-End Server (Users Log In with OTP Only)

This method can be used if:

n One of the supported password protocols is used (as listed in Supported password protocols).
n The static passwords can be 'learnt' by IDENTIKEY Appliance.

If the password protocol PAP is used, IDENTIKEY Appliance has the ability to learn the static passwords auto-
matically. The user then has to perform at least one login with their static password; if the RADIUS server
accepts the password, IDENTIKEY Appliance can learn it.

However, if one of the other password protocols is used, this process is not possible. In that case, there are a
few other ways in which the passwords can be learnt, through administrative data entry or using the OneSpan
User Websites.

Login via Password and OTP

Using this method, the user enters a static password and one-time password at each login. IDENTIKEY Appli-
ance validates the OTP; if the OTP is valid, it forwards the static password to the RADIUS server.

IDENTIKEY Appliance 3.18 – Product Guide 37

 2. Overview of the OneSpan Authentication Solution

Image 25: RADIUS Server as Back-End Server (Users Log In with Both Password and OTP)

This method can be used if the PAP password protocol is used. This is because IDENTIKEY Appliance uses
both CHAP and MSCHAP to hash the password and OTP together inseparably.

2.8. IDENTIKEY Appliance in a Web Environment

SOAP and SEAL can be used in a web environment. SOAP is available with IDENTIKEY Appliance,the SDK and the
DIGIPASS Authentication Modules such as DIGIPASS Authentication for Citrix StoreFront or DIGIPASS Authentication
for IIS Basic. SEAL supports the Citrix Web Interface.

2.8.1. SOAP Integration

IDENTIKEY Appliance has a SOAP module that can be used to integrate IDENTIKEY Appliance with web applications.
The IDENTIKEY Appliance SOAP Interface allows the following IDENTIKEY Appliance functions to be integrated into
web applications:

n User Authentication
n Signature Validation
n Software DIGIPASS Provisioning
n Administration
n Reporting

IDENTIKEY Appliance 3.18 – Product Guide 38

 2. Overview of the OneSpan Authentication Solution

2.8.2. DIGIPASS Authentication for IIS Basic

DIGIPASS Authentication for IIS Basic is an add-on designed for use with Microsoft Internet Information Services
(IIS). It can be configured to intercept authentication requests and redirect them to IDENTIKEY Appliance. DIGIPASS
Authentication for IIS Basic verifies the credentials with IDENTIKEY Appliance first.

Normally, this means verifying the one-time password. If the OTP is valid, then IDENTIKEY Appliance passes the
static password back to IIS as if the user had entered it, and the normal website authentication process completes
the login.

To enable verification via IDENTIKEY Appliance, it is necessary to provide a static password (typically the Windows
password) to IIS. There are two methods of implementing this:

Log in with OTP only

Using this method, the user only enters their OTP (and PIN, when required). IDENTIKEY Appliance has to learn
the static password for the user, so that when the user gives the correct OTP, it can give the static password
back to IIS.

IDENTIKEY Appliance 3.18 – Product Guide 39

 2. Overview of the OneSpan Authentication Solution

Image 26: IDENTIKEY Appliance in an IIS Web Environment (OTP-Only)

IDENTIKEY Appliance can automatically learn the static Windows passwords. The user has to perform at least
one login with their static password – if this password is validated by Windows, IDENTIKEY Appliance can
learn it.

The same process can also be used if the static passwords are held in a RADIUS server. However, the
IDENTIKEY Appliance license must have RADIUS support activated for this to be enabled.

This process is not possible if the static passwords are not Windows or RADIUS passwords. Such passwords
will need to be manually entered.

Log in with Password and OTP

Using this method, the user enters their static password and OTP at each login. IDENTIKEY Appliance validates
the OTP; if valid, IDENTIKEY Appliance returns only the static password to IIS.

IDENTIKEY Appliance 3.18 – Product Guide 40

 2. Overview of the OneSpan Authentication Solution

Image 27: IDENTIKEY Appliance in an IIS Web Environment (OTP+Password Login)

This method may be necessary when the static passwords are not Windows passwords, e.g. NetIQ eDirectory
passwords. It also may be suitable if you do not want IDENTIKEY Appliance to store your users' Windows pass-
words.

Note
IDENTIKEY Appliance strongly encrypts Windows passwords whenever it is configured to store them.

Warning
If your organization is impacted by the General Data Protection Regulation (GDPR), note that to be GDPR-
compliant, the respective DIGIPASS Authentication Modules must have use SSL enabled in the DIGIPASS
Authentication Configuration Center.

If tracing or diagnostic log files are used, ensure to configure log file rotation.

IDENTIKEY Appliance 3.18 – Product Guide 41

 2. Overview of the OneSpan Authentication Solution

2.9. IDENTIKEY Appliance With DIGIPASS Authentication for Windows Logon

DIGIPASS Authentication for Windows Logon provides strong authentication when logging on to Windows client
computers.

DIGIPASS Authentication for Windows Logon comprises:

n Client software which is installed on the Windows client

n Server-side functionality within the IDENTIKEY Appliance
n Password randomization (optional)

For more information, see 6. DIGIPASS Authentication for Windows Logon.

2.10. IDENTIKEY Appliance in a Wireless Environment

IDENTIKEY Appliance supports authentication over a wireless connection, using the RADIUS protocol (see Chapter
34. Wireless RADIUS).

2.11. EMV-CAP

IDENTIKEY Appliance supports three EMV-CAP compliant DIGIPASS applications, or modes (see Chapter 7. EMV-
CAP).

2.12. Static Password Management

Static passwords can be managed in the following ways:

n If you are using LDAP-based Microsoft Active Directory back-end authentication and want to prevent the
use of static passwords entirely, the password randomization feature can be used (see Section 6.5. Pass-
word Randomization). Password randomization replaces the user's static password with a randomized
password, unknown to the user. This forces use of the DIGIPASS OTP for future authentication.
n If you have certain applications that do not allow integrating one-time password authentication, so that
password randomization is not possible (as users would no longer know their static passwords),
IDENTIKEY Appliance needs to learn and update the static password.

There are two methods for this:

n Manually by setting up LDAP back-end authentication, users can enter their static password and
DIGIPASS OTP on first logon, and whenever the static password is changed. From the length of
the entry for logon, IDENTIKEY Appliance recognizes when a password needs to be stored or
updated.
n Automatically using Password Synchronization Manager.

IDENTIKEY Appliance 3.18 – Product Guide 42

 2. Overview of the OneSpan Authentication Solution

2.12.1. Password Synchronization Manager

Password Synchronization Manager (PSM) synchronizes password changes from Windows user accounts to the
IDENTIKEY Appliance. Password Synchronization Manager is installed on the domain controller and allows changes
to the Windows password to be automatically updated on the IDENTIKEY Appliance. The new Windows password
is reflected as the static password on the IDENTIKEY Appliance. When the Windows password is changed, it is
updated on the domain controller. Password Synchronization Manager checks if the IDENTIKEY Appliance is avail-
able before sending the new password so that the database can be updated.

For more information refer to the Password Synchronization Manager guides (see Section 1.1. IDENTIKEY Appli-
ance Documentation Set).

2.13. License Types

A license is necessary to enable the IDENTIKEY Appliance server module and certain client-side components.

Two levels of licensing are possible:

n Evaluation license, which lasts for a finite length of time and allows you to evaluate the product.
n Commercial license, which is the full operating license.

For more information about licensing, see 11. Licensing.

2.13.1. IDENTIKEY Appliance Server Licensing

IDENTIKEY Appliance requires a license key for each component. The license key comes as part of the license, and
is stored in the record in the data store. It is tied to the location (IP address) where the is installed—IDENTIKEY
Appliance listens on this IP address for requests, e.g. authentication requests.

IDENTIKEY Appliance will not authenticate a user without a valid license key, except to permit administration and
reporting.

The following items need to be enabled in the license key for the service to be available:

n RADIUS
n SOAP
n Authentication Scenario
n Electronic Signature Validation Scenario
n DIGIPASS Authentication for Windows Logon
n EMV-CAP
n HSM

Note
The license can be viewed in the Administration Web Interface, in the server component record (see 31. Server

IDENTIKEY Appliance 3.18 – Product Guide 43

 2. Overview of the OneSpan Authentication Solution

Components).

SEAL service does not require a server license and is activated by default.

2.13.2. Component Licenses

Some client components—such as the DIGIPASS Authentication Modules or DIGIPASS Authentication for Windows
Logon—require a license key to be loaded into their client component record. IDENTIKEY Appliance, to which they
connect, will otherwise reject all authentication requests from them.

SOAP and RADIUS Clients

SOAP and RADIUS functionality must be enabled in the IDENTIKEY Appliance license for these clients to be
operative.

DIGIPASS Authentication for Windows Logon

There are two pre-defined client components for DIGIPASS Authentication for Windows Logon. Whether a cli-
ent component license is required, depends on the client component used.

n DIGIPASS Authentication for Windows Logon is a pre-defined SOAP-based client component used for
DIGIPASS Authentication for Windows Logon 2.x. Client component records of this type require a valid cli-
ent component license.

A client component record of this type with location default is automatically created during installation. If
the client component used to serve an authentication request by a DIGIPASS Authentication for Windows
Logon client does not have a client component license, IDENTIKEY Appliance falls back on the client com-
ponent record with the default location. If the default client component record has no valid license loaded
either, the authentication request is rejected.

n Identikey Windows Logon Client is a pre- defined SEAL- based client component used for DIGIPASS
Authentication for Windows Logon 1.x. Client component records of this type do not require a client com-
ponent license. However, the SEAL and Windows Logon options must be enabled in the IDENTIKEY Appli-
ance license.

OneSpan User Websites

IDENTIKEY User Websites is a pre-defined SOAP-based client component used for OneSpan User Websites cli-
ents. Unlike other SOAP clients it does require a valid license key in the client component record. However, it
does not require SOAP authentication to be enabled in the IDENTIKEY Appliance license.

DIGIPASS Gateway
DIGIPASS Gateway is a pre-defined SOAP-based client component used for DIGIPASS Gateway clients in the
context of Push Notification. Unlike other SOAP clients it does require a valid license key in the client com-
ponent record. However, it does not require SOAP authentication to be enabled in the IDENTIKEY Appliance

IDENTIKEY Appliance 3.18 – Product Guide 44

 2. Overview of the OneSpan Authentication Solution

license.

For more information about client component licensing, see 30. Client Components.

2.13.3. Commercial Licensing

With the purchase of a commercial license, the licensing process requires the maintenance reference, serial num-
ber, IP address and other appliance-specific data to be registered on the VASCO Customer Portal. This information
identifies the appliance to OneSpan for the issue of a license file, which can be uploaded to make the fully oper-
ational. licensing is supported through the Licensing wizard (see Chapter 11. Licensing).

Once the is licensed, full functionality is available permanently.

2.13.4. Evaluation Licensing

Server licenses and client component licenses can be evaluation licenses.

With an evaluation license, the licensing process does not require a maintenance reference or serial number. The
IP address and other information need to be registered on the VASCO Customer Portal. A license file is issued,
which can be uploaded to make the IDENTIKEY Appliance fully operational. Licensing is supported through the
Licensing Wizard (see Chapter 11. Licensing).

Full functionality is available with an evaluation license for 45 days. After 45 days, the IDENTIKEY Appliance ser-
vices are made unavailable, although the Configuration Tool and the Administration Web Interface are accessible
for configuration and management.

2.14. VASCO Customer Portal

Image 28: Connection Between the IDENTIKEY Appliance and VASCO Customer Portal

The VASCO Customer Portal server handles:

n Licensing. This does not require direct connection to the IDENTIKEY Appliance. Licensing is supported
through the Licensing Wizard (see Chapter 11. Licensing).

IDENTIKEY Appliance 3.18 – Product Guide 45

 2. Overview of the OneSpan Authentication Solution

n Updating. This can be online, i.e. with a direct connection to the VASCO Customer Portal, or offline, i.e.
without a connection (see Chapter 16. Updating).
n Remote support. This requires a direct connection or use of a proxy server (see Section 24.2. Remote Sup-
port).

For a direct connection between the IDENTIKEY Appliance and the VASCO Customer Portal, settings on your organ-
ization's firewall needs to be adjusted (see Image 28: Connection Between the IDENTIKEY Appliance and
VASCO Customer Portal). For more information about the firewall ports used by IDENTIKEY Appliance refer to the
IDENTIKEY Appliance Administrator Reference.

The IDENTIKEY Appliance must be able to resolve the VASCO Customer Portal address (https://cp.onespan.com/) to
an IP address, i.e. the DNS server settings must be properly configured (see Chapter 10. Installation Con-
figuration).

2.15. PCI-DSS compliance

IDENTIKEY Appliance contains features which support the following PCI-DSS compliance requirements:

n Cryptographic Key Rotations

n Performance Monitoring
n PAN number not available/displayed in the clear
n Enhanced security for replicated data – SEAL over SSL
n OWASP testing
n Unused user account check
n Report to show inactive DIGIPASS
n Password management – imposing high strength passwords for administrator passwords
n Secure Auditing

IDENTIKEY Appliance 3.18 – Product Guide 46

 3. User Authentication Process

3. User Authentication Process

3.1. IDENTIKEY Appliance Authentication Process

IDENTIKEY Appliance authenticates logins via two methods:

n Local authentication: IDENTIKEY Appliance uses information from its own data store
n Back-end authentication: IDENTIKEY Appliance consults a back-end system to verify login information

The exact authentication process used by IDENTIKEY Appliance will vary depending on the applicable policy and
the DIGIPASS user account.

The following process overview describes how IDENTIKEY Appliance authenticates DIGIPASS users:

1. Verify that a client component record for the client application sending the authentication request exists in
the data store (see 3.3. Identifying the Component Record).
2. Determine which policy applies for the client component record (see 3.4. Identifying a Policy).
3. Perform several user checks (see 3.5. Looking Up and Checking the DIGIPASS User Account):
n Windows username/domain resolution (if used)
n Existence of a DIGIPASS user account
n Status of DIGIPASS user account (disabled, locked, expired, possible unlock)
4. Local authentication: If local authentication is used, authentication can occur in two ways (see 3.6. Local
Authentication):
n With a DIGIPASS authenticator: Verify a one-time password (OTP), Challenge/Response, or Virtual
Mobile Authenticator login.
n Without a DIGIPASS authenticator: Verify a static password.
5. back-end authentication: Check the provided password with another back-end system (see 3.7. Back-
End Authentication).
6. (OPTIONAL) If a Challenge/Response or Virtual Mobile Authenticator login is needed, provide a challenge or
OTP.
7. Audit and return the authentication result.

During the last step of the authentication process, IDENTIKEY Appliance may perform relevant database updates,
e.g. DIGIPASS user account lock.

3.2. Logging in with a DIGIPASS

The following table illustrates the typical login process for the three basic login methods supported by IDENTIKEY
Appliance.

IDENTIKEY Appliance 3.18 – Product Guide 47

 3. User Authentication Process

Table 1: Login methods

Response-Only Challenge/Response Virtual Mobile Authenticator
1. User enters user ID and one- 1. User enters user ID and pass- 1. User enters user ID and password/keyword.
time password. word/keyword. 2. User clicks OK to request a Virtual Mobile
2. User clicks OK to attempt a 2. User clicks OK to request a Authenticator login.
login. challenge/response login. 3. Authentication Server verifies if user is
3. Authentication Server 3. Authentication Server gen- allowed to use Virtual Mobile Authenticator.
authenticates user. erates a challenge. 4. Authentication Server generates an OTP and
4. User enters the challenge into sends it to the user.
DIGIPASS. 5. User receives the OTP (i.e. via SMS).
5. DIGIPASS generates an 6. User enters the password/keyword and
OTP from the supplied chal- OTP into the login window.
lenge. 7. User clicks OK to attempt a login.
6. User enters the OTP into the 8. Authentication Server authenticates user.
login window.
7. User clicks on OK to attempt a
login.
8. Authentication Server authen-
ticates user.

3.3. Identifying the Component Record

IDENTIKEY Appliance identifies a component requesting authentication by using:

Component Type
A name provided by the SOAP application, or a fixed name such as RADIUS Client, Citrix Web Interface ,
Outlook Web Access or Administration Program.

Location
The source IP address of the request.

Note
A client component with an IP address range (IPv4 CIDR notation) as component location will be used to handle
requests from any client within that IP address range. If two (or more) matching client components with over-
lapping IP address ranges are found, the client component with the smaller IP address range (more specific)
takes precedence and will be used to serve the request.

The processes for looking up and verifying a component varies according to the type of component, as outlined in
3.3.1. RADIUS Client Component Check and 3.3.2. DIGIPASS Authentication Module Component Check.

IDENTIKEY Appliance 3.18 – Product Guide 48

 3. User Authentication Process

3.3.1. RADIUS Client Component Check

For a RADIUS client, the following component checks are made:

Component Record exists

A component record for the RADIUS client must exist, otherwise the request is discarded without responding:

n Type = RADIUS Client

n Location = the source IP address of the request OR, if there is no RADIUS client at the specified location,
Location = default

Shared Secret is set

The component record must have a shared secret value set, otherwise the request is discarded without
responding.

Any RADIUS client which does not have an explicit component record will be handled using the default RADIUS cli-
ent component if it exists.

3.3.2. DIGIPASS Authentication Module Component Check

For a DIGIPASS Authentication Module component, IDENTIKEY Appliance checks whether a component record
for the DIGIPASS Authentication Module exists; if not, the request is discarded without responding:

n Type = one of the DIGIPASS Authentication Module component types

n Location = the source IP address of the request

For more information about client components, see 30. Client Components

3.4. Identifying a Policy

Policies specify various settings that affect all request handling processes. Each request is handled according to a
policy, which is identified by the applicable client record. For more information, see 32. Policies.

Note
Policies can also be assigned to server components. However, this feature is not relevant for the authentication
process.

For a full listing of possible policy settings and the preloaded policies available with the IDENTIKEY Appliance, refer
to the IDENTIKEY Appliance Administrator Reference.

IDENTIKEY Appliance 3.18 – Product Guide 49

 3. User Authentication Process

3.5. Looking Up and Checking the DIGIPASS User Account

IDENTIKEY Appliance performs a number of checks before proceeding to local authentication.

3.5.1. User ID and Domain Resolution

In the IDENTIKEY Appliance, DIGIPASS user accounts are identified using a user ID and a domain.

1. If entry fields for the user ID and domain are separate, name resolution ends and authentication con-
tinues. Otherwise simple name resolution continues in step 2.
2. If login uses a similar format to UPN: user@domain, simple name resolution continues to step 3. Other-
wise, default domain processing proceeds in step 5.
3. The IDENTIKEY Appliance searches for a domain record with the name given after the @ sign. If the domain
record is found, name resolution continues to step 4. Otherwise, default domain processing proceeds in
step 5.
4. The user ID and domain parts are separated out, name resolution ends and authentication continues.
5. If the Default Domain field has been configured for the policy, name resolution continues in step 6. Other-
wise, domain processing continues in step 7.
6. The user ID is used as entered, with the default domain from the policy. Domain resolution ends and
authentication continues.
7. The Master Domain is used, domain resolution ends and authentication continues. For more information
about the Master Domain, refer to Section 35.2. Master Domain and Practical Uses.

IDENTIKEY Appliance 3.18 – Product Guide 50

 3. User Authentication Process

Image 29: User ID and Domain Resolution

3.5.2. Windows Group Check

IDENTIKEY Appliance can use specific Windows Groups for authentication when all users are Windows accounts.
This Windows Group Check feature is optional, and might be useful in the following scenarios:

n DIGIPASS is deployed in stages. Users are not required to log in using a DIGIPASS until they are put into a
Windows group. Users can be placed into the group in manageable stages.
n Two-factor authentication is needed only for access to sensitive data, and access is granted to a specific
group of users (eg. administrators). This group of users will require DIGIPASS, and will be authenticated by
IDENTIKEY Appliance. Other users will be authenticated by another authentication method.
n Most users will have DIGIPASS and be permitted to log in to the system, but some users should not be
authenticated under any circumstances.

IDENTIKEY Appliance 3.18 – Product Guide 51

 3. User Authentication Process

n Authentication is needed for the live Audit Viewer connection to IDENTIKEY Appliance (i.e. when using Act-
ive Directory as the data store). The Group Check can be used to limit which users are allowed to connect,
for example, to the Domain Admins group.

Nested Groups
IDENTIKEY Appliance supports nested groups for Windows Group Check in the context of Active Directory. For more
information on nested groups, refer to the Microsoft documentation.

Warning
Enabling Nested Groups may cause performance issues in IDENTIKEY Authentication Server, due to:

n Too many groups in one domain

n Active Directory not optimally configured. Refer to the Microsoft documentation for more information.

When Windows Group Check is active, users who are in one of the defined groups go through the full authen-
tication process. However, there are a few Group Check Modes that control the outcome for users who are not in
one of the groups. The Group Check Mode is defined in the policy.

One or more Windows Groups must be defined in the Windows Group List in the relevant policy. The list items can
be searched and edited , groups can be added and removed as required. Group membership is checked within the
user's own domain only; these groups must exist in each domain where there are users who need to be included
in a group.

Note
When Windows Group Check is used, the login will fail if the group check fails. This will occur for a user who is
unknown to Windows.

The following Group Check modes are available:

3.5.2.1. 'Pass Back' Mode

The policy property sheet defines this mode as Pass requests for users not in listed groups back to host system. In
this mode,IDENTIKEY Appliance will not handle authentication for users who are not in one of the listed/defined
groups; instead, these users are handled by the host system (eg. IIS).

In effect, this means that such users do not need DIGIPASS user accounts, and they do not need to use a DIGIPASS
to log on. As soon as the group check indicates that the user is not to be handled, IDENTIKEY Appliance stops
authentication processing stops and returns a not handled result.

Pass back mode is suitable for staged deployment of DIGIPASS, and for cases where only certain users need strong
(DIGIPASS) authentication.

3.5.2.2. Reject mode

The policy property sheet defines this mode as Reject requests for users not in listed groups. In this mode,
IDENTIKEY Appliance rejects authentication immediately for users who are not in one of the defined / listed groups.

This mode is suitable for restricting which users are permitted to log in.

IDENTIKEY Appliance 3.18 – Product Guide 52

 3. User Authentication Process

3.5.2.3. Back-end mode

The policy property sheet defines this mode as Use only Back-End Authentication for users not in listed groups.
This mode can be used if back-end authentication is set up. For more information, refer to 3.7. Back-End
Authentication.

In this mode, IDENTIKEY Appliance will only use back-end authentication for users who are not in any defined/l-
isted groups.

Example
If RADIUS back-end authentication is used, the job of authenticating users not in the defined/listed groups is del-
egated to the RADIUS server. No lookup will be carried out for the DIGIPASS user account, and no further local
authentication will be carried out.

back-end authentication will be used for the out-of-group users, even if the policy setting for back-end authen-
tication is set to None. With such a policy setting, the in-group users would be authenticated only by local authen-
tication, while the out-of-group users would be authenticated only by back-end authentication. However, it is
necessary to define the Back-End Protocol Policy setting.

This mode is suitable for staged deployment of DIGIPASS, and for cases where only certain users need strong
(DIGIPASS) authentication.

3.5.3. Look up a DIGIPASS User Account

IDENTIKEY Appliance verifies that a DIGIPASS user account for the user attempting to log in exists in the data store.
The user ID and domain resolution performed earlier determines the search criteria to look up the DIGIPASS user
account.

If a DIGIPASS user account is found, the account status is verified (see 3.5.5. Verify DIGIPASS User Account Status).

If no DIGIPASS user account is found, then policy settings will determine whether IDENTIKEY Appliance continues
processing the authentication request or rejects it:

n If local authentication is required, a DIGIPASS user account must exist. It is only possible to proceed if the
Dynamic User Registration feature is enabled (see 3.5.4. Dynamic User Registration).
n If local authentication is not required, authentication processing can proceed without a DIGIPASS user
account.

If the Local Authentication Policy setting is None, local authentication is not required. If it is set to DIGIPASS/Pass-
word during Grace Period, DIGIPASS or Password, or Digipass Only, local authentication is required.

For more information about local authentication settings, see 3.6. Local Authentication.

IDENTIKEY Appliance 3.18 – Product Guide 53

 3. User Authentication Process

3.5.4. Dynamic User Registration

Dynamic User Registration (DUR) allows to create a DIGIPASS user account automatically when the user credentials
are validated using back-end authentication. The correct static password is sufficient to permit a DIGIPASS user
account to be created. DUR saves the administrative work of manually creating or importing DIGIPASS user
accounts.

DUR is typically used in conjunction with the following features:

n Auto-Assignment, where IDENTIKEY Appliance will select a random DIGIPASS authenticator and assign it to
the new DIGIPASS user account as it is created, or
n Self-Assignment, which will allow the new user to assign a DIGIPASS to their account as part of their login
process.

Note
When maker–checker authorization is enabled, assigning a DIGIPASS authenticator requires the approval of a
checker administrator. In that case, Auto-Assignment is not available.

For more information about DIGIPASS assignment features, see 28.3. Assigning DIGIPASS to Users.

In order to control the creation of new accounts, DUR can be used with the following features:

n Windows Name Resolution (mandatory for Active Directory)- this will prevent more than one DIGIPASS user
account being created for the same Windows user account, when they use different user ID formats to log
in.
n Windows Group Check , so that a staged creation of DIGIPASS user accounts and assignment of
DIGIPASS authenticator is achieved.

A typical DUR process using Auto-Assignment and Windows Group Check is illustrated below.

Note
If the data store is case-sensitive and IDENTIKEY Appliance has not been configured to convert user IDs and
domains to upper or lower case, it is possible for multiple DIGIPASS user accounts to be created for a single user
(when Dynamic User Registration is also enabled and configured).

For example, if IDENTIKEY Appliance is not configured to convert user IDs and domains to upper case and a user
logs in with jsmith on one occasion, and JSmith on another, two DIGIPASS user accounts may be created – jsmith
and JSmith.

Tip
LDAP Synchronization can be used as an alternative to Dynamic User Registration (see 25. LDAP User Syn-
chronization). However, there is a difference between these two methods:

IDENTIKEY Appliance 3.18 – Product Guide 54

 3. User Authentication Process

Dynamic User Registration is a one-off synchronization. Deletion or modifications to a user account are not
updated in the back-end authentication system .

LDAP Synchronization supports ongoing synchronization of deletions or modifications to a user account in the
back-end authentication system.

IDENTIKEY Appliance 3.18 – Product Guide 55

 3. User Authentication Process

Image 30: Dynamic User Registration (Process)

IDENTIKEY Appliance 3.18 – Product Guide 56

 3. User Authentication Process

3.5.5. Verify DIGIPASS User Account Status

IDENTIKEY Appliance verifies the status of the DIGIPASS user account found for the user attempting to log in.

1. If the DIGIPASS user account is disabled, the authentication request is rejected.

2. If the DIGIPASS user account has expired because a specified expiration date has passed, the authen-
tication request is rejected.

3. If the DIGIPASS user account has been suspended due to inactivity, the authentication request is rejected.

IDENTIKEY Appliance can be configured to force a DIGIPASS user account to be suspended if it is not used
for a specified amount of time. The number of days that a DIGIPASS user account can remain unused
before being suspended can be configured in the policy used to log in. This value will be checked and the
number of days since the last login will be calculated. If the DIGIPASS user account has been unused for
too long, login will be denied.

4. If the DIGIPASS user account is locked, IDENTIKEY Appliance verifies whether a user auto-unlock attempt is
possible (see 27.8. DIGIPASS User Account Auto-Unlock).

If any unlock retries are left and the calculated lock duration since the last authentication request has
elapsed, IDENTIKEY Appliance assumes a possible user auto-unlock attempt and allows the authen-
tication request.

3.6. Local Authentication

Local authentication is a term used to describe the IDENTIKEY Appliance authenticating a user based on inform-
ation in its data store. Typically the DIGIPASS one-time password is required, but in other cases a static password
may be sufficient.

The Local Authentication Policy setting indicates whether to perform local authentication, and if so, whether a
static password is permitted. This setting is overridden by the same setting in the DIGIPASS user account, unless
that has the value Default. However, this setting in the DIGIPASS user account would typically be used only for rare
special case users.

Note
The Local Authentication policy setting is relevant in the context of software DIGIPASS provisioning. For more
information, see 5. Software DIGIPASS Provisioning.

Using the Windows Group Check in Back-End mode, this setting can be overridden. If a user is not in the list of
groups, no local authentication will be performed.

The possible values for the local authentication setting are as follows:

IDENTIKEY Appliance 3.18 – Product Guide 57

 3. User Authentication Process

Default
Local authentication is handled as configured in settings inherited from the parent policy. For more inform-
ation about policies, refer to 32.2. Policies.

None
No local authentication will take place.

DIGIPASS/ Password during Grace Period

A DIGIPASS one-time password or static password may be verified. The user can authenticate with their static
password until they start to use a DIGIPASS authenticator. The grace period of the authenticator expires the
first time an OTP is used to log in (if it has not been set manually to expire prior to that). After the grace period
has expired, the user can only authenticate with their DIGIPASS authenticator.

DIGIPASS or Password
This authentication mode allows users to permanently use their static password or their
DIGIPASS authenticator, even after the grace period has expired and/or they have previously already used
their authenticator for authentication. In the context of the authentication scenario, use of this authentication
mode is subject to licensing. For provisioning, this authentication mode is license-free.

DIGIPASS Only
A DIGIPASS one-time password must be verified. Users without DIGIPASS will not be able to log in. However,
Self-Assignment is still possible, as an OTP is used as part of the process.

Note
It is also possible to configure user-specific policy settings local authentication. These settings will override those
set by the parent policy.

3.6.1. DIGIPASS Lookup

The first step of local authentication is to search for DIGIPASS records applicable to the login. Normally, this is a
simple search for all DIGIPASS assigned to the DIGIPASS user account. However, there are exceptions:

3.6.1.1. No DIGIPASS user account

If there is no DIGIPASS user account, no search will be done. This can occur if Dynamic User Registration is
enabled.

3.6.1.2. Policy Restrictions

The policy can specify restrictions on which types of DIGIPASS and/or DIGIPASS applications may be used. Any com-
bination of the following restrictions can be defined:

IDENTIKEY Appliance 3.18 – Product Guide 58

 3. User Authentication Process

Application Names
This refer to a list of named applications. Only DIGIPASS that have one or more of the named applications will
be usable.

Application Type
This can be either Response-Only, Challenge/Response or Multi-Mode. If application Type is set to Response-
Only or Challenge/Response, only DIGIPASS with that application type will be usable. With Multi-Mode, all
application types will match.

For more information, refer to 2.4. DIGIPASS Authenticator Types.

DIGIPASS Type
This is a list of models, such as DPGO3, DIGIPASS 260. Only DIGIPASS from the listed models will be
usable. For a more extensive list of DIGIPASS models, refer to 2.4.1. Hardware DIGIPASS authenticator.

Therefore, it is possible that a DIGIPASS user account that has a DIGIPASS assigned will not be able to use that
DIGIPASS to log in, when a certain policy applies. Such a user will be regarded as without a DIGIPASS in that case.
In a different kind of login, a different policy may apply, with no restrictions. In that case, the same user would be
regarded as with a DIGIPASS.

Example
A company has GO 3 DIGIPASS (DPGO3) and Primary Virtual Mobile Authenticator (DPVTL). The Outlook Web
Access login permits both, so its policy does not restrict DIGIPASS Types. However the RADIUS VPN login requires
the Go 3, so its policy specifies DIGIPASS Type = DPGO3.

3.6.1.3. Linked DIGIPASS user account

If a person has multiple DIGIPASS user account (e.g. an administrative account and a normal user account), those
accounts can be linked together. This provides the ability for the two accounts to share a DIGIPASS. In this case,
the DIGIPASS is assigned to one of the accounts, then the other account is linked to it.

When an authenticating DIGIPASS user account is linked to another, the search for DIGIPASS will be done for the
other account.

Note
The linked DIGIPASS user account feature supports Response-Only and Challenge/Response authentication,
Authentication Signature, Push Notification Authentication, and Push Notification Transaction Data Signing.

Example
DIGIPASS user account 2 is linked to DIGIPASS user account 1. The DIGIPASS is assigned to DIGIPASS user account
1. When DIGIPASS user account 1 logs in, the DIGIPASS search is for that account. When DIGIPASS user account 2

IDENTIKEY Appliance 3.18 – Product Guide 59

 3. User Authentication Process

logs in however, the DIGIPASS search is for DIGIPASS user account 1.

3.6.2. Authentication with DIGIPASS

When the DIGIPASS lookup returns at least one DIGIPASS record, authentication processing requires a valid one-
time password to succeed, unless:

n All DIGIPASS found are within a grace period.

n The user successfully requests a challenge for Challenge/Response (see below).
n The user successfully requests a Virtual Mobile Authenticator one-time password (see below).

3.6.2.1. Server PIN

A Server PIN may be required in addition to the one-time password; the Server PIN can be used together with the
OTP generated by the DIGIPASS authenticator as part of the online authentication process. The Server PIN is a digit-
based secret, entered by the user during login with the OTP instead of a DIGIPASS PIN, which is entered into the
DIGIPASS authenticator- refer to Section 28.1. DIGIPASS Client PIN for more information. The entered Server PIN
and OTP are checked by the authenticating server, and server only permits verification of the OTP if submitted with
a valid Server PIN. The additional Server PIN thus provides an extra layer of security, a two-factor security solution.
To authenticate, the user needs to have a connection to the authenticating server, know the Server PIN (something
you know), and to be in possession of the DIGIPASS device (something you have) to generate an OTP.

In some cases a new Server PIN may need to be set. A user's Server PIN can be reset either manually by an
IDENTIKEY Authentication Server administrator, or in the course of assigning a DIGIPASS authenticator. When using
the DIGIPASS Self-Assignment or Auto-Assignment feature of IDENTIKEY Appliance, the user can reset their Server
PIN. When the Assignment Mode is set to Self-Assignment-Pin-Reset or Auto-Assignment-Pin-Reset, the user's
Server PIN is automatically reset. This is an optional feature and does not require any administrator action, once
the option has been enabled in the DIGIPASS properties and/or the relevant policy settings have been set accord-
ingly.

The following permutations of OTP and Server PIN are possible:

n OTP: the normal login where a Server PIN is not required.

n PINOTP: the normal login where a Server PIN is required and is entered before the OTP.
n PINOTPnewpinnewpin: to change the Server PIN, the new PIN is put twice after the OTP.
n OTPnewpinnewpin: to set the Server PIN on first use, when no initial PIN was programmed, the new PIN is
entered twice after the OTP. This is also necessary after an administrative PIN reset.

Server PIN run-time information is provided through the Administration Web Interface by selecting a specific
DIGIPASS record (see Table 2: Server Settings Regulating Server PINs).

Table 2: Server Settings Regulating Server PINs

Setting Explanation
PIN Supported Factory default built-in technology - controls whether a PIN must be included
in a user's login. (Only active if PIN Enabled setting is active.)

IDENTIKEY Appliance 3.18 – Product Guide 60

 3. User Authentication Process

Table 2: Server Settings Regulating Server PINs (continued)

Setting Explanation

PIN Enabled Factory default setting forcing a Server PIN to be used for login. (Only possible
if PIN Supported setting is active.)
PIN Change On Enables a user to change their Server PIN for this DIGIPASSdevice.
Force PIN Change Forces the user to change their Server PIN upon next login.
PIN Length The length of the current Server PIN.
PIN Minimum Length The minimum PIN length required by the server.

Server PIN States

The following diagram illustrates the different Server PIN states and which user/administrator actions result in each
one:

IDENTIKEY Appliance 3.18 – Product Guide 61

 3. User Authentication Process

Image 31: Server PIN States and Actions

When a server is in the PIN SET CHANGE FORCED state, its corresponding user is forced to change PINs upon login.
Once the user changes the PIN (user action <PIN><OTP><NewPIN><NewPIN>), the server state changes to PIN
SET.

For more information on other user and administrator actions that affect Server PIN states, refer to Section 28.4.
DIGIPASS Record Functions.

IDENTIKEY Appliance 3.18 – Product Guide 62

 3. User Authentication Process

3.6.2.2. Grace Period

Each DIGIPASS authenticator may be given a Grace Period when it is assigned to a DIGIPASS user account. This is
the default period (in days) between Auto-Assignment of a DIGIPASS authenticator and the date for users to start
using their authenticator to log in (if applicable). The grace period allows some time for users to continue using
their static password before they receive the DIGIPASS authenticator and learn how to use it. The grace period auto-
matically expires the first time an OTP is used to log in, i.e. after the OTP has been successfully validated (if it has
not been set manually to expire prior to that in the relevant policy).

The grace period does not apply when the Local Authentication mode in a policy is set to Digipass Only. When local
authentication in the relevant policy is set to DIGIPASS/Password during Grace Period, the user can authenticate
with their static password until the grace period has expired; after that they can only authenticate with their
DIGIPASS authenticator. When local authentication is set to DIGIPASS or Password, users can choose to use either
their static password or their DIGIPASS authenticator, even if they have already used their DIGIPASS authenticator,
independent of grace period restrictions.

The grace period can be set during manual administrative assignment of DIGIPASS records as well as during Auto-
Assignment. The grace period does not apply to Self- Assignment , because the user must use the
DIGIPASS authenticator to complete the Self-Assignment process.

3.6.2.3. Grace Period and Policy Restrictions

Because an applied policy might restrict which DIGIPASS authenticator can be used during a login, the grace period
for each DIGIPASS authenticator is independent of other DIGIPASS authenticators. This means that if a user is
assigned two DIGIPASS authenticators, each with a grace period of seven days, the user may log in using one
DIGIPASS within the seven-day period (ending the grace period for that DIGIPASS) without affecting the grace
period for the other DIGIPASS.

Example
The company has set up policies which require a Response-Only login via the local area network, and a Chal-
lenge/Response login via the internet; limited to certain employees. The local authentication mode is set to
DIGIPASS/Password during Grace Period.

Jane has two DIGIPASS authenticators assigned to her – a DIGIPASS 300 with the Challenge/Response applic-
ation enabled, and a DIGIPASS GO 3 with a Response-Only application. The DIGIPASS authenticators are both
assigned to her on Tuesday. Jane receives her DIGIPASS GO 3 on Friday, and immediately uses an OTP to login.
The grace period for her DIGIPASS GO 3 authenticator ends at that time – as of now she must use the DIGIPASS
GO 3 when logging into the intranet from the LAN.

Over the weekend, Jane needs to access the company intranet from home. Because a Challenge/Response
login is required via the internet and she does not yet have her DIGIPASS 300 authenticator, she uses only her
user ID and static password to log in. As she is still within the grace period for her DIGIPASS 300, the login is valid.

During the grace period, if OTP validation fails, the static password is checked. For more information on the static
password check during an authentication attempt, see Section 3.7. Back-End Authentication If the static password

IDENTIKEY Appliance 3.18 – Product Guide 63

 3. User Authentication Process

is valid, local authentication succeeds. However, the overall login can still fail if back-end authentication is
enabled.

The password is compared against the DIGIPASS user account's password value. However, if the DIGIPASS user
account does not have a password set, the password has to be verified with back-end authentication. With back-
end authentication disabled and without a password in the DIGIPASS user account, grace period password logins
will not work.

If the passwords do not match and back-end authenticationis enabled, the password will be verified with back-
end authentication.

3.6.2.4. Challenge Generation

There are two modes of generating a challenge for Challenge/Response DIGIPASS applications:

2-Step Challenge/Response
n This mode can be used for Web authentication, where Challenge/Response is supported. In this mode,
the authentication process takes place in two steps.

First, the user requests a challenge to be generated for them. The following policy settings define how this request
should be made:

n Request Method
n Request Keyword.

The challenge is generated specifically for their DIGIPASS and in accordance to the specified settings. For more
information about these settings, refer to 3.6.2.9. Request Method and Keyword.

Assuming that the request for the challenge is accepted and a challenge is returned, the user submits a second
step login with the response to the challenge as their OTP. This second step goes through the whole authen-
tication process again to verify the response.

1-Step Challenge/Response
This mode is also possible for Web authentication, where Challenge/Response is supported. In this mode, the user
sees only one logon step. This mode is suitable for time-based Challenge/Response, but is less secure for non-
time-based Challenge/Response. If an attacker manages to capture some valid responses, they can repeatedly
request new challenges until one they know comes up again.

In this mode, a random challenge is requested automatically by the Web application and presented to the user on
the login page. A general-purpose challenge is generated, without reference to any particular DIGIPASS' pro-
gramming. The user logs in with their response to the challenge as their OTP.

3.6.2.5. Secure Channel-Based Authentication Process

For authentication transactions via the Secure Channel feature, IDENTIKEY Authentication Server generates a
request message, based on the transaction details provided via the client application or a custom request body,
and delivers it to the client application. The request message is generated by IDENTIKEY Authentication Server

IDENTIKEY Appliance 3.18 – Product Guide 64

 3. User Authentication Process

upon the Get Secure Challenge and Get Signing Request commands, and is bound to the
DIGIPASS authenticator selected for the relevant transaction. The client application then generates either a QR
code or a color QR code, which represents this request message, and delivers it to the end user, who scans this
image, using a DIGIPASS authenticator that is compliant with the Secure Channel feature. The
DIGIPASS authenticator generates a response for this request message which the end user enters into the client
application; IDENTIKEY Authentication Server validates this response and returns the result to the client application
which completes the signature authentication process.

3.6.2.6. Push–Notification-Based Authentication Process

Push Notification can be used as an out-of-band (OOB) authentication method employing a push mode to enable
client applications on mobile devices, e.g. DIGIPASS App, to authenticate a user. The user receives a notification
prompt on the mobile device during the authentication process, and completes the authentication process by tap-
ping on the device (push and login).

For a typical user authentication process via Push Notification, the user initiates the authentication process by
providing their user ID/domain and a keyword, and enter their static password. The following policy settings spe-
cify how this request should be defined:

n Request Method
n Request Keyword

After receiving the corresponding request from the application server, IDENTIKEY Authentication Server generates
the required push notification message, and communicates this to the Message Delivery Component (MDC). The
MDC sends the Push Notification request to the OneSpan Notification Gateway. The DIGIPASS App retrieves the
push notification details from DIGIPASS Gateway and requests the user to confirm if they wish to log on to the spe-
cified client application. When the user confirms this and accepts the push–notification-based authentication, the
DIGIPASS App authenticates against IDENTIKEY Authentication Server via the DIGIPASS Gateway. IDENTIKEY
Authentication Server processes this request, and in case of success returns the authentication to the client applic-
ation; the user is informed via the client application that their authentication has succeeded.

For more information on this feature, refer to the DIGIPASS Push Notification - Getting Started Guide. For more
information on the DIGIPASS Gateway, refer to the DIGIPASS Gateway product documentation; for more information
on the DIGIPASS App, refer to the DIGIPASS App and DIGIPASS for Mobile product documentation.

3.6.2.7. Virtual Mobile Authenticator OTP Generation

Using Virtual Mobile Authenticator, the authentication process takes place in two steps:

First, the user requests an OTP to be generated and delivered to them. The following policy settings define how
this request should be made:

n Request Method
n Request Keyword
n Delivery method (SMS, Email, and/or Voice)

IDENTIKEY Appliance 3.18 – Product Guide 65

 3. User Authentication Process

The OTP is then sent to the user's mobile phone number or email address recorded in the DIGIPASS user account.
For more information about Request Method and Request Keyword settings, refer to 3.6.2.9. Request Method and
Keyword.

Backup Virtual Mobile Authenticator have additional available restrictions on usage, to minimize the cost of usage.
These are verified before an OTP will be generated. The restrictions are described in Chapter 28. DIGIPASS.

Assuming that the request for the OTP is accepted and an OTP is generated and delivered successfully, the user
submits a second step login with the OTP. This second step goes through the whole authentication process again
to verify the OTP.

This process occurs as follows:

1. User requests a Virtual Mobile Authenticator login.

2. IDENTIKEY Appliance generates a one-time password.
3. IDENTIKEY Appliance sends the one-time password, delivery method, and mobile phone number or email
address to the Message Delivery Component.
4. The Message Delivery Component passes the information to either of the following:
n SMS gateway, which sends a text message containing the one-time password to the user's
mobile phone.
n Mail server, which sends an email containing the one-time password to the user's email address.
n Voice gateway, which sends a text message containing the one-time password to the user's
phone.
5. User receives the one-time password.
6. User enters one-time password into login window.
7. IDENTIKEY Appliance authenticates login as usual.

3.6.2.8. Requesting a Virtual Mobile Authenticator OTP: User Perspective

There are three ways a user might request a one-time password to be delivered with either a Primary or Backup Vir-
tual Mobile Authenticator:

2-step Login
Two login prompts are used to provide an easy-to-use login interface for users with Virtual Mobile Authentic-
ator. The first prompt is used to request an OTP, and the second is for entering the received OTP. This can be
used with applications which support 2-step logins eg. Citrix Web Interface, RADIUS with support for Chal-
lenge/Response

Two 1-step Logins

The user must attempt two logins, the first of which will fail but will initiate the sending of an OTP to the user.
This is used when the 2- step login process is not supported - eg. RADIUS without support for Chal-
lenge/Response Web HTTP Basic Authentication.

IDENTIKEY Appliance 3.18 – Product Guide 66

 3. User Authentication Process

OTP Request Site

Alternatively, users can go to the OTP Request site when they need an OTP sent, then login normally at the
usual login screen. This method is preferable if a more user-friendly option than the previous is needed.

For more information on the OTP Request Site, refer to the IDENTIKEY Authentication Server Websites Admin-
istrator Guide.

3.6.2.9. Request Method and Keyword

For 2-Step Challenge/Response and Virtual Mobile Authenticator, the method of requesting a challenge or OTP
respectively can be defined in the policy. The methods for Primary and Backup Virtual Mobile Authenticator are
defined separately. The request methods are:

n Password - the static password.

n Keyword - a fixed keyword, which can be blank.
n PasswordKeyword - the static password followed by a fixed keyword, with no whitespace or separating
characters in between.
n KeywordPassword - a fixed keyword followed by the static password, with no whitespace or separating
characters in between.
n KeywordOnly - use the fixed keyword only.
n None - no method, the feature is disabled.

Note
If password is set for the Request Method, and a user's DIGIPASS is still within the grace period, IDENTIKEY Appli-
ance may process the authentication with the password only and not as a 2-Step Challenge/Response or Virtual
Mobile Authenticator login.

The static password in the request method is compared against the DIGIPASS user account's password value.
However, if the DIGIPASS user account does not have a password set, the password has to be verified with back-
end authentication. If there is no back-end authentication and no password in the DIGIPASS user account, the
request methods that use a password will not work.

If the passwords do not match and back-end authentication is enabled, the password will be verified with back-
end authentication.

The methods of requesting these three login processes can be the same. When it recognizes a request, the
IDENTIKEY Appliance will verify that there is a DIGIPASS capable of that login process. If there is not, it will ignore
the request.

For example, say that the request methods for Primary and Backup Virtual Mobile Authenticator are both defined
as keyword otp. A user has a Go 3 with Backup Virtual Mobile Authenticator enabled. When they login with the
keyword otp, the IDENTIKEY Appliance will produce a Backup Virtual Mobile Authenticator OTP, because the user
does not have a Primary Virtual Mobile Authenticator.

IDENTIKEY Appliance 3.18 – Product Guide 67

 3. User Authentication Process

3.6.2.10. Multiple DIGIPASS or DIGIPASS Applications

DIGIPASS users may have multiple DIGIPASS assigned to their user accounts. Those DIGIPASS may have multiple
applications enabled for a DIGIPASS. If so, the IDENTIKEY Appliance will need to know:

1. Whether a user is allowed to have multiple DIGIPASS applications assigned.

2. Which DIGIPASS and DIGIPASS Application will be used for a particular login of the user.

The following diagram illustrates an example of how DIGIPASS authenticators and applications can be assigned.

Image 32: Multiple DIGIPASS Assignments

You can configure whether to allow the use of multiple DIGIPASS applications per user. By default, this setting is
enabled.

IDENTIKEY Appliance 3.18 – Product Guide 68

 3. User Authentication Process

Note
As of version 3.7, IDENTIKEY Authentication Server also supports the DIGIPASS Multi-Device Licensing and Activ-
ation model.

One DIGIPASS license allows to instantiate several DIGIPASS instances bound to the same DIGIPASS license.
DIGIPASS instances are not different from DIGIPASS activated in the standard process with regard to the rep-
resentation of DIGIPASS applications. IDENTIKEY Authentication Server creates the DIGIPASS instance(s) for a par-
ticular license during the Multi-Device Activation process.

For more information on Multi-Device Licensing and Activation, refer to Section 2.5. DIGIPASS Licensing and Activ-
ation.

Aside from configuring whether multiple DIGIPASS applications per user is allowed, you can also restrict which
DIGIPASS Application is allowed for a specific policy. With this kind of restriction, IDENTIKEY Appliance will only
verify OTP against that type of DIGIPASS Application. So if a policy restricts allowed DIGIPASS Applications to
Response-Only, then IDENTIKEY Appliance will verify all OTP only against RO applications assigned to a user.

When considering whether to allow multiple DIGIPASS Applications per user and/or which DIGIPASS Applications to
allow, consider the following table. This table explains how IDENTIKEY Appliance authenticates OTP from each
DIGIPASS user account, given the following possible scenarios:

Table 3: OTP Authentication for Scenarios Involving Multiple and Single DIGIPASS Applications
Scenario DIGIPASS user account 1 DIGIPASS user account 2 DIGIPASS user account 3
Multiple DIGIPASS Applic- OTP is authenticated against all OTP is authenticated against all OTP is authenticated against
ations allowed, no policy DIGIPASS Applications from assigned DIGIPASS Applications from the DIGIPASS Application from
restrictions on DIGIPASS DIGIPASS authenticators. assigned DIGIPASS authenticators. assigned DIGIPASS authen-
Applications. ticators.
Multiple DIGIPASS Applic- OTP is authenticated only against OTP is authenticated only against OTP is authenticated against
ations allowed, only RO application1 of both assigned application 1 of assigned application 1 of
applications allowed. DIGIPASS authenticators. DIGIPASS authenticators. assigned DIGIPASS authen-
ticators.
Single DIGIPASS Applications IDENTIKEY Appliance detects multiple IDENTIKEY Appliance detects mul- OTP is authenticated against
allowed, no policy restric- DIGIPASS Applications assigned and tiple DIGIPASS Applications assigned DIGIPASS Application from
tions on DIGIPASS Applic- immediately fails the login attempt. and immediately fails the login assigned DIGIPASS authen-
ations. attempt. ticators.
Single DIGIPASS Applications IDENTIKEY Appliance detects multiple IDENTIKEY Appliance detects one RO OTP is authenticated against
allowed, only RO applications RO DIGIPASS Applications assigned assigned, and authenticates OTP DIGIPASS Application from
allowed. and immediately fails the login against this application. assigned DIGIPASS authen-
attempt. ticators.

3.6.3. Authentication without DIGIPASS

When the DIGIPASS lookup does not return a DIGIPASS record, authentication processing requires a static password
check to succeed. In addition, Self- Assignment is possible when the DIGIPASS lookup does not return any
DIGIPASS.

IDENTIKEY Appliance 3.18 – Product Guide 69

 3. User Authentication Process

3.6.3.1. Static Password Verification

With Static Password Verification, the password is compared against the DIGIPASS user account's password value.
If the static password is valid, local authentication succeeds (but note that back-end authentication, if used, can
subsequently still cause the overall login to fail).

Note
In this scenario, back-end authentication (if used) can still subsequently cause the overall login to fail.

However, if the DIGIPASS user account does not have a password set, the password has to be verified with back-
end authentication. If back-end authentication is disabled and there is no password in the DIGIPASS user account,
authentication without DIGIPASS cannot work. Similarly, during Dynamic User Registration (where there is no
DIGIPASS user account yet) the password has to be verified with back-end authentication.

If the passwords do not match and back-end authentication is enabled, the password will be verified with back-
end authentication.

If the Local Authentication setting is Digipass Only, static password verification on its own is not permitted. An OTP
must be used during login. This is possible using Self-Assignment.

3.6.3.2. Self-Assignment
A user can assign a DIGIPASS to their DIGIPASS user account using the Self-Assignment mechanism, when per-
mitted by the policy settings. The Assignment Mode setting must be Self-Assignment.

For Self-Assignment to succeed, the user needs to provide the following:

n A static password, validated by back-end authentication

n The serial number of an available DIGIPASS record
n A valid OTP for the DIGIPASS
n A new Server PIN, if required

The Self-Assignment process is possible during Dynamic User Registration. It is also possible when the Local
Authentication setting is Digipass Only.

When using the DIGIPASS Self-Assignment or Auto-Assignment feature of IDENTIKEY Appliance, the user can reset
their Server PIN. When the Assignment Mode is set to Self-Assignment-Pin-Reset or Auto-Assignment-Pin-Reset,
the user's Server PIN is automatically reset. This is an optional feature and does not require any administrator
action, once the option has been enabled in the DIGIPASS properties and/or the relevant policy settings have been
set accordingly.

Response-Only and Self-Assignment

For a DIGIPASS that supports Response-Only the user needs to enter the following in the password login field,
depending on whether a Server PIN is needed or not:

n SERIALNUMBERpasswordOTP – where a Server PIN is not required.

n SERIALNUMBERpasswordPINOTP – where a Server PIN is required.
n SERIALNUMBERpasswordOTPnewpinnewpin – where a Server PIN is required and no initial PIN was set.

IDENTIKEY Appliance 3.18 – Product Guide 70

 3. User Authentication Process

Challenge/Response and Self-Assignment

For a DIGIPASS that supports only Challenge/Response this process requires two steps. In the first step, the static
password and serial number are given. This results in a challenge being returned. If the correct response is given
to the challenge, the self-assignment is successful.

n Step 1: SERIALNUMBERpassword
n Step 2: OTP

Serial Number Format

The SERIALNUMBER may be entered in one of two formats, depending on the Serial No. Separator Policy set-
ting:

n No separator specified – the full 10 digit serial number must be entered, with no dashes (-) or spaces; e.g.
0097123456.
n Separator value specified – the serial number can be entered as written on the back of the DIGIPASS; e.g.
9-712345-6.

3.7. Back-End Authentication

Back-end authentication describes the process of checking user credentials with another system. It is used primar-
ily for:

n Enabling automatic management features such as Dynamic User Registration and Self-Assignment
n Static password verification for users who do not have a DIGIPASS and for Virtual Mobile Authenticator
n Retrieval of RADIUS attributes from a RADIUS server
n Password replacement to allow the user to log in with just a one-time password, in an environment where
the Windows password is required (e.g. Outlook Web Access)

IDENTIKEY Appliance supports back-end authentication with the following systems:

n RADIUS
n Microsoft Active Directory (via LDAP)
n NetIQ eDirectory (via LDAP)
n IBM Security Directory Server (via LDAP)

The back-end authentication setting indicates whether to perform back-end authentication, and if so, when to do
it. This setting is overridden by the same setting in the DIGIPASS user account, unless that has the value Default.
However, this setting in the DIGIPASS user account would typically be used only for rare special case users.

Using the Windows Group Check in Back-End Mode, this setting can be overridden. If a user is not in the list of
groups, back-end authentication will be performed whether it is enabled or not.

The Back-End Protocol setting indicates which type of back-end authentication should be used. The possible val-
ues for the back-end authentication setting are as follows:

IDENTIKEY Appliance 3.18 – Product Guide 71

 3. User Authentication Process

None
The IDENTIKEY Appliance will not utilize back-end authentication.

Always
The IDENTIKEY Appliance will use back-end authentication for every authentication request.

This setting is required, if you want to use offline authentication for DIGIPASS Authentication for Windows
Logon.

If Needed
back-end authentication will only be used in situations where local authentication is not sufficient and to sup-
port certain features:

n Dynamic User Registration

n Self-Assignment
n Password Autolearn (see below)
n Requesting a challenge or Virtual Mobile Authenticator OTP, when the request method includes a pass-
word
n Static password authentication, when verifying a Virtual Mobile Authenticator password-OTP combination
or during the grace period

Note
When a static password is used it is first verified with the stored static password, if one is used. If the static pass-
word matches the stored static password, no back-end authentication is carried out.

If the static password does not match the stored static password, or the stored static password is not available,
then back-end authentication will be performed.

3.7.1. Stored Static Password

The DIGIPASS user account has a Stored Static Password field. When back-end authentication is used, this field
can be used to:

n Store the static password required for back-end authentication. This means that the user does not need to
type in the static password at each login; they only need enter the OTP. The IDENTIKEY Appliance can
retrieve the stored static password from the DIGIPASS user account and use it for back-end authentication.
n Support password replacement. Back-end authentication is used to learn the static password so that it
can be replayed to the host system (eg. Outlook Web Access) when a successful OTP is given.

IDENTIKEY Appliance 3.18 – Product Guide 72

 3. User Authentication Process

3.7.2. Stored Password Proxy

When the Stored Password Proxy setting is enabled in the policy, the IDENTIKEY Appliance will retrieve the stored
static password from the DIGIPASS user account. If back-end authentication is required for a login, the stored static
password will be used. If there is a host system (eg. Outlook Web Access), the stored static password will be
returned to it, for it to complete its login process.

However, if the user enters a static password in front of their OTP, the static password they enter will take pre-
cedence over the stored static password. In that case, the stored static password will not be used at all for that
login.

When the Stored Password Proxy setting is not enabled in the policy, the stored static password will not be used
for back-end authentication. If back-end authentication is required for a login, the user will have to enter the static
password. This is done in front of the OTP if an OTP is also used. Similarly, if there is a host system that requires a
static password to be returned, the user will have to enter the static password.

3.7.3. Password Autolearn

When the Password Autolearn setting is enabled in the policy, the IDENTIKEY Appliance will automatically store the
static password when it is verified by back-end authentication. This can happen at any time from Dynamic User
Registration onwards.

If the user's static password has changed in the back-end authentication system, they will need to provide the
new static password during their next login. This is done in front of the OTP if an OTP is used. When the IDENTIKEY
Appliance sees that the user has entered a static password, if it does not match the stored static password
already, back-end authentication will occur to verify the new password. If it is verified, the stored static password
will be updated.

3.7.4. Back-End Server Records

A back-end server record is required when IDENTIKEY Authentication Server uses a RADIUS or LDAP server for
authentication. It is possible to create more than one back-end server record, for fail-over purposes. You can also
allocate different back-end servers for different user domains.

A back-end server record contains connection information for the system to be used. Typically, only one back-end
server record will be required for LDAP back-end authentication, whereas RADIUS back-end authentication will
require a record per RADIUS server to be used.

3.7.4.1. Fail-over Strategy

Each back-end server record is assigned a Priority. This comes into effect when multiple back-end servers are
available, and the IDENTIKEY Appliance must decide which to use for a back-end authentication request. It will

IDENTIKEY Appliance 3.18 – Product Guide 73

 3. User Authentication Process

attempt to connect to the back-end server with the highest priority rating. If it is not available after the set number
of retries, the IDENTIKEY Appliance will attempt to connect to the back-end server with the next-highest priority rat-
ing.

If the IDENTIKEY Appliance repeatedly fails to get a response from a back-end server, it will ignore it for some
minutes before trying it again. Therefore, a temporary slow response will not prevent the IDENTIKEY Appliance
from using a back-end server. But a consistent availability problem will cause it to stop using the back-end server
for a while, when it has an alternative.

3.7.4.2. Domain-Specific Back-End Servers

Back-end server records may be configured for use with a specific domain. This may be useful when multiple
back-end servers exist with different groups of user records on each.

When the IDENTIKEY Appliance has to choose a back-end server, it will search for those records in the domain iden-
tified by the user ID and name resolution process. If any are found, it will only use those back-end servers for that
domain. If none are found, it will use the back-end servers that are not assigned to a domain.

3.7.5. RADIUS back-end authentication

IDENTIKEY Appliance can pass RADIUS return attributes from the back-end server to the client. Back-end authen-
tication is supported with the following protocols:

n PAP
n CHAP
n MSCHAP
n MSCHAP2 with MPPE key generation

3.7.6. Microsoft Active Directory Back-End Authentication Using LDAP Protocol

IDENTIKEY Authentication Server also supports site awareness for Global Catalog-based Active Directory domain
controller lookup. IDENTIKEY Authentication Server queries the Global Catalog for all domain controllers serving the
user currently in process of back-end authentication and contacts the relevant domain controllers according to
their priority in the Global Catalog. In this context, IDENTIKEY Authentication Server identifies the network site to
which the machine that is running IDENTIKEY Authentication Server belongs. Those domain controllers that share
the same site with IDENTIKEY Authentication Server during back-end authentication take precedence over others.

When deploying Microsoft Active Directory with IDENTIKEY Appliance for back-end authentication, ensure that:

n The domain controllers are Windows Server 2008 or higher.

n If the global catalog is set up (via Back End > Settings in the Administration Web Interface) and no back-
end components have been defined, domain discovery will be used to search for a user and identify the
Active Directory server to authenticate the user.
n If domain discovery via the global catalog is to be used, users must be set up in the same domain
on Active Directory as they are on IDENTIKEY Appliance.

IDENTIKEY Appliance 3.18 – Product Guide 74

 3. User Authentication Process

n After domain discovery, communication to the Active Directory server containing the user cre-
dentials will use SSL if and only if Enable SSL for Back-End Servers is selected in the Global Cata-
log Domain Discovery setting. You can also use the SSL Port option in this section to override the
port to be used for SSL communication. If not specified, IDENTIKEY Appliance will determine the
port number from DNS or the global catalog.
n IDENTIKEY Appliance must be configured to use the DNS server containing the DNS records of the Active Dir-
ectory server on the host OS.
n The user ID that is to be used to log in to the Active Directory back end during authentication must have
both search and update permissions for the data that is to be accessed. Also, for ANY group that uses
back-end authentication via LDAP and Active Directory, the permission List contents must be granted in
the Active Directory Users and Computers Extension to bind to Active Directory.
Table 4: Supported User Name Formats for Microsoft Active Directory
User ID Format User ID Source
UserID sAMAccountName attribute of the user
MYREALM\userid Fully qualified domain name + sAMAccountName attribute of
the user
[email protected] sAMAccountName attribute of the user + fully qualified
domain name

LDAP Configuration

The LDAP back end needs to be configured in order to allow the back end to authenticate via the LDAP protocol.
For instructions on how to do this, refer to the IDENTIKEY Appliance Administrator Guide.

Warning
When using Microsoft Active Directory as the back end and configuring LDAP back-end authentication with SASL-
DIGEST-MD5, the cyrus-sasl-md5 library must be installed to ensure connectivity between IDENTIKEY Authentic-
ation Server and Active Directory!

Note
For instructions on setting up a back-end server record for an Active Directory server, refer to the Administration
Web Interface online help.

3.7.7. NetIQ eDirectory Back-End Authentication Using LDAP Protocol

The version of NetIQ eDirectory used for LDAP back-end authentication on IDENTIKEY Appliance must be version
8.8. In addition, the following rules must be followed to set up NetIQ eDirectory for LDAP back-end authentication
on IDENTIKEY Appliance:

n If anonymous binding is disabled on the NetIQ eDirectory server, the security principal DN has to be a NetIQ
eDirectory account that has the necessary permissions to search the directory for the user accounts that
have to be authenticated.
n Each user ID has to be unique below the search base distinguished name in the LDAP structure.

IDENTIKEY Appliance 3.18 – Product Guide 75

 3. User Authentication Process

n Partitioning is not supported, although exactly the same search base distinguished name may be used on
different servers.
n NetIQ eDirectory must be enabled with universal password.
Table 5: Supported User Logon Format for NetIQ eDirectory
User ID Format Source of User ID
UserID User ID of the user
MYREALM\userid Fully qualified domain name + user ID of the user
[email protected] User ID attribute of the user + fully qualified domain name

IDENTIKEY Appliance 3.18 – Product Guide 76

 3. User Authentication Process

Image 33: Back-End Authentication for NetIQ eDirectory

Note
For more information about setting up a back-end server record for NetIQ eDirectory, refer to the Administration

IDENTIKEY Appliance 3.18 – Product Guide 77

 3. User Authentication Process

Web Interface Help.

3.7.8. IBM Security Directory Server Back-End Authentication Using LDAP Protocol

Procedure 1: Enabling back-end authentication for IBM Security Directory Server

1. Identify the IBM Security Directory Server server based on the IBM Security Directory Server back end
records in IDENTIKEY Appliance.
2. Bind to IBM Security Directory Server using the security principal DN and password defined for the IBM
Security Directory Server back end record, if principal details specified.
3. Search the IBM Security Directory Server back-end server for the user to be authenticated based on the
User Object Class Name and the User ID Attribute Name defined on setup.
4. Try to authenticate with IBM Security Directory Server using a bind with the user ID and password of the
user to be authenticated.

If authentication fails, the attributes retrieved during the search will be used to determine the cause of the failure.

In addition, you will also need to:

n Configure IDENTIKEY Authentication Server to authenticate via LDAP SSL.

n After configuring SSL, you will need to set up a back-end server record for IBM Security Directory Server
(i.e. register it as a back-end server for IDENTIKEY Appliance via the Administration Web Interface). For
more information, refer to the Web Administration Service Help.

Note
When registering a IBM Security Directory Server back end for IDENTIKEY Appliance, ensure that the location
entered in the IBM Security Directory Server back end record (in the Administration Web Interface) is the same as
that shown on the Tivoli Web Administration > View Edit > Issued To > cn=<serverid>.

Note
IDENTIKEY Appliance only supports Simple binding with SSL as the client authentication mechanism for binding
with the supported instances of IBM Security Directory Server.

3.8. User Attributes

User attributes are used by IDENTIKEY Appliance to return specific information to a Client Component. There are
two types of user attributes available in IDENTIKEY Appliance:

n RADIUS attributes can be returned when handling authentication requests from a RADIUS Client.
n Custom user attributes can be returned to DIGIPASS Authentication Modules, DIGIPASS Plug-Ins and cus-
tom Web applications

IDENTIKEY Appliance 3.18 – Product Guide 78

 3. User Authentication Process

User attributes may be set for each DIGIPASS user individually, or to a group of DIGIPASS users. For instructions on
adding user attributes to one or more DIGIPASS user account, refer to the online help in the Administration Web
Interface.

For more information, refer to Section 27.3. User Attributes.

3.9. Host Codes

If the Client Component requests a Host Code and the DIGIPASS is capable of generating one, then IDENTIKEY
Authentication Server will generate a Host Code and the application will display it to the user. The user generates a
Host Code on their DIGIPASS and checks that it is the same as the one on the screen.

3.9.1. Host Code Generation and Usage

A DIGIPASS Host Code is computed as follows:

1. The DIGIPASS device generates a one-time password, and splits it into two parts. The first part is used for
end user authentication. The second part is the Host Code and is used for server authentication.
2. The end user sends the first part to the server as proof of identity and keeps the second part secret.
3. The server verifies the one-time password for end user authentication. If valid, the end user is authen-
ticated to the server. The server then computes the second part of the one-time password, i.e. the Host
Code.
4. The server sends the Host Code to the end user, who verifies (visually) whether it matches the Host Code
generated by the DIGIPASS device.

Host Code generation is passed as a parameter in the authentication request. This parameter has two options:

n Optional: only return a Host Code if the DIGIPASS is Host Code-capable.

n Required: DIGIPASS must be Host Code-capable or the request will fail.

3.10. Supported RADIUS Protocols

The following RADIUS protocols are supported by IDENTIKEY Appliance:

n PAP
n CHAP
n MSCHAP with MPPE (Microsoft Point-to-Point Encryption)
n MSCHAP2 with MPPE
n EAP-TTLSv0/PAP
n EAP-TTLSv0/CHAP
n EAP-TTLSv0/MSCHAP
n EAP-TTLSv0/MSCHAP2
n EAP-TTLSv0/EAP-MSCHAP2
n EAP-TTLSv0/EAP-GTC

IDENTIKEY Appliance 3.18 – Product Guide 79

 3. User Authentication Process

n PEAPv0/EAP-MSCHAP2
n PEAPv0/EAP-GTC
n PEAPv1/EAP-MSCHAP2
n PEAPv1/EAP-GTC

Some protocols do not support all authentication features of IDENTIKEY Appliance. Refer to 3.11. Limitations of
RADIUS Support in IDENTIKEY Appliance for more information.

3.11. Limitations of RADIUS Support in IDENTIKEY Appliance

The following sections describe the caveats and limitations of IDENTIKEY Appliance in RADIUS support.

3.11.1. Limitations of RADIUS Password Protocols

Some IDENTIKEY Appliance features are not supported with CHAP or MSCHAP. These protocols hash login data
together; this prevents separation of various entries.

The unsupported features are outlined below:

n Self-Assignment cannot be performed.

n The Server PIN cannot be changed.
n Challenge/Response is not supported.
n Windows back-end authentication is not supported unless the user ID and Windows password are manu-
ally stored, and Stored Password Proxy is enabled.
n Password Autolearn is not supported, as clear text passwords cannot be identified.
n Virtual Mobile Authenticator OTP request is not supported.

These limitations are also applicable to the following protocols:

n EAP-TTLSv0/CHAP
n EAP-TTLSv0/MSCHAP
n EAP-TTLSv0/MSCHAP2
n EAP-TTLSv0/EAP-MSCHAP2
n PEAPv0/EAP-MSCHAP2
n PEAPv1/EAP-MSCHAP2

The OneSpan User Websites, when utilized, can circumvent many of these problems by allowing users to manage
their account and DIGIPASS authenticators. Users can:

n Perform Self-Assignment
n Change their Server PIN
n Change their own Stored Static Password

IDENTIKEY Appliance 3.18 – Product Guide 80

 3. User Authentication Process

3.11.2. Unsupported RADIUS Password Protocols

The following RADIUS password protocols are not supported:

n MSCHAP with LM Hash

n The password change mechanism for MSCHAP and MSCHAP2

3.11.3. Limitations of International Character Support

A number of IDENTIKEY Appliance components provide international character support, and some limitations apply:

RADIUS
International character support in the IDENTIKEY Appliance using the RADIUS protocol is dependent on the
RADIUS Client(s) being used. If a RADIUS Client uses UTF-8 encoding, international characters will be fully sup-
ported. If a RADIUS Client uses a localized encoding (eg. ISO-8859-13), the same locale setting must be con-
figured on each machine.

If IDENTIKEY Appliance is used as an intermediary between a RADIUS client and RADIUS server, check the
encoding expected/required by the RADIUS server. If the RADIUS server requires any encoding format other
than UTF-8, you will need to configure IDENTIKEY Appliance accordingly.

Web
DIGIPASS Authentication for OWA, both Forms and Basic Authentication options, limit international character
support to a single configured encoding.

3.11.4. Limitations of Web Basic Authentication

In IDENTIKEY Appliance, the HTTP Basic Authentication mechanism does not support a 2-step login process. In addi-
tion, Challenge/Response is also unsupported.

3.11.5. Limitations for Score-Based DIGIPASS Applications

Score-Based DIGIPASS applications do not support CHAP-based RADIUS authentications.

IDENTIKEY Appliance 3.18 – Product Guide 81

 4. Signature Validation

4. Signature Validation
IDENTIKEY Appliance will allow you to sign transaction data using Electronic Signatures generated via two meth-
ods:

n Through a DIGIPASS that is set up to generate Electronic Signatures, or

n IDENTIKEY Appliance itself (i.e. virtual signature generation)

An Electronic Signature is based on transaction details entered into the DIGIPASS authenticator. The
DIGIPASS authenticator uses the transaction details and an embedded secret to generate and display an Electronic
Signature. With Virtual Signature Generation, the user supplies the transaction details directly to IDENTIKEY Appli-
ance, which will then generate the Electronic Signature, i.e. the virtual signature. Virtual signatures are delivered
to the user via the Message Delivery Component.

Once a user receives the Electronic Signature, they can then use it to sign a transaction, typically through a con-
firmation page (e.g. for finalizing a transaction). This signature will be validated by IDENTIKEY Appliance; if the sig-
nature is incorrect or invalid, then the transaction will not be permitted to proceed.

4.1. Signature Validation Process

If a signature is generated with a DIGIPASS authenticator, the signature validation process occurs as follows:

1. The user selects the signature application on their assigned authenticator.

2. The user enters the required transaction details. DIGIPASS can be programmed to accept up to eight trans-
action data fields such as:
n transaction amount
n transaction ID
n destination account number
3. The DIGIPASS authenticator will generate a signature and display it on its screen. The user enters this sig-
nature into the transaction and submits the transaction.

If signature generation is done via IDENTIKEY Appliance (i.e. virtual signature generation), the signature validation
process typically occurs as follows:

1. The user initiates the transaction as normal via a client program (e.g. money transfer via online banking
application). The client program then requests an Electronic Signature from the user in order to sign the
transaction.
2. At the same time, the client program submits the required transaction details to IDENTIKEY Appliance,
requesting a virtual signature.
3. IDENTIKEY Appliance then generates a virtual signature based on the transaction details supplied.
4. IDENTIKEY Appliance delivers the virtual signature to the user via e-mail, voice, SMS, or any supported
combination thereof (depending on how Message Delivery Component is configured).
5. The user receives the virtual signature and enters it into the transaction (as requested by the client pro-
gram).

IDENTIKEY Appliance 3.18 – Product Guide 82

 4. Signature Validation

Once the transaction is signed, it can then be sent to IDENTIKEY Appliance for validation. The signature validation
process from this point onwards is identical for transactions signed by either normal Electronic Signatures (gen-
erated via DIGIPASS) or virtual signatures (generated via IDENTIKEY Appliance).

4.1.1. Signature Validation with Secure Channel and DIGIPASS

As of IDENTIKEY Authentication Server 3.7, signatures can also be validated using the Secure Channel feature with
DIGIPASS authenticator compliant with this feature. Signature validation with the Secure Channel feature is used
for validating transactions such as e.g. online banking but is also used to add devices, activate DIGIPASS licenses
and instances in a Multi-Device Licensing and Activation Scenario. For more information on this, refer to Section
2.5. DIGIPASS Licensing and Activation.

1. The user logs in to the client application and enters the required transaction details.
2. After entering the transaction details, the user scans either a QR code or a color QR code, which are
provided by the client application.
3. The DIGIPASS authenticator displays the transaction signature and the user enters this in the client applic-
ation to complete the transaction.

4.1.2. Real-Time Signature Validation

Real-Time Signature Validation is generally used to provide security for transactions that require quick responses.
It is typically used by online banking applications.

With Real-Time Signature Validation, a user creates a transaction. The transaction normally requires a signature,
so the user enters the relevant details into their DIGIPASS. The DIGIPASS produces a signature and the user enters
this into the website, which then submits the transaction.

The transaction details and signature are verified by IDENTIKEY Appliance, and a status message is returned
straight to the web page the user is on. The user knows within the time it takes to process a normal transaction
whether or not the submitted transaction has been verified.

4.1.3. Deferred Signature Validation

Deferred Signature Validation is signature validation that is not performed in real-time. In typical cases that use
this validation, a user submits a transaction online with the signature generated by the DIGIPASS. The transaction
will then enter a queue to be verified. The user receives a message that the transaction has gone into a queue. A
batch job picks up the transaction and verifies it against the policies and details of the DIGIPASS. The user may not
know until minutes or hours later that the transaction has been signed and verified.

It is important in this case for the user to keep a record of the time the transaction was submitted, as this may be
important if the transaction is challenged.

IDENTIKEY Appliance 3.18 – Product Guide 83

 4. Signature Validation

4.2. Electronic Signature Application Types

IDENTIKEY Appliance supports the following types of signature applications.

4.2.1. Time-Based Signature

A signature application may be time-based. This means that the DIGIPASS will generate a different signature for
the same input data at different times.

The signature validation procedure relies on the time on the DIGIPASS and the time on IDENTIKEY Appliance being
synchronized to within an acceptable tolerance. Each time a one-time password or a signature is generated, the
IDENTIKEY Appliance records the time difference between the DIGIPASS and itself.

The time-based signature validation procedure also uses Time Steps to verify signatures. A Time Step is a setting
which specifies the number of seconds between generations of a one- time password on a DIGIPASS. The
IDENTIKEY Appliance will use the time step and the known difference in time between itself and the DIGIPASS to
verify signatures.

Use the Signature Time Window policy setting to set the tolerance allowable for signature verification.

Time based signatures can be real-time or deferred. If deferred time-based signatures are used, they may be re-
verified at a later date by comparing the input details against the signature produced by the DIGIPASS, as long as
the time the transaction was performed is known.

4.2.2. Event-Based Signature

A signature application may also be event-based. This means that it contains a numeric counter that increases
every time a signature is generated.

The signature process relies on an event counter to enable each signature to be unique. The DIGIPASS and
IDENTIKEY Appliance need to have synchronized event counters. The tolerance for the difference between the
event counters can be set by using the Event Window policy setting.

During Real-Time Signature Validation the event counter on IDENTIKEY Appliance is updated with the value used by
the DIGIPASS, to keep the two event counter values synchronized.

During Deferred Time Signature Validation the event counters for transactions generated on the DIGIPASS may get
out of step with the event counter held on IDENTIKEY Appliance. The Event Window policy setting can enable
signed transactions to be processed in any order without causing a verification error.

IDENTIKEY Appliance 3.18 – Product Guide 84

 4. Signature Validation

4.2.3. Static Signature

These signatures are generated using neither time or event counter. They will always produce the same signature
for the same input. There is no difference between real-time and deferred time with these signatures.

4.3. Signature Verification Process

Electronic Signatures are verified by IDENTIKEY Appliance using a number of specific checks, in the following
sequence:

1. Component checks
2. Policy checks
3. User account lookup and checks
4. Signature validation
5. Finalization

The following sections describe each step in detail.

4.3.1. Component Checks

IDENTIKEY Appliance will try to identify the application from which the request for registration came. There must be
a component record on the data store for that application. A client component record must exist for the Signature
Verification application and location from which it connects to the server. The component type is set as a para-
meter by the application; the location is the source IP address of the SOAP address.

Note
A client component with an IP address range (IPv4 CIDR notation) as component location will be used to handle
requests from any client within that IP address range. If two (or more) matching client components with over-
lapping IP address ranges are found, the client component with the smaller IP address range (more specific)
takes precedence and will be used to serve the request.

4.3.2. Policy Checks

IDENTIKEY Appliance identifies the policy to use in the signature authentication from the Client Component record
and checks the validity of the policy.

4.3.3. User Account Lookup and Checks

IDENTIKEY Appliance checks the user account to :

IDENTIKEY Appliance 3.18 – Product Guide 85

 4. Signature Validation

n Ensure that the user ID and domain have been defined

n Perform the Windows Group Check if necessary

n Check whether a user account exists

n Check whether the user account is disabled or locked if it already exists.

If the DIGIPASS user account is locked, IDENTIKEY Appliance verifies whether a user auto-unlock attempt is
possible (see 27.8. DIGIPASS User Account Auto-Unlock).

Dynamic User Registration is NOT possible. If the user account does not exist, then the check will fail.

4.3.4. Signature Validation

A search is performed for a DIGIPASS that is assigned to the user that fulfils the signature policy limits. If more than
one DIGIPASS is found, the list is filtered using the serial number for the DIGIPASS. This serial number will be
passed to the signature process as a parameter.

Note
When designing a web page that will allow transactions to be signed, ensure that users with multiple DIGIPASS
can enter a serial number to identify which DIGIPASS is being used.

When the correct DIGIPASS is identified, the DIGIPASS type is checked. The DIGIPASS type must be either SG (Sig-
nature) or MM (Multi Mode) to allow signatures. The signature is then verified and a response is produced.

4.3.5. Finalization

The relevant parts of the Data Store are updated after the signature validation has been carried out successfully. A
response is produced. The audit data is updated with the transactions that took place and the result of those trans-
actions.

If the Web Application requests a confirmation code and the DIGIPASS is capable of generating one, then
IDENTIKEY Appliance will generate a confirmation code and the application will display it to the user. The user gen-
erates a Confirmation Code on their DIGIPASS and checks that it is the same as the one on the screen.

Confirmation code generation is passed as a parameter in the authentication request. There are two options:

n Optional: only return a confirmation code if the DIGIPASS is confirmation code-capable

n Required: DIGIPASS must be confirmation code-capable or the request will fail.

4.4. Policy Settings Relevant to Signature Validation

The following policy settings affect signature verification:

IDENTIKEY Appliance 3.18 – Product Guide 86

 4. Signature Validation

n Event Window: the allowable difference between the DIGIPASS event counter and IDENTIKEY Appliance
event counter.
n Online Signature Level: specifies how signatures will be verified.
n Signature Time Window: Shows the acceptable difference in time between the time set on the DIGIPASS
and the time set on IDENTIKEY Appliance for signatures. The lowest value is 2, the highest is 500.

Note
For signature validation processes with the Secure Channel feature, IDENTIKEY Authentication Server provides
the default policy IDENTIKEY Signature Validation with Secure Channel.

IDENTIKEY Appliance 3.18 – Product Guide 87

 5. Software DIGIPASS Provisioning

5. Software DIGIPASS Provisioning

This chapter provides an overview of the different components involved in the provisioning of software DIGIPASS
authenticators, and a high-level description of the provisioning process. For more detailed information on software
DIGIPASS, refer to Section 2.4.2. Software DIGIPASS authenticator.

5.1. Provisioning Overview

In IDENTIKEY Appliance, the term Provisioning refers to delivery, registration, and activation of the software. The fol-
lowing sections describe each of these steps in detail.

5.1.1. Software Delivery

You are free to deliver the software to your customers in any way you choose. You can either deliver software to
users, or allow them to download the software from a secure site. An Activation Code is required to activate the
software DIGIPASS authenticator or authenticators such as DP110. This code may be delivered via two methods:

Online Delivery
With this method, the activation code is delivered directly to the application that is going to use it. If the activation
code is delivered in this way, the user will never see it. This option is available for DIGIPASS for Web, DP110,
DIGIPASS for Mobile, and the DIGIPASS App.

Offline Delivery
With offline delivery, available for DIGIPASS for Web and DIGIPASS for Mobile, the activation code is delivered via a
mechanism such as email, text message, or fax.

In DIGIPASS for Web the activation code will typically be delivered in an email containing a link. The applet reads
the activation code from the link.

5.1.2. User/DIGIPASS Registration

The DIGIPASS records must be imported from a *.dpx file before registration can occur.

Each software DIGIPASS user requires a DIGIPASS user account on IDENTIKEY Appliance. The user accounts can
either be imported into IDENTIKEY Appliance, created individually, or created dynamically during registration if
Dynamic User Registration is available.

For software DIGIPASS to work, a DIGIPASS record needs to be allocated to the user account. This can be done in
two ways:

IDENTIKEY Appliance 3.18 – Product Guide 88

 5. Software DIGIPASS Provisioning

n Manually by an administrator using, for example, the Administration Web Interface.

n Automatically, where IDENTIKEY Appliance will select a random DIGIPASS authenticator and assign it to the
new DIGIPASS user account as it is created . In IDENTIKEY Appliance this functionality is known as Auto-
Assignment. For more information, refer to 28. DIGIPASS.

Afterward, an activation code is generated and sent to the user.

5.1.3. Activate Software

Each software DIGIPASS needs to be activated before it can be used. This means that IDENTIKEY Appliance is
informed that all the components are in place for the software DIGIPASS and you are ready to use it.

There are two stages to activation:

n Delivering the activation code to the software

n Sending the first one-time password to the server.

Image 34: Steps of Provisioning

5.1.4. Delayed Activation

The DIGIPASS start time defines a particular date and time when an activated (software) DIGIPASS authenticator
can effectively be used for authentication. If defined in the effective policy, the start time can be automatically cal-
culated based on a delayed activation period when assigning/registering the DIGIPASS authenticator to a user.
Although the software DIGIPASS authenticator has already been activated, IDENTIKEY Authentication Server will not
allow it to be used for authentication, until the start time has been reached. This is called delayed activation.

IDENTIKEY Appliance 3.18 – Product Guide 89

 5. Software DIGIPASS Provisioning

If defined in the effective policy, two separate notification messages are sent to the respective user to indicate
delayed activation:

a. The activation delayed notification is sent when the DIGIPASS authenticator is assigned/registered to the
user.
b. The activation completed notification is sent when the start time has been reached, i.e. when the
DIGIPASS authenticator can effectively be used.

The notification messages are sent using Message Delivery Component (MDC) and handled independently of each
other: if defined, either both, none, or either one is sent.

5.1.5. Provisioning Components

There are two required components and one optional component required to implement provisioning:

Web Application (customized)

The Web Application controls the user interaction during provisioning. The Web Application uses the SOAP SDK to
communicate with IDENTIKEY Appliance. Refer to the SOAP SDK documentation for more information.

The Web Application should be able to:

n Make the software DIGIPASS available for download

n Facilitate delivery of the activation code to the user
n Send the first one-time password to IDENTIKEY Appliance

IDENTIKEY Appliance
IDENTIKEY Appliance handles DIGIPASS user account and DIGIPASS records. It generates activation codes, verifies
one-time password, and stores static passwords.

Back-End System
The back-end system can be used by IDENTIKEY Appliance for Dynamic User Registration and/or static password
verification. For more information, refer to 3.7. Back-End Authentication.

5.1.6. User Authentication during Provisioning

The user authentication method during a software DIGIPASS provisioning process depends on two factors: the local
authentication method set in the relevant policy, as well as on whether the user already has an activated DIGIPASS
authenticator.

The possible local authentication settings and their implications on the provisioning process are:

n If Local Authentication is set to DIGIPASS/ Password during Grace Period, the user must use their static
password when activating their first DIGIPASS authenticator. Upon successful completion of the DIGIPASS

IDENTIKEY Appliance 3.18 – Product Guide 90

 5. Software DIGIPASS Provisioning

activation the grace period ends, and any future provisioning operations will require the user to authen-
ticate with a one-time password.
n If Local Authentication is set to DIGIPASS or Password, the user must use their static password when activ-
ating their first DIGIPASS authenticator. After this, the user can authenticate with their static password or
their DIGIPASS authenticator during any future provisioning operations.

Warning
If the local authentication method is DIGIPASS Only, a user who is activating their first DIGIPASS authenticator will
be unable to complete the activation because they are not allowed to authenticate with their static password.

For more information about local authentication methods, see 3.6. Local Authentication.

5.2. Registration Process for Software DIGIPASS

The following diagram summarizes how software DIGIPASS is registered:

Image 35: Software DIGIPASS Registration Process

IDENTIKEY Appliance 3.18 – Product Guide 91

 5. Software DIGIPASS Provisioning

The following sections detail each step in the registration process.

Identify Component
IDENTIKEY Appliance will try to identify the application from which the request for registration came. A client
component record must exist for the provisioning application and location from which it connects to the
server. The component type is set as a parameter by the application; the location is the source IP address of
the SOAP request.

Note
A client component with an IP address range (IPv4 CIDR notation) as component location will be used to handle
requests from any client within that IP address range. If two (or more) matching client components with over-
lapping IP address ranges are found, the client component with the smaller IP address range (more specific)
takes precedence and will be used to serve the request.

Identify Policy
IDENTIKEY Appliance identifies the policy to use in the registration from the client component record and
checks the validity of the policy. The following settings of the policy will not be used as they are not relevant
to provisioning.

n DIGIPASS assignment settings

n Challenge settings

DIGIPASS user account Lookup and Checks

IDENTIKEY Appliance checks the user account to:

n Ensure that the user account and domain have been defined

n Perform the Windows Group Check if necessary

n Check whether a user account exists

n Check whether the user account is disabled or locked if it already exists.

If the DIGIPASS user account is locked, IDENTIKEY Appliance verifies whether a user auto-unlock attempt is
possible (see 27.8. DIGIPASS User Account Auto-Unlock).

Local Authentication
A static password or one-time password must be entered. For more information about local authentication
options and their implications on the user authentication process during software DIGIPASS provisioning, see
5.1.6. User Authentication during Provisioning

If back-end authentication is not enabled, the registration will fail if:

n Static password is not verified

n User account does not exist

IDENTIKEY Appliance 3.18 – Product Guide 92

 5. Software DIGIPASS Provisioning

n User account exists but has no password recorded against it

If back-end authentication is enabled, then the back-end system will verify the static password. If the pass-
word is verified but there is no user account in IDENTIKEY Appliance, an account will be created. Dynamic User
Registration must be enabled for this to succeed.

Note
User authentication during software DIGIPASS provisioning may vary depending on the local authentication policy
settings, and on whether the user already has an activated DIGIPASS authenticator. For more information, see
5.1.6. User Authentication during Provisioning.

Back-End Authentication
Back-end authentication is an optional step in software DIGIPASS registration. If enabled, the static password
will be authenticated by the back-end system. If the back-end system does not verify the credentials, regis-
tration will fail.

DIGIPASS Assignment
The registration process will perform the following steps:

n Search for an applicable DIGIPASS according to the criteria on the policy associated with the user account
that is capable of activation.
n If no DIGIPASS authenticator was found, the first applicable and available DIGIPASS record is assigned to
the user account.

Activation Code Generation

The reactivation restrictions are checked. If this is a reactivation and reactivation is allowed, then the user
account and the DIGIPASS record already exist in IDENTIKEY Appliance and will be used in the following steps.

The activation code is generated using the first capable application in the DIGIPASS. The activation code may
be encrypted with the user's password if the password was not verified by local and back-end authentication.

If defined in the effective policy, the DIGIPASS start time is calculated and set based on the delayed activation
period. If defined, notifications are scheduled to be sent to the respective user when (a) the delayed activ-
ation begins and (b) the DIGIPASS start time has been reached and the DIGIPASS authenticator becomes act-
ive.

Finalization
In the finalization step the created users and assignment are confirmed to the data store. Records are written
to the audit system to record the actions that have taken place, and the results. A response is sent to the user
to confirm registration or to show an error message if activation failed.

Note
For information specific to the registration process in the Multi-Device Licensing and Activation Mode, refer

IDENTIKEY Appliance 3.18 – Product Guide 93

 5. Software DIGIPASS Provisioning

to Section 5.4.2. Multi-Device Activation .

5.3. Software DIGIPASS Activation Process

The following diagram summarizes the activation process for Software DIGIPASS:

Image 36: Software DIGIPASS Activation Process

Identify component, policy and DIGIPASS user account lookup and checks
The activation process performs the same Identify Policy and DIGIPASS user account lookup and checks as
the registration process, except that the user account must already exist.

Verify one-time password

The one-time password is verified against the DIGIPASS record.

Activation
The DIGIPASS is set to ACTIVE in the data store and the grace period will end, if one was set.The grace period
automatically expires the first time an OTP is used to log in, i.e. after the OTP has been successfully validated
(if it has not been set manually to expire prior to that in the relevant policy).

IDENTIKEY Appliance 3.18 – Product Guide 94

 5. Software DIGIPASS Provisioning

Finalization
In the Finalization step the activation is confirmed to the data store. Records are written to the audit system
to record the actions that have taken place, and the results. A response is sent to the user to confirm activ-
ation or show an error message if activation failed.

Note
For information specific to the registration process in the Multi-Device Licensing and Activation Mode, refer
to Section 5.4.2. Multi-Device Activation .

5.3.1. Software DIGIPASS Reactivation

From time to time software DIGIPASS will have to be reactivated. This may occur rarely for DIGIPASS for Mobile,
such as when the user buys a new mobile phone, or it may occur more often for DIGIPASS for Web, such as when
the user clears the cookies in their browser.

Reactivation is carried out in the same way as the original activation, but the user account will already exist with a
capable DIGIPASS assigned. The registration process will use the assigned DIGIPASS to generate the activation
code.

The following limits can be enabled via IDENTIKEY Appliance Configuration Utility:

n Activation Limit: limits the number of activations that can be performed on one Software DIGIPASS.
n Minimum Interval: sets the minimum time interval between reactivations.
n Maximum Locations: sets the maximum number of locations a from which a Software DIGIPASS can be
activated, such as home, office, laptop. This only applies to DIGIPASS for Web.

Note
The activation limits apply to all activation attempts. If an activation fails in the second stage this will still count
as an activation, and will count against the activation limits.

5.4. Provisioning Scenarios

The following scenarios show how provisioning will work for different DIGIPASS authenticators in different situ-
ations.

The user authentication method during the provisioning process may vary depending on the local authentication
policy setting, and on whether the user already has an activated DIGIPASS authenticator. For more information,
see 5.1.6. User Authentication during Provisioning.

IDENTIKEY Appliance 3.18 – Product Guide 95

 5. Software DIGIPASS Provisioning

Table 6: Provisioning Scenarios

Scenarios User User knows Static Provisioning Policy
Account? Password?
Local Authentication Back- DIGIPASS Back-End Pro- Dynamic
End Type tocol User Regis-
Auth tration
DIGIPASS for Mobile Y Yes, at least for a DIGIPASS/Password None MOB40 - -
Online Activation user's first pro- during Grace
visioning operation. Period or DIGIPASS
See 5.1.6. User or Password
Authentication during
Provisioning
Multi-Device Activ- N Yes, at least for a DIGIPASS/Password Always DAL10 Windows, Enabled
ation of compliant user's first pro- during Grace or If RADIUS, LDAP,
authenticators (e.g. visioning operation. Period or DIGIPASS Needed custom
DIGIPASS for Mobile, See 5.1.6. User or Password
DIGIPASS 760) Authentication during
Provisioning.
DIGIPASS for Web 1 Y Y None None WEB10 - -
DIGIPASS for Web 2 Y Y Digipass Only or None WEB10 - -
DIGIPASS/Password
during Grace
Period
DIGIPASS for Web 3 N Y Digipass Only or Always WEB10 Windows, Enabled
DIGIPASS/Password or If RADIUS, LDAP,
during Grace Needed custom
Period
DP110 1 Y Y None DP110 - -
DP110 2 N Y None Always DP110 Windows, -
RADIUS, LDAP,
custom

5.4.1. DIGIPASS for Mobile

In a scenario involving DIGIPASS for Mobile, activation codes are encrypted with pre-loaded static passwords.

Pre-Conditions
n The user account has been created on IDENTIKEY Appliance
n The user knows their static password (in case of first-time software DIGIPASS provisioning)
n The static password has been imported into IDENTIKEY Appliance
n The provisioning policy has been defined with the following settings
n Local authentication (DIGIPASS/Password during Grace Period or DIGIPASS or Password)
n No back-end authentication (None)
n DIGIPASS type is the appropriate type for the version of DIGIPASS for Mobile being used.

Note
User authentication during software DIGIPASS provisioning may vary depending on the local authentication policy

IDENTIKEY Appliance 3.18 – Product Guide 96

 5. Software DIGIPASS Provisioning

settings, and on whether the user already has an activated DIGIPASS authenticator. For more information, see
5.1.6. User Authentication during Provisioning.

Image 37: DIGIPASS for Mobile Offline Activation Process

There is a choice of activation options for DIGIPASS for Mobile 4.x DIGIPASS provisioning, and the choice of activ-
ation option affects how the DIGIPASS for Mobile authenticator is provisioned:

IDENTIKEY Appliance 3.18 – Product Guide 97

 5. Software DIGIPASS Provisioning

n Offline activation - manual or via QR code

n Standard online activation
n Advanced online activation
n Multi-Device Activation

5.4.1.1. Offline Activation - manual or via QR code

Offline activation is performed by the administrator who assigns the DIGIPASS for Mobile 4.x authenticator to a
user, and then uses the Administration Web Interface or the Active Directory Users and Computers Extension to gen-
erate the activation data. When the activation data has been generated, it has to be entered in to the activation
screen in the DIGIPASS for Mobile application on the mobile phone. The activation data can be sent via SMS or
email, or it can be scanned using a QR code or a color QR code. The activation code is entered and the transaction
is committed on the phone.

If a bind is required, the administrator has to manually bind the device using the Administration Web Interface or
the Active Directory Users and Computers Extension.

The entire mobile phone, with activated DIGIPASS for Mobile application is then distributed to the user.

IDENTIKEY Appliance 3.18 – Product Guide 98

 5. Software DIGIPASS Provisioning

Image 38: DIGIPASS for Mobile Online Activation Process

5.4.1.2. Standard Online Activation

The user enters their user ID, password, domain and mobile phone number into the provisioning Web site standard
registration page. The provisioning Web site then verifies with IDENTIKEY Authentication Server that the user is
valid and then assigns a DIGIPASS for Mobile DIGIPASS and sends an SMS with the URL to be used to download the

IDENTIKEY Appliance 3.18 – Product Guide 99

 5. Software DIGIPASS Provisioning

DIGIPASS for Mobile package. The registration identifier and activation password are then displayed on the pro-
visioning Web site. The user must then download the DIGIPASS for Mobile package, and enter the registration iden-
tifier and activation password into the DIGIPASS for Mobile application on the phone.

When the user has entered the registration identifier and activation password, the mobile phone sends a request
to the provisioning Web site for the activation data. The provisioning Web site sends the activation data back to the
mobile phone, which will then automatically activate the DIGIPASS for Mobile application. After this, if a bind is
required, the DIGIPASS for Mobile application will request the bind data and will bind DIGIPASS.

The user then receives a response on the mobile device indicating whether the activation has been successful.

5.4.1.3. Advanced Online Activation

Advanced Online activation is performed by the user and uses the DIGIPASS Software Advanced Provisioning Pro-
tocol (DSAPP) protocol. The difference between advanced online activation and standard online activation is the
way that the one-time password is generated when DIGIPASS is used. If you intend to use the DSAPP protocol, you
must perform advanced online activation. If you do not intend to use the DSAPP protocol when generating OTPs,
you must use standard online activation.

The DSAPP protocol can be used for activation, providing it has been enabled on IDENTIKEY Authentication Server.
If the DSAPP protocol is to be used, the user has to enter a user ID, domain and password into the
DSAPP registration page of the provisioning Web site. The provisioning Web site verifies with IDENTIKEY Authentic-
ation Server that the user is valid and then assigns a DIGIPASS for Mobile DIGIPASS and sends an SMS with the URL
to be used to download the DIGIPASS for Mobile package. The registration identifier and activation password are
then displayed on the provisioning Web site. The user must then download the DIGIPASS for Mobile package, and
enter the registration identifier and activation password into the DIGIPASS for Mobile application on the phone.

When the user has entered the registration identifier and activation password, the mobile phone sends a request
to the provisioning Web site for the activation data. The provisioning Web site sends the activation data back to the
mobile phone, which will then automatically activate the DIGIPASS for Mobile application. After this, if a bind is
required, the DIGIPASS for Mobile application will request the bind data and will bind DIGIPASS.

The user then receives a response on the mobile device indicating whether the activation has been successful.

5.4.2. Multi-Device Activation

This section describes the post-deployment DIGIPASS provisioning using the Multi-Device Licensing and Activation
feature of IDENTIKEY Authentication Server. For more information on Multi-Device Licensing and Activation, refer to
Section 2.5. DIGIPASS Licensing and Activation.

Note
A DIGIPASS authenticator compliant with Multi-Device Licensing is required to perform Multi-Device Activation, for
instance DIGIPASS for Mobile and DP760.

During the provisioning procedures as described below a DIGIPASS instance is loaded into a DIGIPASS device.
These procedures are executed each time a new DIGIPASS instance needs to be loaded into a DIGIPASS device.

IDENTIKEY Appliance 3.18 – Product Guide 100

 5. Software DIGIPASS Provisioning

The following preconditions apply for the provisioning procedure to succeed:

n The user account has not been created on IDENTIKEY Authentication Server
n The user knows their static password (in case of first-time software DIGIPASS provisioning)
n The provisioning policy has been defined with the following settings:
n Local Authentication (DIGIPASS/Password during Grace Period or DIGIPASS or Password)
n Back-end Authentication (Always or If Needed)
n Back-end Protocol (Windows, RADIUS, LDAP Back-End Authentication, or custom name)
n Dynamic User Registration is enabled

Note
User authentication during software DIGIPASS provisioning may vary depending on the local authentication policy
settings, and on whether the user already has an activated DIGIPASS authenticator. For more information, see
5.1.6. User Authentication during Provisioning.

The first step in the provisioning procedure is to register with the system to start the post-deployment provisioning
of a new DIGIPASS device.

Procedure 2: Register a DIGIPASS license

1. Start a provisioning registration operation to provide the user credentials to IDENTIKEY Authentication
Server.
2. IDENTIKEY Authentication Server checks that a user account is available, validates the user credentials,
and queries for DIGIPASS licenses assigned to your user. The system then generates Activation Message 1
and includes it in the response envelope.
3. The client application provides Activation Message 1 in form of an image - scan this image with the
DIGIPASS authenticator that supports the Multi-Device Licensing model.
4. The DIGIPASS device generates and displays a device code.

Note
If no DIGIPASS license is assigned to the user, IDENTIKEY Authentication Server checks if Auto-Assignment has
been set in the policy used, and will search a random available DIGIPASS license which it assigns to the end user.
When Auto-Assignment has not been enabled in the policy, the provisioning operation fails.

When IDENTIKEY Authentication Server queries for DIGIPASS licenses assigned to the user but there are no activ-
ations left for this particular DIGIPASS license, the system will return an error message explaining that the activ-
ation threshold for this license has been reached.

After you have registered a DIGIPASS license, the second step in the Multi-Device Activation process is to register a
device.

Procedure 3: Register a DIGIPASS device

1. The client application starts a provisioning DIGIPASS authenticator registration operation and provides the
end user's registration identifier and the device code to IDENTIKEY Authentication Server.
2. The server retrieves the registration context (e.g. the DIGIPASS serial number used in the previous step),
validates the device code, and generates a new DIGIPASS instance using the DIGIPASS license.

IDENTIKEY Appliance 3.18 – Product Guide 101

 5. Software DIGIPASS Provisioning

3. The server then generates Activation Message 2 for the DIGIPASS license and includes it in the response
envelope.
4. The client application provides Activation Message 2 in form of an image - scan this image with the
DIGIPASS authenticator that supports the Multi-Device Licensing model.
5. The DIGIPASS authenticator generates and displays a signature.

After registering the device, the end user activates a new DIGIPASS instance. Based on Activation Message 2, a sig-
nature generated with the DIGIPASS instance is validated. With this, the new DIGIPASS instance is activated.

5.4.2.1. Banking Scenario: Self-Provisioning and Administrating of DIGIPASS Authenticators in Multi-Device Activ-
ation
This section describes DIGIPASS self-provisioning and administrating in a banking context using the Multi-Device
Licensing and Activation feature of IDENTIKEY Authentication Server, with compliant DIGIPASS authenticators. This
includes generation and administration of an activation letter for the end user who then activates a new DIGIPASS.

Generating and sending an activation letter

The end user requests the bank to send them an activation letter for activating DIGIPASS authenticators. Once the
end user has entered the banking credentials to the client application, the system validates these credentials, cre-
ates a user account in the IDENTIKEY Authentication Server database, and assigns a DIGIPASS license to the newly
created user account. On the basis of Activation Message 1 which the system generates, the client application gen-
erates a color QR code and prints an end user-specific activation letter that includes the serial number of the
DIGIPASS license and the color QR code.

Note
If no DIGIPASS license is available for assignment, the provisioning operation fails, and the client application noti-
fies the end user to contact their bank.

Also, for this operation to succeed, the policy specified in the client record in IDENTIKEY Authentication Server for
the client application must allow Auto-Assignment.

Alternatively, the user administrator can also initiate sending activation letter to end users by connecting to the cli-
ent application, entering the IDENTIKEY Authentication Server credentials, and uploading a .dpx file to the client
application. The system creates a DIGIPASS record to process all .dpx files. The user administrator also uploads a
user .csv file that aligns the DIGIPASS licenses with the user IDs for assignment. The system then generates Activ-
ation Message 1 and returns it to the client application which generates a color QR code on the basis of this mes-
sage, and prints an end user-specific activation letter which includes the serial number of the DIGIPASS license and
the color QR code. The activation letters are sent to the end users by post.

Activating a new DIGIPASS instance in the DIGIPASS device

Once the end user has received the activation letter, they scan the color QR code contained in the letter with a
DIGIPASS device that is compliant with the Multi-Device Licensing and Activation feature. For more information on
compliant DIGIPASS authenticator, refer to Section 2.5. DIGIPASS Licensing and Activation . The end user also
enters the banking credentials, the serial number contained in the activation letter, and the device code the
DIGIPASS authenticator has generated upon scanning the color QR code. The system validates the end user's

IDENTIKEY Appliance 3.18 – Product Guide 102

 5. Software DIGIPASS Provisioning

credentials in a back-end directory and verifies the DIGIPASS license with the provided serial number assigned to
the local user ID of the end user. The system adds the new device, creates a new DIGIPASS instance, and gen-
erates Activation Message 2. This message is returned together with a request key and the serial number of the
new DIGIPASS instance to the client application.

The client application generates a color QR code that represents Activation Message 2 - the end user scans this
image with the same DIGIPASS device that was used to scan the color QR code from the activation letter. With this,
the DIGIPASS device creates a new DIGIPASS instance based on Activation Message 2, and displays an activation
signature to be entered into the client application by the end user. The system validates the activation signature,
returns the result to the client application which displays this result to the end user who then disconnects from the
client application.

5.4.3. DIGIPASS for Web

There are three scenarios that can be employed when activating DIGIPASS for Web, and each one has different
pre-conditions. Which scenario is employed will depend on how IDENTIKEY Appliance is implemented.

5.4.3.1. Scenario 1: Activation Codes are Encrypted with Pre-Loaded Static Passwords

Pre-Conditions
n The user account has been created on IDENTIKEY Appliance
n The user knows their static password
n The static password has been imported into IDENTIKEY Appliance
n The provisioning policy has been defined with the following settings:
n No local authentication (None)
n No back-end authentication (None)

Process

IDENTIKEY Appliance 3.18 – Product Guide 103

 5. Software DIGIPASS Provisioning

Image 39: DIGIPASS for Web Scenario 1 Process

The user enters their user ID, email address and PIN on the website. If registration is successful, the DIGIPASS for
Web is provided with the serial number of the DIGIPASS that is to be activated and an encrypted activation code.

IDENTIKEY Appliance 3.18 – Product Guide 104

 5. Software DIGIPASS Provisioning

Note
In this case, the PIN is not sent to the server; rather, it is used locally by the DIGIPASS for Web applet.

The user will have to re-enter their user ID, PIN and password to decrypt the activation code and complete activ-
ation. The applet decrypts the activation code, activates itself and sends a one-time password to the server.

The user then receives a response indicating whether the activation has been successful.

Options
To make sure that the user changes their static password, extra fields can be added to the second page in this
scenario. Fields can be added to the input page so that the user can enter a new static password, and then enter it
again for confirmation. The user needs to do this so that the original password can only be used once, for activ-
ation. The new password can be used for re-activation.

For more information, refer to 5.3.1. Software DIGIPASS Reactivation.

5.4.3.2. Scenario 2: Pre-Loaded User Accounts and Static Passwords

Pre-Conditions
n The user account has been created on IDENTIKEY Appliance
n The user knows their static password
n The static password has been imported into IDENTIKEY Appliance
n The provisioning policy has been defined with the following settings:
n Local authentication (Digipass Only or DIGIPASS/Password during Grace Period)
n No authentication (None)

IDENTIKEY Appliance 3.18 – Product Guide 105

 5. Software DIGIPASS Provisioning

Process

Image 40: DIGIPASS for Web Scenario 2 Process

The user enters their user ID, email address, static password and PIN on the registration website. If registration is
successful, the serial number of the DIGIPASS that is to be activated and an activation code are delivered to the
DIGIPASS for Web applet.

IDENTIKEY Appliance 3.18 – Product Guide 106

 5. Software DIGIPASS Provisioning

The user re-enters the user ID and PIN. DIGIPASS for Web generates a one-time password and then submits this
with the serial number to the server. Activation then takes place.

The user will then receive a response indicating whether the activation has been successful.

Options
To make sure that the user changes their static password, extra fields can be added to the second page in this
scenario. Fields can be added to the input page so that the user can enter a new static password, and then enter it
again for confirmation. The user needs to do this so that the original password can only be used once, for activ-
ation. The new password can be used for re-activation.

For more information, refer to 5.3.1. Software DIGIPASS Reactivation.

5.4.3.3. Scenario 3: Dynamic Registration Using Back-End System

Pre-Conditions
n The user account has not been created on IDENTIKEY Appliance
n The user knows their static password for their account in the back-end system
n The provisioning policy has been defined with the following settings:
n Local authentication ( Digipass Only or DIGIPASS/Password during Grace Period)
n Back-end authentication (Always or If Needed)
n Back-end protocol (Windows, RADIUS, LDAP Back-End authentication, or custom name)
n Dynamic User Registration enabled

IDENTIKEY Appliance 3.18 – Product Guide 107

 5. Software DIGIPASS Provisioning

Process

Image 41: DIGIPASS for Web Scenario 3 Process

IDENTIKEY Appliance 3.18 – Product Guide 108

 5. Software DIGIPASS Provisioning

The procedure for this scenario is very similar to that of 5.4.3.2. Scenario 2: Pre-Loaded User Accounts and Static
Passwords; the difference for the IDENTIKEY Appliance is that the back-end system is used to verify the user ID and
password. If both are OK, the account is created automatically in IDENTIKEY Appliance. Both scenario 2 and 3 are
identical from the user's perspective.

Options
To make sure that the user changes their static password, extra fields can be added to the second page in this
scenario. Fields can be added to the input page so that the user can enter a new static password, and then enter it
again for confirmation. The user needs to do this so that the original password can only be used once, for activ-
ation. The new password can be used for re-activation.

For more information, refer to 5.3.1. Software DIGIPASS Reactivation.

5.4.4. DIGIPASS 110 Provisioning

The DIGIPASS 110 is a hardware/software combination DIGIPASS. It does not require any software to be installed
on the client-side to enable it to run, but it does require the correct policy settings to be provided, followed by activ-
ation.

There are two scenarios that can be employed when activating a DIGIPASS 110. They both have different pre-con-
ditions. Which scenario is used will depend on how IDENTIKEY Appliance is implemented.

5.4.4.1. Scenario 1: No back-end authentication

Pre-Conditions
n The user account has been created
n The user knows their historical secret
n Historical Secret imported in IDENTIKEY Appliance (as static password)
n The provisioning policy has been defined with the following settings:
n Local authentication
n No back-end authentication
n DIGIPASS type is DIGIPASS 110

IDENTIKEY Appliance 3.18 – Product Guide 109

 5. Software DIGIPASS Provisioning

Process

Image 42: DIGIPASS 110 Scenario 1

IDENTIKEY Appliance 3.18 – Product Guide 110

 5. Software DIGIPASS Provisioning

The user opens the browser on their computer, and goes to the registration page of the DIGIPASS 110 provisioning
website. The DIGIPASS 110 provisioning website generates a challenge which will be used to encrypt the new
Server PIN. The user enters their user ID, static password, new Server PIN, confirmation of new Server PIN, and
DIGIPASS 110 serial number on the registration website. The DIGIPASS 110 Applet generates a Challenge Encrypted
Static Password (CESPR) using the generated challenge and the new Server PIN.

On the server-side, the CESPR is verified. If verification is successful the DIGIPASS 110 is assigned to the user, and
the initial PIN is set. The DIGIPASS grace period is set according to pre-defined parameters. The activation page is
returned if the provisioning is successful, or an error message will be returned if the provisioning is not successful.

5.4.4.2. Scenario 2: Back-end authentication always enabled

Pre-Conditions
n The user account has NOT been created
n The user knows historical secret to allow authentication by a legacy back-end system
n The provisioning policy has been defined with the following settings:
n NO local authentication (None)
n Back-end authentication (Always)
n DIGIPASS type is DIGIPASS 110

IDENTIKEY Appliance 3.18 – Product Guide 111

 5. Software DIGIPASS Provisioning

Process

Image 43: DIGIPASS 110 Scenario 2

The user enters their user ID, static password, challenge, CESPR, and DIGIPASS 110 serial number on the regis-
tration website. On the server-side, the user is authenticated on the back end. If the back-end authentication is
successful the user is then registered to using Dynamic User Registration. The DIGIPASS 110 is then assigned to
the user, and the initial PIN is set. The DIGIPASS grace period is set according to pre-defined parameters.

A response will be received indicating whether the activation has been successful.

IDENTIKEY Appliance 3.18 – Product Guide 112

 6. DIGIPASS Authentication for Windows Logon

6. DIGIPASS Authentication for Windows Logon

DIGIPASS Authentication for Windows Logon provides strong authentication when logging on to Microsoft Win-
dows. In this type of authentication, a user logs on to Microsoft Windows using:

n User ID
n Password
n one-time password generated by a DIGIPASS authenticator
n Server PIN

The credentials used by DIGIPASS Authentication for Windows Logon are either validated directly by IDENTIKEY
Authentication Server (online authentication) or using offline authentication data generated by IDENTIKEY Authentic-
ation Server (offline authentication). Whether DIGIPASS Authentication for Windows Logon performs an online or an
offline authentication depends on the availability of the IDENTIKEY Authentication Server instance and is com-
pletely transparent to the user.

The DIGIPASS Authentication for Windows Logon consists of a client software package, which is installed on the cli-
ent computer, and server-side functionality, which is part of IDENTIKEY Appliance. DIGIPASS Authentication for Win-
dows Logon requires a valid license to enable it on IDENTIKEY Appliance.

Warning
If your organization is impacted by the General Data Protection Regulation (GDPR), note that for being GDPR-com-
pliant, DIGIPASS Authentication for Windows Logon requires the Verify server SSL certificate box to be checked in
the DIGIPASS Authentication for Windows Logon Configuration Center.

For more information on GDPR, refer to the IDENTIKEY Appliance General Data Protection Regulation Compliance
Guide.

6.1. Additional References

n DIGIPASS Authentication for Windows Logon Product Guide

n DIGIPASS Authentication for Windows Logon Getting Started Guide
n DIGIPASS Authentication for Windows Logon User Guide

6.2. Online Authentication

Online authentication occurs when a user authenticates to Microsoft Windows using DIGIPASS Authentication for
Windows Logon while the client computer is connected to the network and can establish a connection to
IDENTIKEY Appliance. Authentication is performed using IDENTIKEY Appliance in real time.

IDENTIKEY Appliance 3.18 – Product Guide 113

 6. DIGIPASS Authentication for Windows Logon

Image 44: DIGIPASS Authentication for Windows Logon Online Authentication

The user ID, password (optional), and one-time password (OTP) are sent to IDENTIKEY Appliance to be verified. If
the OTP credentials are valid, DIGIPASS Authentication for Windows Logon receives the static Windows user pass-
word from IDENTIKEY Appliance and uses it to authenticate to Microsoft Windows.

If offline authentication is enabled, IDENTIKEY Appliance also sends (encrypted) offline authentication data to
DIGIPASS Authentication for Windows Logon. Offline authentication data is used for offline authentication when no
connection to IDENTIKEY Appliance can be established.

DIGIPASS Authentication for Windows Logon and IDENTIKEY Appliance communicate via SOAP using HTTPS.

6.3. Offline Authentication

Offline authentication occurs when a user authenticates to Microsoft Windows using DIGIPASS Authentication for
Windows Logon while the client computer is not connected to the network or cannot establish a connection to
IDENTIKEY Authentication Server. Authentication is performed using (locally stored and encrypted) offline authen-
tication data.

The offline authentication data is generated by IDENTIKEY Authentication Server during successful online authen-
tication. Offline authentication data is either limited to a specific time span (time-based) or a number of authen-
tications (event-based), thus requiring the client to perform online authentication regularly.

Offline authentication needs to be enabled via the IDENTIKEY Authentication Server configuration.

IDENTIKEY Appliance 3.18 – Product Guide 114

 6. DIGIPASS Authentication for Windows Logon

Image 45: DIGIPASS Authentication for Windows Logon Offline Authentication

The user ID, password (optional), and one-time password (OTP) are authenticated using the offline authentication
data. The authentication result is then sent back to DIGIPASS Authentication for Windows Logon on the client com-
puter. The offline authentication data can be used a limited number of times, and that limit can be configured
using the Administration Web Interface.

DIGIPASS Authentication for Windows Logon checks whether:

n Offline authentication data is available for the user. Offline authentication data is generated after a suc-
cessful online authentication when offline authentication is enabled in the relevant DIGIPASS Authentic-
ation for Windows Logon client component policy.

n This offline authentication data is still valid. Offline authentication data is valid for a limited time for time-
based data, or a limited number of logons for event-based data. The time or event limit is defined in the
relevant DIGIPASS Authentication for Windows Logon client component policy.

n The OTP validation succeeds with the offline authentication data.

Note
Although a user can have more than one DIGIPASS authenticator assigned, only the first one ever used with
DIGIPASS Authentication for Windows Logon has offline authentication data assigned. If the user attempts an off-
line authentication using another DIGIPASS authenticator with no offline authentication data assigned, DIGIPASS
Authentication for Windows Logon will display an authentication error.

If you need to switch offline authentication data support to another DIGIPASS authenticator, reset the offline
authentication data for the currently used DIGIPASS authenticator in the Administration Web Interface and per-
form an online authentication using the other DIGIPASS authenticator immediately afterward.

Note
It is also possible to configure user-specific policy settings for offline authentication. These settings will override
those set by the parent policy.

IDENTIKEY Appliance 3.18 – Product Guide 115

 6. DIGIPASS Authentication for Windows Logon

6.3.1. Disabling Offline Authentication

When offline authentication is disabled for a user, be aware of the following:

n Disabling offline authentication for a user means that IDENTIKEY Authentication Server will not send any
new encrypted offline logon data to the client computer.
n Disabling offline authentication for a user means that the user will still be able to use offline authen-
tication from the time that it is disabled until the encrypted offline logon data expires OR until the user per-
forms the next online authentication.

6.3.2. Forcing Static Password Verification

You can enforce static password verification during offline authentication via DIGIPASS Authentication for Windows
Logon, by disabling Stored Password Proxy and setting Back-End Authentication to Always.

6.3.3. Forcing OTP Use

A user may be forced to log on either online or offline using OTP by configuring DIGIPASS Authentication for Win-
dows Logon accordingly. For more information, refer to the DIGIPASS Authentication for Windows Logon User
Guide, Section "Enforcing DIGIPASS authentication".

6.3.4. Backup Offline Authentication for DIGIPASS Authentication for Windows Logon

You can use Primary Virtual Mobile Authenticator as a backup solution for DIGIPASS Authentication for Windows
Logon offline authentication. This extends the OTP delivery features of Message Delivery Component to DIGIPASS
Authentication for Windows Logon.

Warning
If your organization is impacted by the General Data Protection Regulation (GDPR), note that for being GDPR-com-
pliant, DIGIPASS Authentication for Windows Logon requires the Verify server SSL certificate box to be checked in
the DIGIPASS Authentication for Windows Logon Configuration Center, and the SEAL protocol used for com-
munication with IDENTIKEY Authentication Server must be SSL enabled in the Message Delivery Component Con-
figuration Utility.

For more information on GDPR, refer to the IDENTIKEY Appliance General Data Protection Regulation Compliance
Guide.

Backup offline authentication is intended as a temporary backup login solution. If offline authentication is enabled
in the used IDENTIKEY Authentication Server policy, IDENTIKEY Authentication Server sends encrypted offline
authentication data (for offline authentication with the primary DIGIPASS authenticator) and backup offline

IDENTIKEY Appliance 3.18 – Product Guide 116

 6. DIGIPASS Authentication for Windows Logon

authentication data (for backup offline authentication with Primary Virtual Mobile Authenticator) to the DIGIPASS
Authentication for Windows Logon client during successful online authentication; during backup offline authen-
tication, the DIGIPASS Authentication for Windows Logon client verifies OTPs against the backup offline authen-
tication data.

Backup offline authentication requires that users have assigned both a DIGIPASS authenticator for online and off-
line authentication, and Primary Virtual Mobile Authenticator for backup offline authentication. To generate
(backup) offline authentication data, users must successfully complete at least one online authentication pro-
cedure using DIGIPASS Authentication for Windows Logon.

Warning
Backup offline authentication will not work with Backup Virtual Mobile Authenticator.

6.4. Dynamic Component Registration (DCR)

Dynamic Component Registration (DCR) is used by DIGIPASS Authentication for Windows Logon 1.x to register a
component for use when logging on to Microsoft Windows using a one-time password (OTP). DIGIPASS Authentic-
ation for Windows Logon requires a client component to be registered for a user at the IP address used. DCR
checks to see if a client component for that IP address exists for a user, and if not it creates one.

Note
Dynamic Component Registration (DCR) is only supported for DIGIPASS Authentication for Windows Logon 1.x.

The Windows Logon client component is identified by the following formats:

n Client machine hostname: If a DNS-based reverse lookup of an IP address is being used with the DNS suf-
fix not set on the client machine.
n Fully qualified domain name (FQDN): If a DNS-based reverse lookup of an IP address is being used with
the DNS suffix set.

Using Windows Group Check, IDENTIKEY Appliance can test for Microsoft Windows groups of client computers on a
network. These groups can be used to define which computers on a network can use DIGIPASS Authentication for
Windows Logon, thus allowing a gradual and controlled implementation.

For more information about Dynamic Component Registration, refer to the DIGIPASS Authentication for Windows
Logon Product Guide.

6.5. Password Randomization

Warning
Password randomization is only possible in a Microsoft domain environment.

IDENTIKEY Appliance 3.18 – Product Guide 117

 6. DIGIPASS Authentication for Windows Logon

DIGIPASS Authentication for Windows Logon can be configured to provide password randomization. With password
randomization, the Windows logon password is generated in the background, with a randomized password format-
ted according to strict formatting rules.

With password randomization, the user logs on by entering only the user ID, OTP, and (optionally) a Server PIN,
with the password generated in the background. Using password randomization prevents a user from logging on
to Windows using a client computer which does not have DIGIPASS Authentication for Windows Logon installed.

After a successful authentication towards the IDENTIKEY Appliance, password randomization replaces the static
password used to authenticate the Windows client to the Windows domain with a randomly-generated static pass-
word. This randomly-generated password is no longer known to the user, thereby forcing the user to use DIGIPASS
OTP authentication.

Note
For Active Directory deployments with password randomization enabled, a new random password will be gen-
erated again once Active Directory indicates that the password is about to expire.

The randomly-generated password remains constant in the IDENTIKEY Appliance user account record, and a cor-
responding attribute is added to trace randomization status.

Configuring password randomization requires:

n LDAP or Windows back-end authentication towards Active Directory

n Password Randomization to be enabled in the policy

Note
If the Password Randomization feature of IDENTIKEY Authentication Server is used, the policy used in IDENTIKEY
Authentication Server must not apply password proxying for the changeBackendPassword SOAP com-
mand because this would lead to a user with a randomized password being able to change their password.

For more information about password randomization, refer to 2.12. Static Password Management.

6.6. Password Synchronization Manager

Password Synchronization Manager (PSM) is a product that is installed on the domain controller which allows a
change of the Windows password to be automatically updated on IDENTIKEY Appliance. The new Windows pass-
word will be reflected as the static password on IDENTIKEY Appliance.

When the Windows password is changed, it is updated on the domain controller. PSM checks for the availability of
IDENTIKEY Appliance before sending the new password to IDENTIKEY Appliance so that the data store can be
updated.

If IDENTIKEY Appliance is not available the synchronization will fail.

If the user is not defined on IDENTIKEY Appliance, only the password on the domain controller will be changed.

IDENTIKEY Appliance 3.18 – Product Guide 118

 6. DIGIPASS Authentication for Windows Logon

Warning
If your organization is impacted by the General Data Protection Regulation (GDPR), and if using tracing or dia-
gnostic log files, ensure to configure log file rotation.

For more information on GDPR, refer to the IDENTIKEY ApplianceGeneral Data Protection Regulation Compliance
Guide.

6.7. IDENTIKEY Appliance Retrieval and Failover

Clients can discover an IDENTIKEY Appliance instance:

n Manually using manual configuration in each Microsoft Windows client or by using the Active Directory (AD)
group policy infrastructure to push configuration.

n Automatically using DNS Service (SRV) records:

n Using anonymous DNS update

n Using Transaction SIGnature (TSIG) authentication.

TSIG is used primarily by the Domain Name System (DNS) to provide a means of authenticating
updates to a dynamic DNS database. It uses shared secret keys and one-way hashing to provide
a cryptographically secure way of identifying whether each endpoint of a connection is allowed to
make or respond to a DNS update.

Additionally, to support failover it is possible to configure primary and backup IDENTIKEY Appliance instances in a
replication setup (see 26. Replication).

6.8. IDENTIKEY Appliance SSL Certificate

DIGIPASS Authentication for Windows Logon uses secure connections to the IDENTIKEY Appliance using the Secure
Sockets Layer (SSL) protocol.

DIGIPASS Authentication for Windows Logon can be configured to validate the server certificate when establishing
a connection. Validation requires the server certificate to be registered in the certificate store on the client work-
station.

For more information on using and exporting this certificate, refer to the Chapter "DIGIPASS Authentication for Win-
dows Logon" in the IDENTIKEY Appliance Administrator Guide.

IDENTIKEY Appliance 3.18 – Product Guide 119

 7. EMV-CAP

7. EMV-CAP
EMV-CAP is the Chip Authentication Program (CAP) developed by credit card leaders Europay, Mastercard, and Visa
(EMV). OneSpan provides a range of smart card readers, which are EMV-CAP–compliant.

Image 46: DIGIPASS 810

7.1. Hardware Security Module

A Hardware Security Module is highly recommended for use with EMV-CAP smart card readers (see 8.2. Licensing
and Configuration).

7.2. EMV-CAP Scenario

The EMV-CAP scenario must be enabled in the configuration of each IDENTIKEY Appliance before EMV-CAP func-
tionality is available. For more information, refer to the Configuration Utility Help or the IDENTIKEY Authentication
Server Administrator Reference, Section "Configuration".

7.3. Licensing

These licensing options must be included for each IDENTIKEY Appliance:

n HSM
n EMV-CAP

IDENTIKEY Appliance 3.18 – Product Guide 120

 7. EMV-CAP

7.4. Unsupported Standard IDENTIKEY Appliance Features

The following standard features of IDENTIKEY Appliance are not supported with EMV-CAP:

n Dynamic User Registration

n Auto-Assignment

n Self-Assignment

7.5. Primary Account Number (PAN)

Whenever Primary Account Number (PAN) fields are displayed on the Administration Web Interface or the Con-
figuration Utility, they will be masked. Certain administrators will have an additional administrative permission
which will enable them to see PANs in clear text.

PANs will be stored as encrypted numbers on the data store. When the numbers are displayed they are decrypted
and then masked.

7.6. EMV-CAP modes

IDENTIKEY Authentication Server supports three EMV-CAP–compliant DIGIPASS applications, or modes. All modes
provide a secure code as output, but differ in the type of input data:

Table 7: Supported EMV-CAP modes in IDENTIKEY Authentication Server

Mode Data sent to IDENTIKEY Authentication Mandatory? Secure Code
Server

Mode 1 Challenge, transaction amount, or transaction NO Secure Code

currency
Mode 2 (Transaction Data Signing) Nine different data fields NO Signature
Mode 3 (Challenge/Response) Challenge YES Secure Code

IDENTIKEY Appliance 3.18 – Product Guide 121

 8. Hardware Security Module

8. Hardware Security Module

A Hardware Security Module (HSM) may be integrated with IDENTIKEY Appliance to provide an extra layer of secur-
ity to data storage.

8.1. Supported Hardware Security Modules

IDENTIKEY Appliance supports the following Hardware Security Module models:

n SafeNet ProtectServer External 2

n SafeNet ProtectServer Internal Express

If you plan to integrate IDENTIKEY Appliance with a supported Hardware Security Module, this HSM must be
installed and functioning correctly prior to IDENTIKEY Appliance installation.

8.2. Licensing and Configuration

To use HSMs, all instances of IDENTIKEY Appliance involved must be licensed for Hardware Security Modules.

Connection and encryption settings for IDENTIKEY Appliance to use with the Hardware Security Module(s) are con-
figured when running the IDENTIKEY Wizard.

8.3. Unsupported Standard IDENTIKEY Appliance Features and Limitations

When using HSMs with IDENTIKEY Appliance, certain standard features are not supported and certain limitations
apply.

The following standard features are not supported with HSMs:

n OATH-based authenticators
n Offline Data Generation (for Windows Logon)

The following RADIUS protocols are not supported with HSMs:

n CHAP
n MSCHAP
n MSCHAP2

8.3.1. Limitations in the usage of HSMs

n IDENTIKEY Appliance only supports network Hardware Security Modules.

IDENTIKEY Appliance 3.18 – Product Guide 122

 8. Hardware Security Module

8.4. Load Balancing and Failover

IDENTIKEY Appliance provides load-balancing and failover between Hardware Security Module slots.

The IDENTIKEY Wizard can be used to choose from a list of available HSM for this purpose. For more information,
refer to the IDENTIKEY Appliance Installation and Maintenance Guide.

8.4.1. Session Pool

When the VASCO IDENTIKEY Authentication Server daemon is started, IDENTIKEY Appliance will automatically cre-
ate a Session Pool for use in accessing each HSM. HSM slots with an attribute matching the IDENTIKEY Authentic-
ation Server configuration setting slotSelectionAttribute will be added to the Session Pool – up to the value of the
slotsExpected configuration setting.

When IDENTIKEY Appliance needs to access data protected by the HSM(s), it takes a random session from the
pool. Where multiple HSMs are available, this spreads the load across all slots.

If a session does not receive a response from a slot, the HSM is blacklisted and slots on the other HSM(s) will be
used, where available.

8.4.2. HSM Re-Initialization

IDENTIKEY Appliance will stop and re-initialize all HSMs in the Session Pool when:

n All configured HSMs are blacklisted, or

n At least one HSM has been blacklisted and no sessions are currently required

8.5. Cryptographic Keys

A Hardware Security Module can be used to protect and manage your high-value cryptographic keys. HSMs provide
stronger authentication for server applications. Cryptographic keys are used to encrypt four types of data:

n Storage data
n Sensitive data
n Transport keys
n Audit data (when Secure Auditing is enabled)

Storage data cryptographic keys are used for securing DIGIPASS BLOBs. Each DIGIPASS Application for each
DIGIPASS device has its own BLOB. This BLOB contains DIGIPASS configuration and other important information
about the device.

IDENTIKEY Appliance 3.18 – Product Guide 123

 8. Hardware Security Module

Audit data cryptographic keys are used for encrypting audit entries when secure auditing is enabled. For more
information, refer to 20.4. Secure Auditing.

Sensitive data keys are used for all other types of data.

Transport keys are used to decrypt DIGIPASS import files (.dpx files). Such files are protected by double-DPX encryp-
tion, which provides extra security to DIGIPASS records prior to importing.

Access to sensitive data, storage data, and audit data can be protected by the keys, which can be rotated at reg-
ular intervals, providing even greater security. To rotate the keys a job must be initiated from the Administration
Web Interface. The job can be scheduled or run immediately.

Note
When copying, migrating, or backing up encrypted database files, ensure that the encryption key (and/or the
optional password key) is also backed up. Otherwise, you will not be able to read the data, as it will be encryp-
ted.

The key rotation process involves decrypting data with an old encryption key, then re-keying the data with a new
encryption key. Rotating one sensitive data key affects all other sensitive data keys, while rotating a storage data
key affects all other storage data keys.

Cryptographic key rotation can take some time. You can schedule a key rotation to run at a convenient time, then
cancel it if not finished when system resources are needed again. If you restart the key rotation later, processed
data does not need to be re-processed.

With SafeNet HSMs, each slot contains a token. Multiple cryptographic keys can be stored in each token, as illus-
trated below:

IDENTIKEY Appliance 3.18 – Product Guide 124

 8. Hardware Security Module

Image 47: SafeNet Cryptographic Keys Allocated by Token Name and Slot ID

IDENTIKEY Appliance 3.18 – Product Guide 125

 9. Administration

9. Administration
IDENTIKEY Appliance provides three major user interfaces to allow quick and easy administration:

n Configuration Tool. Used for installation and maintenance.

n Administration Web Interface. Used for everyday system administration.
n Rescue Tool. Used to set the IP address, rescue the first administrator, and set other limited settings.

The administration interface to use in a particular situation depends on the required tasks and the data store used
by IDENTIKEY Appliance.

9.1. Default Administrative Users

Each administration interface has its own default administrative user with its own default credentials.

Table 8: Default Administrative User Credentials

Interface User Name Factory Default Password
Configuration Tool sysadmin sysadmin
Rescue Tool rescue (none required)

The password for sysadmin to access the Configuration Tool must be changed during initial setup via the First
Time Configuration Wizard.

Passwords for the Configuration Tool default administrative users can be reset to the factory default values in the
Configuration Tool (via System > Actions). For more information, refer to the IDENTIKEY Appliance Installation and
Maintenance Guide.

You can also add password protection to the Rescue Tool (see Section 36.1. Accessing the Rescue Tool).

The Administration Web Interface user name and password are defined during the installation and setup process.
The IDENTIKEY Authentication Server Setup Wizard will prompt you to configure an administrator login at that time
(see Section 10.4. IDENTIKEY Authentication Server Setup Wizard).

Note
A system administrator named _ system is registered in the Master Domain by default, and cannot be
removed. This administrator is used by the IDENTIKEY Appliance for system operations.

9.2. Creating a New System Administrator

During the installation process, the IDENTIKEY Authentication Server Setup Wizard will prompt you to configure an
administrative login (using an administrative user name and password). By default, this login will have access to
the Administration Web Interface and the Configuration Tool.

IDENTIKEY Appliance 3.18 – Product Guide 126

 9. Administration

For more information about the IDENTIKEY Authentication Server Setup Wizard, refer to Section 10.4. IDENTIKEY
Authentication Server Setup Wizard.

Using the default user account sysadmin to access the Configuration Tool is less secure than using the user-
defined administrator login. We therefore recommend that you disable the sysadmin account as soon as the
administrator login is enabled.

For information about disabling the sysadmin account, refer to the IDENTIKEY Appliance Administrator Guide.

For information about creating and configuring an administrator login, refer to the IDENTIKEY Appliance Installation
and Maintenance Guide.

9.3. Configuration Tool

The Configuration Tool interface supports installation and management of the IDENTIKEY Appliance and is inten-
ded for system administrators. Some of the features managed through the Configuration Tool require connection
to the VASCO Customer Portal (see Section 2.14. VASCO Customer Portal).

The Configuration Tool comprises the following functionality, supported through the Configuration Tool:

n Installation configuration. The Configuration Wizard supports installation configurations (see Chapter 10.
Installation Configuration). Manual configurations are also possible after completing the Configuration Wiz-
ard, using the Configuration Tool (see Section 10.5. Manual Configurations).
n Licensing. All instances of IDENTIKEY Appliance need to be licensed (see Chapter 11. Licensing).
n Updating. Manually download and install updates, when available (see Chapter 16. Updating).
n Backup and restore (see Chapter 17. Backup and Restore)
n Auditing and logging. Information generated from the IDENTIKEY Appliance can be searched using live
viewers (see Chapter 20. Auditing and Chapter 19. System Logging).
n System statistics. Statistics is available about the IDENTIKEY Appliance, the services, disk and memory
usage, and interface (see Chapter 22. Statistics).
n Message Delivery Component: This component supports the use of Virtual DIGIPASS and is used to send
IDENTIKEY Appliance notifications (see Chapter 23. Message Delivery Component).
n Remote support. Remote support can be provided by OneSpan (see Section 24.2. Remote Support). Note
that remote support requires a connection to the VASCO Customer Portal.
n LDAP user synchronization. Synchronization supports automatically creating and updating user account
records from an LDAP Server to the IDENTIKEY Appliance (see Chapter 25. LDAP User Synchronization).
n Replication (see Chapter 26. Replication)
n System actions. Restarting, shutting down, and resetting default administrative user passwords are
actions possible using the System Actions menu in the Configuration Tool. For more information, refer to
the IDENTIKEY Appliance Installation and Maintenance Guide.

9.4. Administration Web Interface

The Administration Web Interface is intended for use by help desks and system administrators and support:

IDENTIKEY Appliance 3.18 – Product Guide 127

 9. Administration

1. Creating a customized administrator account with the correct administration privileges to allow access to
the Configuration Tool using a DIGIPASS user account (based on the DIGIPASS user account or policy set-
tings). This allows you to disable the sysadmin user account (which uses a static password), hence
strengthening administrator logon and enabling authentication with DIGIPASS one-time password.

For information about creating this administrator account, refer to the IDENTIKEY Appliance Administrator
Guide.

2. Administrating the IDENTIKEY Appliance day-to-day. The Administration Web Interface allows managing:
n User accounts. Each DIGIPASS holder is registered in the database, with a DIGIPASS user account
(see Chapter 27. DIGIPASS User Accounts).
n DIGIPASSDeployment. Each DIGIPASS device is registered in the IDENTIKEY Appliance database
(see Chapter 28. DIGIPASS).
n Client components. Authentication and administration clients are registered in the IDENTIKEY
Appliance (see Chapter 30. Client Components).
n System. Server components are registered in the IDENTIKEY Appliance (see Chapter 31. Server
Components).
n Policies. Policies specify various settings that affect request handling processes. Each request is
handled according to a policy that is identified by the applicable component record (see Chapter
32. Policies).
n Back-end servers. Back-end authentication is the process of verifying user credentials with
another system (see Section 3.7. Back-End Authentication). With IDENTIKEY Appliance this can be
an LDAP or RADIUS server.

Back-end authentication is used for various purposes, including:

n Enabling automatic management features such as Dynamic User Registration and Self-
Assignment.
n Verifying static passwords for users who do not have a DIGIPASS device and for Virtual
Mobile Authenticator.
n Enabling password replacement - allowing the user to log in with just a one-time pass-
word , in an environment where the Microsoft Windows password is required, e.g.
Outlook Web Access.
n Retrieving RADIUS attributes from a RADIUS server.

Back-end server records are registered in the IDENTIKEY Appliance.

n Domains and organizational units. User accounts and DIGIPASS records can be grouped in the
IDENTIKEY Appliance using two structures: domains and organizational units (see Chapter 35.
Organization).
n Reports. The IDENTIKEY Appliance reporting functionality allows you to create reports from the
database and the audit information (see Chapter 33. Reporting).

The Administration Web Interface uses the IDENTIKEY Appliance SOAP administration interface to manage data.

9.5. Rescue Tool

The Rescue Tool allows administrators to access a limited number of settings through a menu.

IDENTIKEY Appliance 3.18 – Product Guide 128

 9. Administration

The Rescue Tool can be used to:

n Reset configuration settings to factory default settings.

n Reset the sysadmin user account for Configuration Tool administration.
n Reset the access settings for Configuration Tool administration
n Change and view network settings, e.g. changing the IP address.
n Reboot or shut down the system.

For more information, refer to Chapter 36. Rescue Tool.

IDENTIKEY Appliance 3.18 – Product Guide 129

 10. Installation Configuration

10. Installation Configuration

Installation is the process of linking the IDENTIKEY Appliance to your organization network and configuring general
settings.

Installation and licensing are both necessary to use IDENTIKEY Appliance services. In this chapter we describe
installation. For information about licensing, refer to Chapter 11. Licensing.

For more information about how to install IDENTIKEY Appliance, refer to the IDENTIKEY Appliance Installation and
Maintenance Guide.

For more information about the fields in the Configuration Tool, refer to the IDENTIKEY Appliance Administrator
Reference.

10.1. First Time Setup

First you must set the IP address. You can do this by:

n Using the IDENTIKEY Appliance Rescue Tool (see Chapter "Rescue Tool" in the IDENTIKEY Appliance Install-
ation and Maintenance Guide). This is the simplest way to set the IP address.
n Temporarily isolating a client workstation from the network and linking it to the IDENTIKEY Appliance to
set the IDENTIKEY Appliance IP address within the range of the network.

Procedure 4: Setting the IDENTIKEY Appliance IP address within range of a network

1. Change a client workstation IP address to within the specified IP address range for the IDENTIKEY Appli-
ance.
2. Connect the client workstation to the IDENTIKEY Appliance with a network cable.
3. Use a Web browser on the client workstation to access the IDENTIKEY Appliance Configuration Tool.

The IDENTIKEY Appliance automatically detects that this is a first-time installation and launches the Con-
figuration Wizard.

4. Configure a new IP address within your network range on the IDENTIKEY Appliance via the Configuration
Wizard.

When the Configuration Wizard has finished you will be redirected to the new IP address. You can then
use the IDENTIKEY Appliance via the new IP address. If your workstation is still in the wrong range for the
network, you should change it now.

The IDENTIKEY Appliance is now integrated within your setup.

IDENTIKEY Appliance 3.18 – Product Guide 130

 10. Installation Configuration

10.2. Configuration Wizard

The Configuration Wizard is launched when a new Configuration Tool is accessed and must be completed to allow
full access to the Configuration Tool, for manual configurations.

It guides the system administrator through a minimal number of settings:

n Password change
n Network settings: IP address within your network including the net mask, and the default gateway to
access the Internet
n Hostname, DNS suffix, DNS server
n NTP (time) server
n IDENTIKEY Appliance certification authority (CA) information

For more information, refer to the IDENTIKEY Appliance Administrator Reference.

Tip
The major settings are completed during the Configuration Wizard, but additional features may also require to be
configured, including:

1. Message Delivery Component to support Virtual Mobile Authenticator authentication (see Chapter 23.
Message Delivery Component).
2. Replication for synchronization of data between multiple IDENTIKEY Appliance devices (see Chapter 26.
Replication)
3. LDAP Synchronization to synchronize user account records from an LDAP Active Directory (see Chapter
25. LDAP User Synchronization).
4. Back-end authentication for checking user credentials with a RADIUS or LDAP server (see Section 3.7.
Back-End Authentication).

For more information, refer to IDENTIKEY Appliance Administrator Guide.

10.3. License Configuration Wizard

A license must be installed at this point to enable IDENTIKEY Appliance to be set up and function correctly (see Sec-
tion "Upload License" in the IDENTIKEY Appliance Installation and Maintenance Guide).

10.4. IDENTIKEY Authentication Server Setup Wizard

The IDENTIKEY Authentication Server Setup Wizard will walk you through the configuration of a Master Domain,
along with an administrator logon (username and password) for that domain. This wizard will also allow you to eas-
ily enable and configure HSM and Secure Auditing.

IDENTIKEY Appliance 3.18 – Product Guide 131

 10. Installation Configuration

If you enable HSM, the IDENTIKEY Authentication Server Setup Wizard will prompt you to configure the settings
necessary for enabling HSM linking (see Chapter 8.2. Licensing and Configuration).

If you enable Secure Auditing, the IDENTIKEY Authentication Server Setup Wizard will prompt you to configure
Secure Auditing settings. The IDENTIKEY Appliance settings available for Secure Auditing are identical to those avail-
able in IDENTIKEY Authentication Server (see Section 20.4. Secure Auditing).

For more information, refer to the IDENTIKEY Appliance Installation and Maintenance Guide.

10.4.1. Case-Sensitive User IDs and Domain Names

The IDENTIKEY Authentication Server Setup Wizard also allows you to configure case-sensitive user IDs and
domain names. This setting is useful when authenticating against case-sensitive data stores: for example, if
IDENTIKEY Authentication Server is configured to be case-insensitive, then user ID Jsmith can be authenticated
against user jsmith in a case-sensitive data store.

Case-sensitivity is particularly important when Dynamic User Registration is enabled, as it can prevent the creation
of multiple DIGIPASS users from multiple logons (see Section 3.5.4. Dynamic User Registration).

10.5. Manual Configurations

Completing the IDENTIKEY Appliance Configuration Wizard is mandatory before manual changes are possible in
the Configuration Tool.

Manual configuration is necessary:

n to change default settings which are not available during the Configuration Wizard
n to change settings after initial setup (the Configuration Wizard is only offered on a factory default system)

For more information, refer to the IDENTIKEY Appliance Administrator Reference.

10.6. Migration to IDENTIKEY Appliance / IDENTIKEY Virtual Appliance from IDENTIKEY Authentic-
ation Server

When migrating to IDENTIKEY Appliance / IDENTIKEY Virtual Appliance from IDENTIKEY Authentication Server you
can use the Data Migration Tool and the IDENTIKEY Appliance Update Wizard to migrate for instance user data or
DIGIPASS data. For information how to set the source IDENTIKEY Appliance / IDENTIKEY Virtual Appliance into migra-
tion mode, refer to the Data Migration Tool Administrator Guide; for information how to load the required package
into IDENTIKEY Appliance / IDENTIKEY Virtual Appliance, refer to the IDENTIKEY Appliance Installation and Main-
tenance Guide.

IDENTIKEY Appliance 3.18 – Product Guide 132

 11. Licensing

11. Licensing
Licensing is the process of obtaining a product or evaluation license. This serves for OneSpan to identify an issued
IDENTIKEY Appliance and to issue a license file to make IDENTIKEY Appliance fully operational. After installation,
and before licensing, the Configuration Tool and the Administration Web Interface are accessible for configuration
and management, but no services, such as authentication, are available.

The licensing process requires registering information on the VASCO Customer Portal. This information identifies
the appliance to OneSpan to issue a license file.

Two levels of licensing are possible:

n Evaluation license, which lasts for a finite length of time and allows you to evaluate the product (see Sec-
tion 2.13.4. Evaluation Licensing).
n Commercial license, which is the full operating license (see Section 2.13.3. Commercial Licensing).

The licensing procedure is supported by a Licensing Wizard. The Licensing Wizard is accessible through the
IDENTIKEY Appliance Configuration Tool (see Chapter 9. Administration).

For more information about how to install and license the IDENTIKEY Appliance, refer to the IDENTIKEY Appliance
Installation and Maintenance Guide.

11.1. First Time Licensing

The licensing procedure has five main steps:

1. Initiating the Licensing Wizard.

When the IDENTIKEY Appliance is accessed for the first time after installation (see Chapter 10. Install-
ation Configuration), the Configuration Tool displays a warning message that the appliance is not licensed
and provides a link to launch the Licensing Wizard.

2. Downloading a system information file identifying the IDENTIKEY Appliance using the Licensing Wizard.

This file contains information specific to the IDENTIKEY Appliance, including:

Host key, which is specific to the appliance

n
Configuration key, which is specific to the configuration. This may change for an appliance,
n
when:
n The appliance is reset to factory default.
n Under certain conditions when a backup is restored (see Section 17.3. Backup Restore).
n IP address
n Product version number
3. Uploading the system information file (.txt file) to the VASCO Customer Portal (https://cp.onespan.com/)
together with the following information:
n Maintenance reference (commercial licenses only)
n Serial number (commercial licenses only)

IDENTIKEY Appliance 3.18 – Product Guide 133

 11. Licensing

n Details of the organization where the appliance is installed

4. Downloading a license file (.dat file) from the VASCO Customer Portal.
5. Uploading the license file to the IDENTIKEY Appliance through the Licensing Wizard.

For more information, refer to the IDENTIKEY Appliance Installation and Maintenance Guide.

11.2. Re-Licensing

Re-licensing is necessary when:

n Changing the IP address (see Section 11.2.1 Change IP address).

n Restoring a backup another IDENTIKEY Appliance, e.g. for replacement (see Section 11.2.2 Restoring
back).
n Upgrading an evaluation license to a commercial license (see Section 11.2.3 Upgrading from Evaluation).
n Upgrading a commercial license to add new license options (see Section 11.2.4 Upgrading Commercial
License).
n Upgrading a major software version, e.g. from version 3.0.2.0 to 3.1.3.1 (see Section 11.2.5 Major version
upgrade).
n Restoring to the factory default state (see Section 11.2.6 After restoring ).

Re-licensing may require you to contact your IDENTIKEY Appliance supplier to release the initial (but now invalid)
license from the IDENTIKEY Appliance. Afterwards you need to re-run the License Wizard.

For more information, refer to the IDENTIKEY Appliance Installation and Maintenance Guide.

11.2.1. Changing the IP Address

Warning
It is not possible to re-license an appliance for which the IP address has changed until you have contacted your
IDENTIKEY Appliance supplier (see Chapter 37. Support Procedure).

Changing the IP address of the IDENTIKEY Appliance renders the license invalid, immediately stopping all services,
such as authentication. As no valid license is present for the new IP address, there is no grace period, although the
Configuration Tool and the Administration Web Interface remain accessible for configuration and management.

The IDENTIKEY Appliance automatically detects that the IP address has changed and that the license is no longer
valid. The Configuration Tool displays a warning message with a link to the Licensing Wizard. Then you need to
contact your IDENTIKEY Appliance supplier to release the initial (and now invalid) license from the IDENTIKEY Appli-
ance. Re-licensing follows the same procedure as first-time licensing.

The old IP address is removed the same way it is set for first time setups (see Section 10.1. First Time Setup). The
old IP address can be reassigned to the IDENTIKEY Appliance, and the appliance can be re-licensed using the old
license file, if necessary.

IDENTIKEY Appliance 3.18 – Product Guide 134

 11. Licensing

11.2.2. Restoring a Backup to an IDENTIKEY Appliance

Warning
Restoring a backup from a different appliance renders the license invalid. It is not possible to re-license the appli-
ance until you have contacted your IDENTIKEY Appliance supplier (see Chapter 37. Support Procedure).

Note
The configuration key and the license from a backup are always restored.

Restoring a backup created by the same appliance does not require re-licensing, as the IP address, the host key
and the configuration key remain the same as supplied in the original system information file used for issuing the
license.

Restoring a backup created by the same appliance when the appliance has been reset to factory default does not
require re-licensing, as the IP address and the host key remain the same. Although the configuration key changed
when the appliance was reset to factory default, this value is overwritten by the original configuration key restored
from the backup. All reference values are the same as supplied in the original system information file used for issu-
ing the license.

Restoring a backup created by a different appliance, e.g. restoring to a new appliance in case of hardware failure,
requires re-licensing. Although the license restored from the backup is bound to the restored configuration key, the
host key is different to the one supplied in the original system information file used for issueing the license. After a
backup is restored, all services remain available for a grace period of 30 days; afterwards, all services will stop,
although the Configuration Tool and the Administration Web Interface remain accessible for configuration and man-
agement. The grace period allows you to contact your IDENTIKEY Appliance supplier to release the initial license
from the IDENTIKEY Appliance. Re-licensing follows the same procedure as first-time licensing.

For more information about restoring a backup and using a replacement appliance, refer to the IDENTIKEY Appli-
ance Installation and Maintenance Guide.

For more information about backup and restore, refer to Chapter 17. Backup and Restore.

11.2.3. Upgrading an Evaluation License to a Commercial License

With an evaluation license all services remain available for a grace period of 45 days (30 days, if the license con-
tains a different host key); afterwards all services will stop, although the Configuration Tool and the Administration
Web Interface remain accessible for configuration and management. You need to re-license the IDENTIKEY Appli-
ance with a commercial license before the evaluation license expires.

It is not necessary to contact your IDENTIKEY Appliance supplier to upgrade from an evaluation to a commercial
license. Re-licensing follows the same procedure as first-time licensing (see Section 11.1. First Time Licensing).

IDENTIKEY Appliance 3.18 – Product Guide 135

 11. Licensing

11.2.4. Upgrading a Commercial License to Add New License Options

Upgrading a commercial license to add new license options requires re-licensing.

In this case, it is not necessary to upload the system information file to the VASCO Customer Portal, as the IP
address, the host key and the configuration key remain the same as supplied in the original system information
file used for issuing the license.

A new license file is made available via the VASCO Customer Portal after receiving a purchase order. The license
file can then be uploaded using the License Wizard (see Section 11.1. First Time Licensing) without downloading a
system information file first.

After successful re-licensing all services are operational and new options are immediately available.

11.2.5. Upgrading a Major Software Version

A major version upgrade, e.g. from version 3.0.2.0 to 3.1.3.1, may require re-licensing. Re-licensing follows the
same procedure as upgrading a commercial license to add new options (see Section 11.2.4. Upgrading a Com-
mercial License to Add New License Options).

11.2.6. Restoring to Factory Default

Warning
Restoring to factory defaults renders the license invalid. It is not possible to re-license the appliance until you
have contacted your IDENTIKEY Appliance supplier (see Chapter 37. Support Procedure).

Restoring IDENTIKEY Appliance to the factory default state cleans the system and changes the configuration key. In
this case the running license is bound to the previous configuration key, so re-licensing is not allowed. You need to
contact your IDENTIKEY Appliance supplier to release the initial license from the IDENTIKEY Appliance. Re-licensing
follows the same procedure as first-time licensing.(see Section 11.1. First Time Licensing).

Note
If a backup is restored to an appliance in the factory default state, the configuration key from the backup is
restored (see Section 11.2.2. Restoring a Backup to an IDENTIKEY Appliance).

IDENTIKEY Appliance 3.18 – Product Guide 136

 12. Secure Network Management Protocol (SNMP)

12. Secure Network Management Protocol (SNMP)

The Secure Network Management Protocol (SNMP) is a UDP-based network protocol. Although an explanation of
the concepts of SNMP is outside the scope of this manual, the protocol is used in network management systems to
monitor devices on the network which may need attention. SNMP supplies device variables, which can be queried
by managing applications. SNMP thus allows the IDENTIKEY Appliance to be monitored by a managing application.

In order to connect to IDENTIKEY Appliance the authentication and privacy encryption of an SNMP client must be
properly configured. In addition, you can add more information to the SNMP server by enabling the Performance
Monitoring Counter plug-in (see Chapter 13. Performance Monitoring).

12.1. Supported SNMP Versions

IDENTIKEY Appliance supports the following SNMP versions:

n Version 2c (for use on trusted networks)

n Version 3 (secure communication with authentication and encryption)

12.2. SNMP Usage in IDENTIKEY Appliance

In IDENTIKEY Appliance, SNMP is used for querying statistics and for system monitoring purposes.

12.2.1. Querying Statistics

SNMP is used to query IDENTIKEY Authentication Serverstatistics and system statistics. Querying IDENTIKEY
Authentication Server statistics includes for instance the number of authentications and failed authentications.
Querying system statistics includes memory usage, disk usage, system load etc.

12.2.2. Using SNMP for System Monitoring

SNMP is also used for system monitoring purposes to alert administrator of certain events by creating and sending
targets, amongst other, in the form of SNMP traps. We recommend to monitor the following types of events:

n System OS events
n IDENTIKEY Appliance Configuration Tool events
n IDENTIKEY Authentication Server events

For more information on the practical usage of SNMP and a detailed description of how to configure SNMP, hand-
ling MIB files and the IDENTIKEY Appliance System Monitoring feature, refer to Section 14. Health Check and the
IDENTIKEY Appliance Administrator Guide; for a list of the relevant field and file descriptions refer to the IDENTIKEY
Appliance Administrator Reference.

IDENTIKEY Appliance 3.18 – Product Guide 137

 13. Performance Monitoring

13. Performance Monitoring

Performance Monitoring allows you to monitor specific parts of IDENTIKEY Appliance processing to produce useful
performance statistics.

Performance Monitoring is disabled, enabled, and managed using the IDENTIKEY Appliance Configuration Tool.

IDENTIKEY Appliance uses Filters to define what to monitor; the different supported plugins are used to control how
to deliver that data. Filters are applied to all possible output plugins.

13.1. Filters

The Performance Monitoring tool uses filters to determine which specific parts of IDENTIKEY Appliance processing
should be monitored.

A filter must consist of the name of a performance transaction. You can specify a single performance transaction,
or you can use the asterisk (*) wildcard to identify a group of transactions.

IDENTIKEY Appliance 3.18 – Product Guide 138

 13. Performance Monitoring

Image 48: Adding Filter in Performance Monitoring

In the IDENTIKEY Authentication ServerConfiguration Utility click Add to define a filter. In the Transaction Filter box ,
a filter can be added by entering a pattern. This pattern must consist of the name of a performance transaction.

The positioning of the asterisk determines what performance transactions will be filtered. For example:

n *administration.logon -by placing the asterisk at the beginning , all performance transactions
that end in administration.logon will be monitored
n *administration* -by placing an asterisk at the beginning and at the end, everything related to
administration will be monitored
n identikey.scenario.signature* -by placing the asterisk at the end, all performance trans-
actions starting with identikey.scenario.signature will be monitored
n identikey*logon -by placing the asterisk in the middle, all performance transactions starting with
identikey and ending with logon will be monitored.

You can find a list of available performance transactions in the IDENTIKEY Appliance Administrator Reference.

IDENTIKEY Appliance 3.18 – Product Guide 139

 13. Performance Monitoring

13.2. Plugins

The Performance Monitoring tool uses several plugins in order to define its output.

CSV Plugin
The CSV Plugin allows you to define a comma-separated variable (.csv) file to write the results to. To enable
the CSV plugin, click Enable CSV Plugin in the Performance Monitoring Tool.

Counter Plugin
To enable the counter plugin, click Enable Counter Plugin in the Performance Monitoring Tool.

The Counter Plugin will generate data relating to the number of times certain transactions have been carried
out, and relevant timing information for those transactions. The SNMP server on which the Counter Plugin
enters the data is the one running on IDENTIKEY Authentication Server.

The counter data can be viewed using SNMP.

Note
For the counter plugin to work, SNMP must be enabled.

IDENTIKEY Appliance 3.18 – Product Guide 140

 14. Health Check

14. Health Check

IDENTIKEY Authentication Server offers a dedicated health check to monitor the VASCO IDENTIKEY Authentication
Server service and check if the service is available and working properly. The health check endpoint is enabled by
default using port 8889 and /health as URL extension. If you send an HTTP GET request to this endpoint, one of the
following HTTP status codes is returned in a log file, according to the service status:

n Succeeding health check request: HTTP 200

n Failed health check request: HTTP 503
n Non-supported URL: HTTP 404

IDENTIKEY Appliance 3.18 – Product Guide 141

 14. System Monitoring, Notifications, and OS Traps

14. System Monitoring, Notifications, and OS Traps

IDENTIKEY Authentication Server supports application level system monitoring with SNMP. This feature allows you
to monitor IDENTIKEY Appliance processing to provide notifications when specific events occur.

System Monitoring is performed based on the IDENTIKEY Authentication Serverand IDENTIKEY Appliance audit mes-
sages and their contents, and creates an alert when specified messages appear. These alerts, or targets, are sent
via text messages, e-mails, or SNMP traps. To apply system monitoring, the IDENTIKEY Authentication Server Sys-
tem Monitoring feature must be enabled. Use the IDENTIKEY Appliance configuration interfaces to configure,
enable, or disable system monitoring.

Filters help system administrators monitor critical events as they occur, rather than making them search through
an extensive list of audit logs to locate potentially critical system events.

14.1. Events to be Monitored and Data Sources

IDENTIKEY Appliance can monitor different types of events. VASCO recommends monitoring the following events:

n System OS events (produce OS traps)

n IDENTIKEY Appliance Configuration Tool events (produce notifications)
n IDENTIKEY Authentication Server events (produce system monitoring alerts)

For more information on system monitoring via SNMP, refer to the IDENTIKEY Appliance Administrator Guide.

14.1.1. System OS Events

Emergency alerts are sent for critical system OS events such as:

n Disk space status - a full disk, for instance, would prevent that additional audit logs are being written
n Memory status: a warning is produced if the system memory is filling
n SNMP status
n Certain processes are started or stopped

Note
The following emergency alerts sent by IDENTIKEY Appliance need to be attended in any case to ensure system
functionality:

n The IDENTIKEY Appliance hard disk drive is more than 90 percent full.
n A critical service is not running, e.g. IDENTIKEY Authentication Server, Syslog, Postgres.
n The swap memory is full.

IDENTIKEY Appliance 3.18 – Product Guide 142

 14. System Monitoring, Notifications, and OS Traps

14.1.1.1. System OS Events - Data Source

For critical system OS events, IDENTIKEY Appliance monitors audit messages that are generated when such critical
system OS events occur. Emergency alerts of this type can only be sent via SNMP traps and cannot be customized;
they can only be enabled or disabled for each SNMP version. Different types of SNMP alerts are available for the dif-
ferent SNMP versions. When enabled, all emergency alerts are sent to the SNMP server.

14.1.2. IDENTIKEY Appliance Configuration Tool Events - Data Source

IDENTIKEY Appliance monitors audit messages generated by the System Configtool source for all Configuration
Tool events.

14.1.3. IDENTIKEY Authentication Server Events - Data Source

IDENTIKEY Appliance monitors IDENTIKEY Authentication Server components via the audit messages generated by
the Identikey Server source and sends notifications via SMS, e-mail, or SNMP traps. You can configure which audit
messages are monitored via the source field of an audit message.

14.2. Filters

System Monitoring requires filters to specify which IDENTIKEY Appliance events / audit messages should be mon-
itored. Filter details must include a/an:

n Name
n Target, specifying which notification method is to be used
n Audit message type to monitor
n Specific field
n Condition
n Value for the specified field

14.3. Targets

The System Monitoring tool requires one or more targets to be defined to specify the output format. The available
target formats are:

n SMS
n E-mails
n SNMP-traps

The following table lists the different required information for each target.

IDENTIKEY Appliance 3.18 – Product Guide 143

 14. System Monitoring, Notifications, and OS Traps

Table 9: Target requirements

Target Required Information
SNMP ( Inform, TRAP) n a name
n SNMP type – Inform, TRAP
n Host IP address
n Security name for SNMPV3
n Authentication protocol type
n Authentication Secret
n Privacy type
n Privacy secret
n Engine ID - TRAP
SNMP (TRAPV2c) n Host IP address
n Community Name
n Engine ID
SMS n a name
n a mobile phone number
Email n a name
n a source email address
n a target email address
n a subject line

Note
When you configure SNMP targets, make sure to set both the Authentication type AND the Privacy type for a
complete trap configuration in the IDENTIKEY Appliance Configuration Tool, i.e. you cannot set a privacy
type without setting an authentication type.

Only the following combinations for SNMP communication are valid:

n Without authentication and privacy (both set to None).

n With authentication, but without privacy.
n With authentication and privacy.

14.3.1. Best Practices: System Monitoring with SNMP Targets

When using IDENTIKEY Authentication Server System Monitoring, OneSpan recommends defining SNMP targets for
the following IDENTIKEY Authentication Server events:

n IDENTIKEY Authentication Server Errors. For this type of events, OneSpan recommends defining an audit fil-
ter that extracts all error audit messages.
n Locked DIGIPASS users. For this type of events, a filter should be defined that extracts all audit messages
with the audit code ‘W-011003’.
n Failed administrative logons. For this type of events, a filter should be defined that extracts all audit mes-
sages with the audit code ‘F-004001’.
n Replication failures. For this type of events a filter should be defined that extracts all audit messages with
the audit code ‘F-003001’ or ‘F-003002’.

IDENTIKEY Appliance 3.18 – Product Guide 144

 14. System Monitoring, Notifications, and OS Traps

Generally, when SNMP notifications are defined, a VASCO-AXSGUARD-IDENTIFIER-MIB::vdsIaAuditNotification trap

is sent. The MIB-file contains the information about the notification and the variables in the MIB file . Refer to
VASCO-AXSGUARD-IDENTIFIER-MIB for more information. You can download this file in IDENTIKEY Appliance under
Settings > SNMP.

IDENTIKEY Appliance 3.18 – Product Guide 145

 15. IDENTIKEY Appliance Administration Web Interface: User Dashboard

15. IDENTIKEY Appliance Administration Web Interface: User

Dashboard
The User Dashboard of the IDENTIKEY Authentication Server Administration Web Interface allows you to easily man-
age, monitor, and troubleshoot DIGIPASS user accounts, with the Dashboard tab providing an overview of the most
important user settings in one place. The information shown in this tab includes general user settings, a list of
recent users and DIGIPASS activities, used clients, and assigned DIGIPASS authenticator for a selected user. To edit
these settings or view full details, switch to the corresponding tabs in the Administration Web Interface. For more
information, refer to 15.1. Working with the User Dashboard.

In addition, the User Dashboard facilitates user-specific report creation and provides easy access to audit mes-
sages for a single user or DIGIPASS activity record. For more information, refer to 15.1.7. Generating Reports via
the Dashboard Tab, 15.3. Generating Reports via the Reports Tab, and 15.2. View Audit Message Page.

15.1. Working with the User Dashboard

The Dashboard tab of the User Properties page in the Administration Web Interface provides an overview of the
most important settings for the selected user such as user information, assigned DIGIPASS, used clients, and
recent activity.

15.1.1. Account Overview

This section lists information about the user account:

n Last authentication
n Account status
n Expires
n Static password
n Administration privileges

To view all user account settings or to change settings, switch to the User Account tab of the User Properties page.

15.1.2. Policy Overrides

This section lists the policy override settings for the user:

n Local authentication
n Back-end authentication
n Offline authentication
n Max Days Between Authentications
n Virtual DIGIPASS
n Virtual signature

IDENTIKEY Appliance 3.18 – Product Guide 146

 15. IDENTIKEY Appliance Administration Web Interface: User Dashboard

To change the policy override settings, switch to the Policy Overrides tab of the User Properties page.

15.1.3. User Info

This section contains general user information:

n User name
n Phone
n Mobile
n Email address
n Description

To view all user info settings or to change settings, switch to the User Account tab of the User Properties page.

15.1.4. Assigned DIGIPASS

This section contains information about the five last used DIGIPASS assigned to the selected user, and includes the
following:

n Serial number
n DIGIPASS type
n Status
n Active applications
n Virtual Mobile Authenticator (VDP)

For a complete list of assigned DIGIPASS, switch to the Assigned DIGIPASS tab of the User Properties page.

15.1.5. Recent Activity

This section shows the most recent activity records for the user.

To view all recent activity records, switch to the Recent Activity tab of the User Properties page.

15.1.6. Used Clients

This section lists the five last client components used by the selected user, and includes the following:

Table 10: Dashboard Used Clients - Displayed Fields

Field Contents
Time The time at which the last activity for the relevant used client was recorded.

IDENTIKEY Appliance 3.18 – Product Guide 147

 15. IDENTIKEY Appliance Administration Web Interface: User Dashboard

Table 10: Dashboard Used Clients - Displayed Fields (continued)

Field Contents

Client Type States which type the used client is.

Click the client identifier to go to the Client Properties page for this client.
Policy ID The policy related to the used client.

Click the policy ID to go to the Policy Properties page for this policy.

To view all recently used clients, switch to the Recent Activity tab of the User Properties page.

15.1.7. Generating Reports via the Dashboard Tab

The QUICK REPORT button in the User Dashboard of the selected user allows an administrator to quickly generate
a user-specific report. By default, IDENTIKEY Authentication Server generates a Detailed Activity Summary report.

For more information about generating reports via the User Dashboard, refer to the IDENTIKEY Appliance Admin-
istrator Guide, Section "User Dashboard".

For more information about generating user-specific reports via the Reports tab in the User Properties page, refer
to 15.3. Generating Reports via the Reports Tab.

15.1.8. Recent User Activities

Recent user activities include results from various user operations and IDENTIKEY Authentication Server events:

n Authentication
n Authenticating a user
n EMV-CAP Authentication
n Authenticating using EMV-CAP
n Signature Validation
n Authenticating a signature
n Generating a virtual signature
n Provisioning
n Registering
n Activating
n Assigning
n Registering using DIGIPASS Software Advanced Provisioning Protocol (DSAPP)
n Activating using DIGIPASS Software Advanced Provisioning Protocol (DSAPP)
n Getting activation data using DIGIPASS Software Advanced Provisioning Protocol (DSAPP)
n Registering using Multi-Device Licensing (MDL)
n Adding a device using Multi-Device Licensing (MDL)
n Activating using Multi-Device Licensing (MDL)
n Administration
n Assigning a DIGIPASS authenticator
n Moving a user

IDENTIKEY Appliance 3.18 – Product Guide 148

 15. IDENTIKEY Appliance Administration Web Interface: User Dashboard

n Unassigning a DIGIPASS authenticator

n Disabling a user
n Enabling a user
n Unlocking a user
n Enabling offline authentication
n Disabling offline authentication
n Resetting the last authentication time
n Setting user expiration
n Updating a user
n Linking a user
n Setting a password
n Resetting a password
n Setting user permissions
n Creating user attributes
n Deleting user attributes
n Deleting offline data
n Events
n No DIGIPASS authenticator was found for Auto-Assignment.
n A user account has been locked.

When a client application is configured to use auto- unlock and the user account becomes
locked,the audit information also displays the date and time when the end user can authenticate
again to auto-unlock their user account.

The number of recent user activity records displayed can be restricted by time and number. This means that activ-
ity records older than a certain time threshold are excluded from the result. Furthermore, only a total number of
records are returned. The limits are configured in the global server configuration. This means that they apply to all
IDENTIKEY Authentication Server instances within a replicated environment.

15.1.9. Recent DIGIPASS Activities

Recent DIGIPASS activities include results from various DIGIPASS operations and IDENTIKEY Authentication Server
events:

n Authentication
n Authenticating a user
n EMV-CAP Authentication
n Authenticating using EMV-CAP
n Signature Validation
n Authenticating a signature
n Generating a virtual signature
n Provisioning
n Registering
n Activating
n Assigning
n Registering using DIGIPASS Software Advanced Provisioning Protocol (DSAPP)
n Activating using DIGIPASS Software Advanced Provisioning Protocol (DSAPP)

IDENTIKEY Appliance 3.18 – Product Guide 149

 15. IDENTIKEY Appliance Administration Web Interface: User Dashboard

n Getting activation data using DIGIPASS Software Advanced Provisioning Protocol (DSAPP)
n Registering using Multi-Device Licensing (MDL)
n Adding a device using Multi-Device Licensing (MDL)
n Activating using Multi-Device Licensing (MDL)
n Administration
n Assigning a DIGIPASS authenticator
n Moving a DIGIPASS authenticator
n Unassigning a DIGIPASS authenticator
n Resetting a PIN
n Forcing a PIN change
n Resetting a DIGIPASS Application
n Activating a DIGIPASS Application
n Deleting a DIGIPASS Application
n Resetting activation data
n Enabling a Server PIN
n Disabling a Server PIN
n Setting a DIGIPASS expiration
n Unbinding a device
n Updating a DIGIPASS authenticator (e.g. changing expiration, grace period, ...)
n Binding a device
n Deactivating a DIGIPASS Application
n Unlocking a DIGIPASS Application
n Testing an application
n Setting an event counter
n Events
n A Virtual Mobile Authenticator delivery failed.
n The quota of remaining uses for a Backup Virtual Mobile Authenticator has been spent.

The number of recent DIGIPASS activity records displayed can be restricted by time and number. This means that
activity records older than a certain time threshold are excluded from the result. Furthermore, only a total number
of records are returned. The limits are configured in the global server configuration. This means that they apply to
all IDENTIKEY Authentication Server instances within a replicated environment.

15.2. View Audit Message Page

The View Audit Message page displays the details of a single audit message for the user or DIGIPASS recent activity
on a single page and provides access to all relevant audit message fields. To view this page, the administrator
must have the View Audit Information administration privilege; if this applies, they can access the View Audit Mes-
sage page by selecting the relevant audit message code displayed in the Recent Activity page.

The number of audit records for recent user or DIGIPASS activities displayed can be restricted by time and number.
This means that audit records older than a certain time threshold are excluded from the result. Furthermore, only a
total number of records are returned. The limits are configured in the global server configuration. This means that
they apply to all IDENTIKEY Authentication Server instances within a replicated environment.

IDENTIKEY Appliance 3.18 – Product Guide 150

 15. IDENTIKEY Appliance Administration Web Interface: User Dashboard

15.3. Generating Reports via the Reports Tab

The Reports tab of the User Properties page provides a list of reports that can be run via this tab. That list is a sub-
set of the global list of reports in IDENTIKEY Authentication Server, where the currently viewed user is automatically
preselected in the run-time query definition. For a complete list of reports that are by default available in this tab,
refer to the IDENTIKEY Appliance Administrator Reference, Section "Reporting".

This subset can be retrieved from the global report set by filtering the reports according to different sets of defin-
ition criteria (see Table 11: Report Definition Criteria).

Table 11: Report Definition Criteria

Group Level Possible Report Type Data Source
User
DIGIPASS n List Analysis
n Detailed Analysis
n Distribution Analysis
Organizational Unit Users + audit
Organizational Unit n List Analysis DIGIPASS + audit

Using these criteria to create a customized report allows you to also include this report in the results list.

IDENTIKEY Appliance 3.18 – Product Guide 151

 16. Updating

16. Updating
OneSpan is constantly improving its products to solve problems or to address new needs. These improvements are
distributed to the IDENTIKEY Appliance through the updating process. Updating is included in IDENTIKEY Appliance
maintenance contracts.

Updating is managed through the IDENTIKEY Appliance Configuration Tool (see Section 9.3. Configuration Tool).

For more information about the updating procedure, refer to the IDENTIKEY Appliance Installation and Maintenance
Guide.

16.1. Updating Process

Updating is supported via an Update Wizard in the IDENTIKEY Appliance Configuration Tool.

Updates can be acquired:

n Offline using an update file. For more information, refer to www.vasco.com.

n Online using the VASCO Customer Portal. Available updates can be downloaded using the Update Wizard.

When completing an update using the Update Wizard (either online or offline), the IDENTIKEY Appliance restarts
automatically. During restart, services are temporarily unavailable. After restart you need to log on to the Con-
figuration Tool, where you can verify the update state on the Status page.

A fail-over system reverts the IDENTIKEY Appliance to the previous operational version if any error occurs during
updating, e.g. power failure.

If you encounter problems with IDENTIKEY Appliance after upgrading to a new version, you can revert the
IDENTIKEY Appliance operating system to the previous version.

For more information, refer to the IDENTIKEY Appliance Installation and Maintenance Guide.

16.2. Updating Infrastructure

The VASCO Customer Portal server handles licensing, updating, and remote support for the IDENTIKEY Appliance.

Online updating requires a connection secured using HTTPS between the IDENTIKEY Appliance and the
VASCO Customer Portal (see Section 2.14. VASCO Customer Portal).

Packages for offline updates can be downloaded from the VASCO Customer Portal: https://cp.onespan.com/

IDENTIKEY Appliance 3.18 – Product Guide 152

 17. Backup and Restore

17. Backup and Restore

Backup and restore means that administrators can keep reserve appliances and upload configuration settings,
which have previously been backed up to their network, onto a new appliance. Backup and restore is managed
through the IDENTIKEY Appliance Configuration Tool (see Section 9.3. Configuration Tool).

For more information about backup and restore, refer to the IDENTIKEY Appliance Installation and Maintenance
Guide.

Note
When copying, migrating, or backing up encrypted database files, ensure that the encryption key (and/or the
optional password key) is also backed up. Otherwise, you will not be able to read the data, as it will be encryp-
ted.

17.1. Backup

17.1.1. Backup Contents

Backups include all configurations of the Administration Web Interface and the Configuration Tool and all database
information, such as DIGIPASS run-time information.

Backups do not include audit and logging data. However, audit data can be backed up or exported (see Section
20.3. Exporting Auditing Information). Backup is possible using a replication setup, in which case audit data is rep-
licated to another IDENTIKEY Appliance (see Chapter 26. Replication).

For more information about configuring backups, refer to the IDENTIKEY Appliance Installation and Maintenance
Guide.

17.1.2. Backup Methods

Backup is configured in the Configuration Tool and can run:

n Manually
n Automatically (backup pushed from the IDENTIKEY Appliance)
n Scripted (backup pulled from another server)

Manual Backup
The Configuration Tool allows a backup to be created at any time via an update command.

IDENTIKEY Appliance 3.18 – Product Guide 153

 17. Backup and Restore

Automatic Backup
With automatic backups you can push a backup to a server using either the Secure File Transfer Protocol
(SFTP) or the File Transfer Protocol (FTP) protocol. SFTP authentication can use a static password or public-
key authentication. Public-key authentication allows connection to a remote server without sending a pass-
word over the Internet. Two keys are used: a private key which is stored securely on the IDENTIKEY Appliance
and cannot be downloaded. The public key is stored on the server to which access is required, usually by the
system administrator when the account is set up.

Automatic backups can be scheduled to run at certain times, for example, daily (e.g. each day at 01:30),
weekly (e.g. each Thursday at 01:30), monthly (e.g. each first of the month at 01:30), or annually (e.g. each
January 1, at 01:30).

Scripted Backup
You can write your own backup script or tool to request a backup from the IDENTIKEY Appliance. Static pass-
word authentication is used. The IP addresses of the network servers permitted to request a backup must be
configured in the IDENTIKEY Appliance Configuration Tool.

17.2. Backup Encryption

All backups (manual, automatic, and scripted) are encrypted by default. A custom encryption passphrase can be
configured; in this case, the passphrase needs to be entered to upload a backup.

17.3. Backup Restore

The restore function in the Configuration Tool allows you to upload configuration settings and data, which have
been backed up from the same or another appliance, to the IDENTIKEY Appliance internal database.

The file to be restored is first verified as a valid restore file. The IDENTIKEY Appliance needs to be restarted before
the restore is completed. When the file has been restored you can verify the restore state on the Status page.

If you restore a backup to the same appliance, e.g. to repair a configuration error or loss of data, the settings and
data overwrite those currently in the appliance. In this case, re-licensing is not necessary.

If you restore a backup to another appliance, you will get a warning message that the license was issued for a dif-
ferent appliance and will only be operational for a grace period of 30 days. In this case, a new license must be
acquired (see Chapter 11. Licensing).

Warning
The appliance to which a backup is restored should run the same product version as the appliance from which
the backup was made. Upgrade paths for all features may not be supported when restoring a backup to a more
recent version. If in doubt, contact your IDENTIKEY Appliance supplier, who will contact the appropriate OneSpan

IDENTIKEY Appliance 3.18 – Product Guide 154

 17. Backup and Restore

expert, if necessary.

IDENTIKEY Appliance 3.18 – Product Guide 155

 18. RAID

18. RAID
Note
The information in this section does not apply to IDENTIKEY Virtual Appliance!

The RAID option (for IDENTIKEY Appliance AG-7XXX models only) provides redundancy between two (hot swap-
pable) disks, supporting full services even when a disk fails or is being replaced. The two disks are continuously
synchronized (also known as RAID mirroring). If one disk fails, all information is still present on the other one.

The two disks are housed in two out of three available slots. The RAID is configured using a wizard, available via
the IDENTIKEY Appliance Configuration Tool whenever an action is required.

Note
Redundancy with the RAID configuration is at disk level. Replication at all levels is also possible between two
appliances and supports redundancy (see Chapter 26. Replication).

18.1. RAID Maintenance

RAID can be configured using a wizard. The Configuration Tool automatically provides a respective link with a
status message when an action is required.

The following actions are possible:

n Insert. A new disk needs to be physically inserted into an available slot in the IDENTIKEY Appliance AG-
7XXX. (Note that inserting is not the same as adding the disk to the RAID configuration for syn-
chronization).
n Add. A new disk already inserted into a slot in the IDENTIKEY Appliance AG-7XXX will be added by the
IDENTIKEY Appliance to the RAID configuration for synchronization.
n Replace. The synchronization of a disk to the RAID configuration will be stopped by the IDENTIKEY Appli-
ance. The disk needs to be physically removed from the respective slot in the IDENTIKEY Appliance AG-
7XXX and a new disk needs to be physically inserted. Afterwards, the wizard will offer to add the new disk
to the RAID configuration for synchronization.
n Re-add. This option is only offered for a disk which is physically present and recognized as having been
previously synced, but which is not currently added for synchronization and therefore considered as faulty.
A present disk which is not synchronized might have been physically removed and reinserted while the sys-
tem was running to mimic hardware failure and test fail-over. Re-add can then be used to add the disk to
the RAID configuration for synchronization again.

For more information, refer to the IDENTIKEY Appliance Installation and Maintenance Guide.

IDENTIKEY Appliance 3.18 – Product Guide 156

 19. System Logging

19. System Logging

Three sources of information are generated on IDENTIKEY Appliance:

Auditing
Auditing uses information generated about events in the IDENTIKEY Authentication Server , LDAP Synchronization
and Configuration Tool components as well as system and user actions. Auditing can be managed via the
IDENTIKEY Appliance Configuration Tool using the live audit viewer (see Chapter 9. Administration). It happens in
real-time, allowing administrators to view a limited number of recent events and includes amongst others, inform-
ation about administration events, authentication attempts and RADIUS accounting. For example, an event might
be: User successfully authenticated.

Note
Auditing information also includes RADIUS accounting data.

Tracing
IDENTIKEY Appliance trace files contain debugging and troubleshooting information. The content can help
OneSpan support engineers and experienced end-customers to troubleshoot specific issues.

For more information about configuring and using trace files, refer to the IDENTIKEY Appliance Administrator Guide.

Logging
Logging uses information generated about events in the IDENTIKEY Appliance Configuration Tool (see Section
2.6.2. What is the IDENTIKEY Appliance?) and includes information about operations such as updating, backup
and restore. For example, a log entry might be: Backup was created successfully.
Logging is based on the syslog utility which supports local and remote storage and processing of logs. Settings
can be configured in the Configuration Tool manually or using the Configuration Wizard (see Chapter 10.
Installation Configuration).

IDENTIKEY Appliance 3.18 – Product Guide 157

 19. System Logging

19.1. Logging Infrastructure

Image 49: Data Transmission from the Syslog Utitilty to the Live Log Viewer and Remote Syslog

Each component of the Configuration Tool on the IDENTIKEY Appliance sends information to syslog, i.e. a standard
log message system on a Linux server that can forward log messages in an IP network. The syslog utility handles
the information, which can be stored locally or remotely. Both is possible at the same time. Local logging is always
active and cannot be disabled. Syslog data is made available in the live log viewer. Remote syslog can be activ-
ated and requires configuration.

The syslog audit levels are configured with the IDENTIKEY Appliance Configuration Tool (see Section 19.4. Log
Levels).

19.2. Managing Log Files

A live log viewer in the IDENTIKEY Appliance Configuration Tool allows monitoring of Configuration Tool events.
Live log views can be filtered using log levels and / or words (see Image 50: Live Log Viewer).

Logged events are accumulated on the disk in files of up to 80,000 lines. Then a new log file is created. Log files
are rotated to limit the disk space used. The number of files kept before deleting the oldest file can be configured.

IDENTIKEY Appliance 3.18 – Product Guide 158

 19. System Logging

For more information, refer to the IDENTIKEY Appliance Administrator Guide.

Image 50: Live Log Viewer

19.3. Remote Syslog

Remote syslog must be activated in the IDENTIKEY Appliance Configuration Tool and requires configuration of:

n The IP address of the remote syslog server to send data to

n The syslog level of information to send

A syslog-compliant application can then use the data for log viewing.

19.4. Log Levels

The log system can be configured to generate log information at different levels.

Table 12: Log Levels

Type Description
Critical A system-critical warning that services may not be running (see Section 37. Support Procedure).
Error An error occurred that requires action, although services may still be running.
Warning Not an error, but an error may occur if no action is taken.

IDENTIKEY Appliance 3.18 – Product Guide 159

 19. System Logging

Table 12: Log Levels (continued)

Type Description

Notice Events that are unusual, but not errors. No immediate action required.
Informational Normal operational messages, may be collected for reporting or other purposes. No action required.
Debug Information useful to debug error conditions. Not useful during productive operation.

IDENTIKEY Appliance 3.18 – Product Guide 160

 20. Auditing

20. Auditing
Three sources of information are generated on IDENTIKEY Appliance:

Auditing
Auditing uses information generated about events in the IDENTIKEY Authentication Server , LDAP Synchronization
and Configuration Tool components as well as system and user actions. Auditing can be managed via the
IDENTIKEY Appliance Configuration Tool using the live audit viewer (see Chapter 9. Administration). It happens in
real-time, allowing administrators to view a limited number of recent events and includes amongst others, inform-
ation about administration events, authentication attempts and RADIUS accounting. For example, an event might
be: User successfully authenticated.

Note
Auditing information also includes RADIUS accounting data.

Tracing
IDENTIKEY Appliance trace files contain debugging and troubleshooting information. The content can help
OneSpan support engineers and experienced end-customers to troubleshoot specific issues.

For more information about configuring and using trace files, refer to the IDENTIKEY Appliance Administrator Guide.

Logging
Logging uses information generated about events in the IDENTIKEY Appliance Configuration Tool (see Section
2.6.2. What is the IDENTIKEY Appliance?) and includes information about operations such as updating, backup
and restore. For example, a log entry might be: Backup was created successfully.
Logging is based on the syslog utility which supports local and remote storage and processing of logs. Settings
can be configured in the Configuration Tool manually or using the Configuration Wizard (see Chapter 10.
Installation Configuration).

20.1. Audit Settings

To configure the settings for auditing IDENTIKEY Authentication Server, navigate to Authentication Server > Audit
Settings in the IDENTIKEY Appliance Configuration Tool.

Via the IDENTIKEY Authentication Server audit settings, you can:

n Specify which message type is sent to the syslog

n Enable the Remote Audit Viewer and its associated settings
n Enable SSL connections for the Audit Viewer, select the level of the used SSL cipher suite, download a
server certificate and set a password for the certificate
n Configure the verification Certificate Authority certificate file for the SSL client certificate and associated
settings.

IDENTIKEY Appliance 3.18 – Product Guide 161

 20. Auditing

For more information on the audit settings and a detailed description of each setting, refer to the IDENTIKEY Appli-
ance Administrator Guide and the IDENTIKEY Appliance Administrator Reference.

20.2. Managing Audit Files

Individual audit records can be viewed in the live audit viewer (see Image 51: Live Audit Viewer), filtered, and
exported (see Section 20.3. Exporting Auditing Information) in the IDENTIKEY Appliance Configuration Tool.

Events generated by the IDENTIKEY Authentication Server component for auditing are stored in the internal data-
base and moved to an audit database on a monthly basis or until a maximum audit data size of 500 MB is reached.
When this limit is exceeded, new audit data is stored in a new database part.

Parts of the database can be downloaded and deleted via the IDENTIKEY Appliance Configuration Tool. Down-
loading is the same as the exporting, but uses a format compatible with IDENTIKEY Authentication Server (see Sec-
tion 20.3. Exporting Auditing Information) ).

For more informationc on auditing, refer to the IDENTIKEY Appliance Product Guide.

Image 51: Live Audit Viewer

20.2.1. Audit Message Types

IDENTIKEY Appliance logs the following types of audit messages:

Table 13: Audit Message Types

Type Description
Error The message contains details about a system, configuration, licensing or some internal error. Errors do not include
normal processing events such as failed logins.
Warning Warning messages contain details about potential problems within the system. This could include details such as a
failed connection attempt to a database
Information Informational messages provide details about events within the system that need to be recorded but do not indic-
ate errors or potential errors.
Success Success messages contain details about processing events that were correctly processed. This may include suc-
cessful authentications or successful administration commands.

IDENTIKEY Appliance 3.18 – Product Guide 162

 20. Auditing

Table 13: Audit Message Types (continued)

Type Description
Failure Failure messages contain details about processing events that failed. This may include rejected authentications, or
administration actions that failed.
RADIUS RADIUS accounting message.

For a list of audit messages, refer to the IDENTIKEY Appliance Administrator Reference.

20.3. Exporting Auditing Information

Exporting auditing information is useful if:

n One reporting system is used for all servers on a network.

n Auditing information needs to be kept for a long time.

You can use filters to define which data should be exported.

Export data can be formatted:

n Compatible with IDENTIKEY Authentication Server. This allows the exported data to be imported to an
IDENTIKEY Authentication Server instance acting as dedicated reporting server in a setup with multiple
IDENTIKEY Authentication Server and/or IDENTIKEY Appliance instances.
n As comma-separated values (.csv). This format is commonly used and allows to import the data by other
auditing systems.

Note
The export file created with the .csv option uses tabulators as separator character, not a comma (although it is
still called comma-separated values).

20.4. Secure Auditing

An option is available to enable Secure Auditing during the installation of IDENTIKEY Appliance.

Secure Auditing provides the following:

Integrity protection
With Secure Auditing, IDENTIKEY Appliance uses a non-viewable encrypted signature added to each line of an
audit file, or each row of an audit data store. This prevents any operator from making untraceable manual
changes to the audit file.

Independent verification
Each audit file or data store can be verified using the Secure Auditing Verification Tool.

IDENTIKEY Appliance 3.18 – Product Guide 163

 20. Auditing

Non-repudiation
Secure Auditing verifies audit data by comparing each signed line or row of audit data with the previous and
subsequent entries in the audit data.

Secure Auditing can also work with a Hardware Security Module (HSM) (see 8.2. Licensing and Configuration).

20.4.1. How Secure Auditing Works

Secure Auditing adds a cryptographic signature to each audit message written to the output. The cryptographic sig-
nature relates each message entry to the previous and subsequent entries. External auditors can cryptographically
verify each signature and verify that no lines have been manually deleted or added from the audit information; the
relationship between the entries is verifiable using the Secure Auditing Verification Tool.

Each audit message entry belongs to an epoch, which is a period delimited either by time or by number of audit
messages. At the end of each epoch the encryption key is changed. A message is written to the audit file to indic-
ate that an epoch has ended, and another message is written to indicate that a new epoch has begun. The length
of processing for each epoch is defined during initial configuration. A new epoch always begins at midnight. A mes-
sage is written to the output to indicate the beginning and end of an epoch. Each epoch message contains inform-
ation required by the Secure Auditing Verification Tool to decrypt the signatures for that epoch. This information is
located at the start of each epoch message.

IDENTIKEY Appliance 3.18 – Product Guide 164

 21. Tracing

21. Tracing
Three sources of information are generated on IDENTIKEY Appliance:

Auditing
Auditing uses information generated about events in the IDENTIKEY Authentication Server , LDAP Synchronization
and Configuration Tool components as well as system and user actions. Auditing can be managed via the
IDENTIKEY Appliance Configuration Tool using the live audit viewer (see Chapter 9. Administration). It happens in
real-time, allowing administrators to view a limited number of recent events and includes amongst others, inform-
ation about administration events, authentication attempts and RADIUS accounting. For example, an event might
be: User successfully authenticated.

Note
Auditing information also includes RADIUS accounting data.

Tracing
IDENTIKEY Appliance trace files contain debugging and troubleshooting information. The content can help
OneSpan support engineers and experienced end-customers to troubleshoot specific issues.

For more information about configuring and using trace files, refer to the IDENTIKEY Appliance Administrator Guide.

Logging
Logging uses information generated about events in the IDENTIKEY Appliance Configuration Tool (see Section
2.6.2. What is the IDENTIKEY Appliance?) and includes information about operations such as updating, backup
and restore. For example, a log entry might be: Backup was created successfully.
Logging is based on the syslog utility which supports local and remote storage and processing of logs. Settings
can be configured in the Configuration Tool manually or using the Configuration Wizard (see Chapter 10.
Installation Configuration).

21.1. Types of Trace Files

IDENTIKEY Appliance creates three types of trace files:

n Message Delivery Component trace files (see Chapter 23. Message Delivery Component)
n IDENTIKEY Authentication Server trace files. These files record actions performed in the Administration
Web Interface and services such as authentication, electronic signatures, and provisioning.
n LDAP Synchronization trace files (see Chapter 25. LDAP User Synchronization).

21.2. Trace File Options

Trace files can be accessed in the Configuration Tool.

IDENTIKEY Appliance 3.18 – Product Guide 165

 21. Tracing

Tracing can be set to various tracing levels:

n None
n Basic
n Full
n Debug (Only to be used when specifically requested by OneSpan Customer Support)

Message Delivery Component trace files and IDENTIKEY Authentication Server trace files can be configured for
trace file rotation. After a specified amount of time (number of days) or if the trace file exceeds a specified size
limit, the trace file is copied to another (optionally compressed) archive file and a new trace file is created. The
number of files kept before deleting the oldest file can be configured.

21.3. Managing Trace Files

Trace files can be viewed, downloaded, and deleted in the Configuration Tool.

Downloading trace files is useful if a OneSpan support engineer needs to troubleshoot a problem, but cannot use
the remote support function. In this case, the system administrator needs to activate tracing in the Configuration
Tool, download the trace file and forward it to support (see Section 24.2. Remote Support).

For more information, refer to the IDENTIKEY Appliance Administrator Guide.

IDENTIKEY Appliance 3.18 – Product Guide 166

 22. Statistics

22. Statistics
Statistics present information in visual charts and graphs about the system usage over time. This information is
available via the IDENTIKEY Appliance Configuration Tool (see Section 9.3. Configuration Tool).

22.1. System Information Available

Statistics are available on the IDENTIKEY Appliance, the services, the disk, memory and interfaces.

For example:

n Processes and threads

n Disk usage
n CPU time
n Interface

22.2. Statistics Filtering

It is also possible to filter specific information from some of the statistics data.

IDENTIKEY Appliance 3.18 – Product Guide 167

 23. Message Delivery Component

23. Message Delivery Component

The Message Delivery Component (MDC) is necessary to support Virtual Mobile Authenticator authentication (see
Section 2.4.2.4. Virtual Mobile Authenticator).

MDC interfaces with an SMS, email, voice, or Push Notification gateway to send a one-time password (OTP) or
other message to a user’s phone or email address. MDC acts as a service, accepting messages from the
IDENTIKEY Appliance, which are then forwarded to an SMS, email, voice, or Push Notification gateway.

IDENTIKEY Appliance also supports exporting and importing gateway definition settings to and from XML.

Procedure 5: Virtual Mobile Authenticator Process Using IDENTIKEY Appliance MDC

1. User accesses remote application and requests Virtual Mobile Authenticator login.
2. Remote application server forwards the authentication request.
3. IDENTIKEY Appliance checks whether the user is allowed to use a Virtual Mobile Authenticator.
4. Message Delivery Component of IDENTIKEY Appliance sends an OTP to the SMS or email gateway.
5. Gateway server forwards the OTP as a text message to the user's mobile phone or as an email.
6. User enters the OTP from the message or e-mail into the remote application.

Warning
If your organization is impacted by the General Data Protection Regulation (GDPR), note that if the Email Delivery
option is selected, ensure that the gateway server is configured to use SSL and TLS encryption.

For more information on GDPR, refer to the IDENTIKEY Appliance General Data Protection Regulation Compliance
Guide.

IDENTIKEY Appliance 3.18 – Product Guide 168

 23. Message Delivery Component

Image 52: Virtual Mobile Authenticator Process Using IDENTIKEY Appliance MDC

IDENTIKEY Appliance trace files contain debugging and troubleshooting information. The content can help
OneSpan support engineers and experienced end-customers to troubleshoot specific issues. An MDC-specific trace
file can be accessed in the IDENTIKEY Appliance Configuration Tool (see Chapter 21. Tracing).

Since every gateway uses different submission parameters, certain settings are required, which can be configured
through the IDENTIKEY Appliance Configuration Tool. For more information, refer to the IDENTIKEY Appliance Admin-
istrator Guide.

IDENTIKEY Appliance 3.18 – Product Guide 169

 24. Remote Support

24. Remote Support

24.1. Support Procedure

OneSpan's support procedure is described in section 37. Support Procedure.

Remote support and access to your IDENTIKEY Appliance are achieved through the VASCO Customer Portal (see
Section 2.14. VASCO Customer Portal).

24.2. Remote Support

If necessary, OneSpan experts can access the IDENTIKEY Appliance remotely to solve any problems. Remote sup-
port requires a connection between the VASCO Customer Portal and the IDENTIKEY Appliance (see Section 2.14.
VASCO Customer Portal). System administrators can activate this connection through the Configuration Tool.

Connection to the VASCO Customer Portal is not possible, however, until a support certificate has been uploaded
to the IDENTIKEY Appliance. This certificate is available for use after successful licensing (see Chapter 11. Licens-
ing) of the IDENTIKEY Appliance and is activated via the VASCO Customer Portal.

For more information about how to download and activate the support certificate and how to connect to the
VASCO Customer Portal, refer to the IDENTIKEY Appliance Installation and Maintenance Guide.

IDENTIKEY Appliance 3.18 – Product Guide 170

 25. LDAP User Synchronization

25. LDAP User Synchronization

LDAP user synchronization is the process of synchronizing records from an LDAP Server, not the process of authen-
ticating with an LDAP back-end server.

Replication is the process of replicating data between separate instances of IDENTIKEY Appliance (see 26. Rep-
lication).

LDAP user synchronization can be configured in the Configuration Tool and supports automatic creation and updat-
ing of user accounts on the IDENTIKEY Appliance from records stored on an LDAP server. Other methods of creating
user accounts using the Administration Web Interface include creating user accounts manually, importing user
accounts, and Dynamic User Registration (see 27. DIGIPASS User Accounts).

LDAP user synchronization is not server-specific and must be configured particularly for different LDAP servers, e.g.
for Microsoft Active Directory 2008 or for NetIQ eDirectory. For more information, refer to the IDENTIKEY Appliance
Administrator Guide.

25.1. LDAP Synchronization Profiles

To set up a synchronization requires:

n configuration of the general synchronization settings

n creating a filter to retrieve the source user accounts to be synchronized
n mapping of (source) LDAP user account attributes to the appropriate (destination) IDENTIKEY Appliance
user account properties.

These configurations define the Synchronization Profile in the Configuration Tool.

LDAP synchronization profiles define:

n where the source LDAP server is located

n which user accounts from the source need to be synchronized (filtering)
n whether existing user accounts on the IDENTIKEY Appliance can be updated with data from the source
LDAP server (using the Update Users option)
n the destination for the new or updated user accounts on the IDENTIKEY Appliance
n the frequency of synchronizations
n how to map LDAP server user account attributes to IDENTIKEY Appliance properties. (Please note that user
account settings are called source attributes on the LDAP server and destination properties in the
IDENTIKEY Appliance.)

For a full listing and explanations of the fields for LDAP synchronization profiles, please refer to the IDENTIKEY Appli-
ance Administrator Guide, Section Configuration Tool: Field Listings.

Example mappings of LDAP server user account attributes to IDENTIKEY Appliance user account properties are lis-
ted in the IDENTIKEY Appliance Administrator Guide.

IDENTIKEY Appliance 3.18 – Product Guide 171

 25. LDAP User Synchronization

Note
For most LDAP servers, the LDAP user password attribute cannot be mapped to an IDENTIKEY Appliance user
account password, due to security settings on the LDAP server.

Once the appropriate settings and mappings have been configured, synchronization is automatic. LDAP syn-
chronization of user accounts is from the LDAP server (source) towards the IDENTIKEY Appliance (destination), and
is not bidirectional.

25.2. Identifying Synchronized Users

The Distinguished Name attribute is used to track the source status of a user account, i.e. whether the user
account was created through a synchronization or by another method. User accounts created or updated by a syn-
chronization profile have the Distinguished Name attribute (from the LDAP user account) added to their IDENTIKEY
Appliance user account. The specific IDENTIKEY Appliance user account properties, which are updated or created
by the synchronization, depend on the Attribute Mapping entries in the synchronization profile.

The User Attributes tab in the IDENTIKEY Appliance (see Image 53: User Attributes in Administration Web Interface)
identifies user accounts which have been synchronized from an LDAP server. For more information about user
attributes, see Section 27.3. User Attributes.

Example
In the example shown in the image below, the user account 'axsguard' has been synchronized.

Image 53: User Attributes in Administration Web Interface

IDENTIKEY Appliance 3.18 – Product Guide 172

 25. LDAP User Synchronization

25.3. Creating and Updating User Accounts

Synchronization involves searching in the LDAP server for user accounts which match the filter definitions and are
located at the search base defined in the synchronization profile. User accounts and the attributes listed for map-
ping in the profile are retrieved from the LDAP server. For retrieved user accounts, the synchronization process may
identify one of the following possibilities on the IDENTIKEY Appliance (see Image 54: LDAP Synchronization to
Create or Update an IDENTIKEY Appliance User Account):

1. The user account exists on the IDENTIKEY Appliance in the destination domain and organizational unit:
n With the Distinguished Name attribute. In this case the user account is updated.

n Without the Distinguished Name attribute. In this case, synchronization behavior depends on the syn-
chronization profile Update Users setting. The following settings are possible:
n None: existing users are not updated during synchronization; the status of the Distinguished
Name attribute also remains unchanged.
n All: all existing users are updated during synchronization, if necessary; the Distinguished Name
attribute is created for all users who so far did not have this attribute.
n Created by LDAP Synchronization only: only user records previously created by
LDAP synchronization are updated; the Distinguished Name attribute is not created, because dur-
ing LDAP synchronization only users who already have this attribute are handled.
n Not created by LDAP Synchronization: only user records that were not created previously by LDAP
synchronization are updated; the Distinguished Name attribute is created for all users who so far
did not have this attribute.

2. The user account exists on the IDENTIKEY Appliance in the destination domain but in a different organ-
izational unit:
n With the Distinguished Name attribute. In this case the user account is moved and the properties
are updated.
n Without the Distinguished Name attribute. In this case, no account is created and an error is
logged. User accounts must be unique within a domain in the IDENTIKEY Appliance (see Chapter
35. Organization).
3. The user account does not exist on the IDENTIKEY Appliance. In this case the user account is created and
the value for the Distinguished Name attribute added.

IDENTIKEY Appliance 3.18 – Product Guide 173

 25. LDAP User Synchronization

Image 54: LDAP Synchronization to Create or Update an IDENTIKEY Appliance User Account

Note
1. Missing LDAP attributes and LDAP attributes with empty values initiate different synchronization behaviors. If a
mapped attribute is missing on the LDAP server, the IDENTIKEY Appliance property is not updated (i.e. the exist-
ing value remains). If a mapped attribute is present on the LDAP server with an empty value, the IDENTIKEY Appli-
ance property is updated with the empty value, (i.e. any existing value is overwritten).

2. If an IDENTIKEY Appliance user account has a Distinguished Name attribute, any manual changes made by the
administrator to properties which are mapped to LDAP attributes in the profile are overwritten during syn-
chronization.

IDENTIKEY Appliance 3.18 – Product Guide 174

 25. LDAP User Synchronization

25.4. Deleting User Accounts

An activated synchronization profile deletes a user account on the IDENTIKEY Appliance if it has the Distinguished
Name attribute, but the corresponding user account cannot be found on the LDAP server. This may occur under the
following circumstances:

n the user account has been removed from the LDAP server
n the user account on the LDAP server has been moved from the search base defined in the profile
n the user account on the LDAP server has been changed and no longer matches the profile's filter
n synchronization profile settings have been changed, e.g. the search base or filter entries.

25.5. Synchronization Frequency

Synchronization frequency can be configured up to 24 times per day and happens at 14 minutes past the hour (at
intervals depending on the frequency setting). The IDENTIKEY Appliancealso checks at five- minute intervals
whether any synchronization profiles have been changed and, if so, initiates a synchronization immediately.

25.6. LDAP Synchronization Access Rights

The minimal rights for a BIND DN user account should permit reading all user information in the configured search
base.

25.7. Multiple Synchronization Profiles

Multiple synchronization profiles can be configured. This has three purposes:

1. To manage synchronizations from multiple LDAP Servers to different domains on a single IDENTIKEY Appli-
ance.
2. To filter user accounts on more than one value of a particular LDAP server attribute, e.g. to synchronize
user accounts for which the email address attribute matches both able.be or skynet.be endings. Entering
both these specifications for a filter match in a single synchronization profile would only retrieve accounts
which had both values for the email address attribute. Retrieving accounts which have one or the other
value therefore requires two profiles.
3. To help manage source and destination organizational hierarchies (see next section).

With multiple synchronization profiles, synchronizations are completed in series, i.e. not simultaneously, and are
grouped according to their LDAP server and Bind DN to optimize re-use of connections and authentications.

If a server cannot be contacted, further synchronizations from the same server are skipped until the next sched-
uled synchronization.

IDENTIKEY Appliance 3.18 – Product Guide 175

 25. LDAP User Synchronization

More than one synchronization profile can be applied to a particular user account record, although this is not recom-
mended, because it may cause user account properties on the IDENTIKEY Appliance to alternate between different
values synchronized from the different profiles.

25.8. Managing Source and Destination Hierarchies

LDAP Synchronization of user accounts can either synchronize user accounts to a flat name space as specified, or
mirror the organizational unit structure on the source LDAP server.

If configured not to mirror the source structure,user accounts from the search base in the LDAP server hierarchy are
synchronized to a single destination address in the IDENTIKEY Appliance hierarchy as defined in the syn-
chronization profile. The synchronization profile can be configured to either synchronize all user accounts at and
below the search base (Profile 1 in the examples below), or only user accounts at the level of the search base (Pro-
file 2 in the examples below).

If the synchronization profile is configured to mirror the source structure and create missing organizational units,
synchronization creates an organizational structure on the destination IDENTIKEY Appliance to match the structure
on the LDAP server. If the LDAP structure differs from the existing IDENTIKEY Appliance structure, missing organ-
izational units which have users in them on the source server are created on the IDENTIKEY Appliance(Profile 3 in
the examples below). If the Create missing OU's option is not configured, organizational units not already existing
on the IDENTIKEY Appliance are not created, so that these parts of the hierarchy will be missing (Profile 4 in the
examples below).

Options which define the structure and synchronization in the IDENTIKEY Appliance are explained in the table
below.

Table 14: Options for defining synchronization structures

Option Description
Search Base The Search Base settings in a synchronization profile can be used to restrict synchronization to part of the LDAP
structure; they define the starting point for searches in the LDAP server.
Destination The Destination field defines the domain and optionally the organizational unit on the IDENTIKEY Appliance
where the user accounts will be created or updated. The Destination field therefore defines the root of the rep-
licated organizational structure.
Mirror OU Structure, Create These options define whether the synchronization matches the source LDAP structure.
Missing OUs, Include
LDAP Children, Return Refer to the IDENTIKEY Appliance Administrator Guide for a detailed description of these options.
DIGIPASS to Parent OU on
Move/Delete
Update Users The Update Users option defines whether existing user accounts on the IDENTIKEY Appliance are updated dur-
ing the synchronization. Refer to Section 25.3. Creating and Updating User Accounts and the IDENTIKEY Appli-
ance Administrator Reference for more details on the available sub-options .

User accounts can be synchronized to different destination domains and/or organizational units in the IDENTIKEY
Appliance through separate definitions of synchronization profiles using the above options as shown in the
examples below.

IDENTIKEY Appliance 3.18 – Product Guide 176

 25. LDAP User Synchronization

Example
Synchronization Profiles 1 and 2 in the image below are both configured to synchronize from the LDAP server
search base 'Domain A, Organizational Unit A1', to the IDENTIKEY Appliance destination address 'Domain A,
Organizational Unit A1'.

With Profile 1, the option to synchronize all user accounts at and below the search base is configured. Users 1 to
9 are synchronized to the single destination address in the IDENTIKEY Appliance hierarchy. No sub-organizational
units are created below the organizational unit A1 at the destination.

With Profile 2, the option to synchronize only user accounts at the level of the search base is configured. Users 1
to 3 are synchronized to the single destination address at in the IDENTIKEY Appliance. Users 4 to 9 are not syn-
chronized and no sub-organizational units are created below the organizational unit A1 at the destination.

Synchronization Profiles 3 and 4 in the image below are both configured to synchronize from the LDAP server
search base 'Domain A, Organizational Unit: DIGIPASS users', to the IDENTIKEY Appliance destination address
'Domain B, Organizational Unit: DIGIPASS users'.

With Profile 3, the options to synchronize all user accounts at and below the search base, to mirror the organ-
izational unit structure and create missing organizational units are selected. The structure of the LDAP server is
replicated in the IDENTIKEY Appliance.

With Profile 4, the options to synchronize all user accounts at and below the search base and to mirror the organ-
izational unit structure are selected. The structure of the LDAP server is replicated in the IDENTIKEY Appliance,
but the sub-organizational units A1 and A2 are not created because the option to create missing organizational
units has not been selected.

IDENTIKEY Appliance 3.18 – Product Guide 177

 25. LDAP User Synchronization

Image 55: Synchronization Including LDAP Children

Image 56: Synchronization to Mirror LDAP Server Structure

Note
Parent and child organizational unit naming

Although parent and child organizational units in an LDAP hierarchy can have the same names, this is not pos-
sible in the IDENTIKEY Appliance. User synchronization will fail, therefore, if the LDAP structure includes the same
names for parent and child organizational units.

25.9. Tracing and Audit Information

There are two sources of information recorded for LDAP user synchronization:

n Audit files for general information. An audit file is created when a service is started, containing basic
information such as the start and end time of the synchronization, records found in the source LDAP
server, records created or updated in the destination IDENTIKEY Appliance and any error messages or
warnings. For more information about audit files, refer to Chapter 20. Auditing).
n Trace files for troubleshooting. Trace files contain detailed debugging or troubleshooting information. The
content may be cryptic, but helps OneSpan support engineers and experienced end-customers to
troubleshoot specific issues. A trace file specifically for LDAP user synchronization can be accessed in the
Configuration Tool. For more information about trace files, refer to Chapter 21. Tracing.

IDENTIKEY Appliance 3.18 – Product Guide 178

 26. Replication

26. Replication
Two instances of IDENTIKEY Appliance can be configured to synchronize data changes between each other. This
process is called replication, and can be set up using the Replication Wizard. The replication process ensures that
each database is up-to-date with the latest modified data changes.

This chapter intends to provide information on which data is replicated, common replication configurations, the
Replication Wizard, the replication process, and how it is monitored.

For information on the Replication Wizard and configuring replication, refer to the IDENTIKEY Appliance Admin-
istrator Guide.

For more information on the fields available for configuring replication, refer to the IDENTIKEY Appliance Admin-
istrator Reference.

26.1. What Is Replicated?

Data which are replicated between appliances in a replication setup include:

n Administration Web Interface settings.

n Audit information (optional; see Chapter 20. Auditing).

Note
Audit records are copied, but changes are not synchronized. For example, deleting audit records on one system
does not delete the records on another system.

Data which are not replicated between appliances in a replication setup include:

n Logging. However, the remote syslog function allows consolidation and/or backup of logging information
(see Chapter 19. System Logging).
n Configuration Tool settings. This allows the activation of different services (e.g. authentication, signature
and/or provisioning) on IDENTIKEY Appliances within a replication setup. However, this also means that
some settings, such as enabling LDAP Active Directory back-end authentication, need to be configured
manually on each replication peer.

26.2. Common Replications

26.2.1. Primary and Backup IDENTIKEY Appliance

The most common, and most basic, replication setup is used when a company has two IDENTIKEY Appliances,
allowing a redundant setup in case of hardware failure. Following initial synchronization, all services are identical
on both IDENTIKEY Appliances with modified data replicated in both directions.

IDENTIKEY Appliance 3.18 – Product Guide 179

 26. Replication

Image 57: Replication Between Primary and Backup IDENTIKEY Appliance

26.2.2. Primary, Backup and Disaster Recovers IDENTIKEY Appliances

This scenario is often used when a company requires an off-site disaster recovery IDENTIKEY Appliance and data-
base.

IDENTIKEY Appliance 3.18 – Product Guide 180

 26. Replication

Image 58: Replication Between Primary, Backup, and Disaster Recovery IDENTIKEY Appliance

26.3. Replication Wizard

Replication is configured using a wizard in the IDENTIKEY Appliance Configuration Tool. IP addresses of the source
and target IDENTIKEY Appliances need to be specified in both: all further configuration is automated with the target
becoming a replication of the source IDENTIKEY Appliance. Following synchronization, all services are identical on
both IDENTIKEY Appliances with modified data replicated in both directions.

Note
Auditing data are copied, they are not replicated. For more information on audit log copying, refer to the
IDENTIKEY Appliance Administrator Guide.

The host name specified in the Configuration Tool during the first-time Configuration Wizard or manually (see
Chapter 10. Installation Configuration) is used to identify the correct IDENTIKEY Appliance in the replication setup.
This host name is used:

n for selecting the correct IDENTIKEY Appliance to log on to using the Administration Web Interface
n as an identifier in the logging to determine the source of the log line (see Chapter 19. System Logging).

The procedure of how to complete the Replication Wizard is explained in the IDENTIKEY Appliance Administrator
Guide.

Note
1. Only the authentication setup can be replicated. Audit logs can be copied between two systems in a rep-
lication setup.
2. Replication between different major versions of IDENTIKEY Appliance is not possible.

IDENTIKEY Appliance 3.18 – Product Guide 181

 26. Replication

3. During most upgrades, replication links that are present on the instance of IDENTIKEY Appliance are
removed.

26.4. Replication and Firewalls

Replication and replication setup between two or more appliances is performed using three separate TCP con-
nections:

n copying audit data

n replicating configuration and runtime data
n one-time replication setup using the Configuration Wizard

These connections need to be permitted if replicating appliances are separated by a company firewall.

For more information about the ports used by IDENTIKEY Appliance, refer to the IDENTIKEY Appliance Administrator
Reference.

26.5. Replication Process

Replication consists of two separate processes: it involves writing a data update to the replication queue (creating
a replication entry) and sending a replication entry to another IDENTIKEY Appliance.

IDENTIKEY Appliance 3.18 – Product Guide 182

 26. Replication

Image 59: Writing to Replication Queue

n Writing to the replication queue: the process which writes to the replication queue is run before any data
changes are committed to the database. If the data change cannot be written to the replication queue –
usually because the replication queue file has exceeded the maximum size allowed – the data change will
not be committed to the database.

IDENTIKEY Appliance 3.18 – Product Guide 183

 26. Replication

Image 60: Sending Replication Queue Entry

26.5.1. Forwarding Replication Entries

Replication forwarding is required and activated automatically where more than two IDENTIKEY Appliance
instances are replicating. The ID of the source IDENTIKEY Appliance and the target IDENTIKEY Appliance(s) to which
the source is sending the information are added to the replication entry. This allows the receiving IDENTIKEY Appli-
ance to check which other IDENTIKEY Appliance the replication entry has already been sent. It will forward the
entry only to those IDENTIKEY Appliance instances not listed.

26.5.2. Multiple changes to a Single Data Record

The replication method used by the IDENTIKEY Appliance involves replication of entire records, for example all set-
tings of a specific DIGIPASS user account, rather than an individual user account setting, such as a password. This

IDENTIKEY Appliance 3.18 – Product Guide 184

 26. Replication

means that data clashes can occur when a single record is updated at the same time from different sources. If this
occurs, the later change is written to the database and earlier changes are ignored.

26.5.3. Connection Handling

26.6. Replication Monitoring

26.6.0.1. Replication Auditing

Replication audit messages – viewable in the live audit viewer of the Configuration Tool (see Chapter 20. Audit-
ing) – are recorded when:

26.7. Replication Status

The replication status, viewable in the System tab in the Administration Web Interface (see Image 61:
'System' Tab in the Administration Web Interface), shows the current status of replication for an IDENTIKEY Appli-
ance and the number of entries currently in the replication queue (see Image 62: Replication Status Screen in the
Administration Web Interface).

Image 61: 'System' Tab in the Administration Web Interface

IDENTIKEY Appliance 3.18 – Product Guide 185

 26. Replication

Image 62: Replication Status Screen in the Administration Web Interface

IDENTIKEY Appliance 3.18 – Product Guide 186

 27. DIGIPASS User Accounts

27. DIGIPASS User Accounts

All users requiring authentication by IDENTIKEY Appliance must have user records registered in IDENTIKEY Appli-
ance in order to:

n Assign DIGIPASS authenticators to users

n Store user-specific parameters
n Store user attributes
n Assign privileges
n Overrule policy settings at user level

User accounts can be created, managed, and searched for using the Administration Web Interface (see 9.4. Admin-
istration Web Interface).

27.1. Creating DIGIPASS User Accounts

A DIGIPASS user account can be created using the Administration Web Interface in the following ways:

n Importing users from a file, single records or in bulk. For more information, refer to the Administration Web
Interface Help, "How To Import Users".
n Manually creating user records using Create User in the Administration Web Interface. For more inform-
ation, refer to the Administration Web Interface Help, "How To Create a User".
n Dynamically during authentication processing (if Dynamic User Registration is enabled).
n Via LDAP synchronization. User information on IDENTIKEY Appliance can be synchronized with external
LDAP databases by using the LDAP Synchronization Tool. For more information, refer to the LDAP Syn-
chronization Tool Guide.
n By synchronizing with LDAP servers (see 25. LDAP User Synchronization).

Warning
If your organization is impacted by the General Data Protection Regulation (GDPR), note that LDAP Syn-
chronization Tool is used to synchronize user information from any LDAP data store with any IDENTIKEY
Authentication Server data store. To be GDPR-compliant, the following requirements must be met:

n Secure version of LDAP (LDAPS) is used.

For more information on GDPR, refer to the IDENTIKEY ApplianceGeneral Data Protection Regulation Com-
pliance Guide.

27.1.1. Creating Users Manually

Users can be created manually by the system administrator. The following records need to be defined to create a
user:

n user ID, domain and optionally an organizational unit (see 35. Organization)
n static password (optional)

IDENTIKEY Appliance 3.18 – Product Guide 187

 27. DIGIPASS User Accounts

n local and back-end authentication settings

n whether the account is enabled and/or locked

Further management possibilities with user accounts are listed below. For more information about the user prop-
erty fields, refer to the IDENTIKEY Appliance Administrator Reference.

27.1.2. Importing User Records

Multiple user accounts can be imported into the IDENTIKEY Appliance in a comma separated values (.csv) text file
through the User/Import screen of the Administration Web Interface.

For more information about structuring comma separated values within a text file, refer to the IDENTIKEY Appliance
Administrator Reference, Section "Importing users using Comma Separated Value Files".

27.1.3. Creating a DIGIPASS User Account Using Dynamic User Registration (DUR)

When IDENTIKEY Appliance receives an authentication request for a user without a DIGIPASS user account, it can
check the credentials with the back-end server (e.g. RADIUS). If back-end authentication is successful, IDENTIKEY
Appliance can create a DIGIPASS user account automatically for the user. This process is called Dynamic User Regis-
tration (DUR) and can be enabled via policy. For more information about Dynamic User Registration, see 3.5.4.
Dynamic User Registration.

Dynamic User Registration (DUR)

Dynamic User Registration (DUR) allows to create a DIGIPASS user account automatically when the user cre-
dentials are validated using back-end authentication. The correct static password is sufficient to permit a
DIGIPASS user account to be created.

DUR is commonly used together with Auto-Assignment; with this combination, new accounts are immediately
assigned to a DIGIPASS. For more information about Auto-Assignment, see 28.3.2. Auto-Assignment.

DUR user information synchronization

DUR user information synchronization allows IDENTIKEY Appliance to retrieve user information when a
DIGIPASS user account is created using DUR with an LDAP back-end server, by synchronizing the data from
the LDAP back-end server to the respective DIGIPASS user account data fields. The user information that can
be retrieved includes the user display name and contact data, such as the mobile phone number and the
email address. The LDAP attributes used to query the respective user information are configurable.

By default, DUR user information synchronization is disabled. To enable and configure it, you need to change
the applicable policy accordingly.

IDENTIKEY Appliance 3.18 – Product Guide 188

 27. DIGIPASS User Accounts

27.1.4. Creating a DIGIPASS User Account Using LDAP User Synchronization

LDAP user synchronization supports automatic creation and updating of user accounts on the IDENTIKEY Appliance
from records stored on one or more LDAP servers. Synchronization needs to be configured in the Configuration
Tool, by defining a synchronization profile for your specific LDAP server(s).

For more information, see 25. LDAP User Synchronization.

27.2. User Account Settings

User Account settings which can be managed through the Administration Web Interface include:

n the user ID, the domain and possibly organizational unit they belong to, are defined on creation; users can
also be moved from one organizational unit to another, but cannot be moved between domains (see Sec-
tion 35.3. Moving DIGIPASS User Accounts and DIGIPASS)
n the account status can be enabled, disabled, locked or deleted
n a static password can be enabled and set (see Section 27.5. DIGIPASS User Account Static Password)
n whether policy settings for local or back-end authentication may be overruled for a user can be specified
n DIGIPASS records can be assigned to or unassigned from a user
n parameters, such as a user's mobile phone number for using a Virtual Mobile Authenticator, can be stored
n user and RADIUS attributes, which may need returning to applications when requested, can be stored (see
Section 27.3. User Attributes)
n privileges can be assigned to a user, e.g. for administration (see Section 27.7. Administration Privileges )

27.3. User Attributes

User attributes are used by the IDENTIKEY Appliance for:

n identifying that a user account's static password has been randomized (see Section 6.5. Password Ran-
domization)
n storing attributes which may need to be returned to applications when requested
n storing RADIUS attributes (see Section 27.3.1. RADIUS Attribute Settings)
n identifying that a user account has been created and is updated through LDAP user synchronization (see
Section 25.2. Identifying Synchronized Users)

RADIUS and custom user attributes can be configured and modified in the Administration Web Interface , as
explained in the following sections.

IDENTIKEY Appliance 3.18 – Product Guide 189

 27. DIGIPASS User Accounts

27.3.1. RADIUS Attribute Settings

RADIUS reply attributes can be returned with an Access-Accept when handling authentication requests from
a RADIUS Client. The attributes may include authentication parameters or authorization settings.

Image 63: RADIUS Attributes Overview

Acceptable RADIUS attribute names for use with IDENTIKEY Appliance can be uploaded via the Configuration Tool.
For more information, refer to the IDENTIKEY Appliance Administrator Guide.

Attribute Group
For RADIUS attributes, one or more attribute groups are specified in the policy used for the specific client.

Usage
Not currently in use for RADIUS attributes.

Value
The required value of the RADIUS attribute.

27.3.2. Custom User Attribute Settings

Custom attributes can be used with OneSpan Plug-Ins and DIGIPASS Authentication Modules.

IDENTIKEY Appliance 3.18 – Product Guide 190

 27. DIGIPASS User Accounts

Image 64: Custom User Attributes Overview

Attribute Group
An attribute group is specified by the client component as a parameter in the authentication request. When
multiple client components are using custom user attributes, the specified attribute group ensures that only
attributes required by the specific client are returned.

Name
A name for the attribute as expected by the client component.

Usage
n Basic indicates that the attribute is for use by DIGIPASS Authentication for IIS Basic for Basic
Authentication.
n Return indicates an SBR return attribute
n Check indicates an SBR check attribute

Value
The required value of the named attribute.

27.4. Searching for User Accounts

The Administration Web Interface allows you to search for user account records in a number of ways:

n You can search directly by entering the user ID

n You can search for a user who holds a DIGIPASS device by searching for theDIGIPASS and double clicking
on the user on theDIGIPASS details screen
n You can enter the first few characters of the user ID, followed by a wild card (*). A list of results is presen-
ted, from which you can select the user you require.

27.5. DIGIPASS User Account Static Password

The DIGIPASS user account has one static password field which can be used in different ways:

IDENTIKEY Appliance 3.18 – Product Guide 191

 27. DIGIPASS User Accounts

n local static password verification for users who do not have a DIGIPASS device (see Section 3.6.3.
Authentication without DIGIPASS) or if the local authentication mode in the relevant policy is set to
DIGIPASS or Password (see Section 3.6. Local Authentication)
n during Challenge/Response authentication, as request method (see Section 3.6.2.9. Request Method and
Keyword)
n when using Virtual Mobile Authenticator as request method (see Section 3.6.2.9. Request Method and Key-
word)
n for password replacement and auto-learn (see Section 3.7. Back-End Authentication)
n for back-end authentication, e.g. for retrieval of RADIUS attributes (see Section 3.7. Back-End Authentic-
ation)
n for static password authentication during the grace period (see Section 3.5. Looking Up and Checking the
DIGIPASS User Account) or if the local authentication mode in the relevant policy is set to DIGIPASS or Pass-
word (see Section 3.6. Local Authentication)

There are four mechanisms to set and update static passwords:

n by the administrator in the Administration Web Interface

n by the user using Password Autolearn (see Section3.7.3. Password Autolearn)
n via Password Synchronization Manager: the password is automatically updated when modified in a
Microsoft domain environment (see Section 2.12. Static Password Management)
n via password randomization: the static password is replaced with a random value unknown to the user,
preventing further use of the static password on the network after successful OTP and back-end authen-
tication (see Section 6.5. Password Randomization)

27.6. Password Strength

27.6.1. What Are Password Strength Rules?

You can customize password strength rules to enhance password security. These rules control the required format-
ting of passwords. Password strength rules are configurable in the policy associated with the IDENTIKEY Authentic-
ation Server component. The password strength rules can be configured via the User tab in the Administration Web
Interface policy administration page. Different password complexity rules can be applied for administrators and
users.

n Administrators. IDENTIKEY Authentication Server supports password complexity rules through the server
policy. There is a client component entry per server in the database, which has a policy assigned. The
effective policy values for password complexity rules are applied for administrator users.
n Users. When applying password complexity rules to users (i.e. no administrative privileges assigned), only
the values defined in the base policy of the server policy are applied, instead of the effective settings.

By default, password complexity rules are only defined in the base policy, i.e. a default installation of IDENTIKEY
Authentication Server will have to be adapted accordingly.

Note
The user password strength rules for administrative programs or clients that will connect to IDENTIKEY

IDENTIKEY Appliance 3.18 – Product Guide 192

 27. DIGIPASS User Accounts

Authentication Server are defined in the server policy. Password policies only apply to static passwords when
they need to be created or updated. They do not apply to the passwords used by the following:

n First administrator
n SSL certificates
n Security configuration for the initial SNMPv3 user

For these the default password rules apply.

The variables that can be configured are:

n Minimum password length

n Minimum number of lower case characters
n Minimum number of upper case characters
n Minimum number of numeric characters
n Minimum number of symbols
n Password different from the number of passwords previously used
n Specify the number of passwords that must be used before you can reuse a password
n No inclusion of part of the user ID
n Whether or not the user ID (or parts thereof) may be used in the password

Note
IDENTIKEY Authentication Server supports Unicode in passwords, however support of characters can be
limited by the back-end server, should one have been configured to be used in the respective context.

27.6.2. Password Strength Rules Enforcement

Password strength rules are ALWAYS enforced in the following circumstances:

n During the first installation of an ODBC system.

n If a user is created or updated, or if a password is set using the Administration Web Interface or the Tcl
Command-Line Administration tool.

The default password strength rules will be applied to the first administrator password. The default password
strength rules are:

n At least 7 characters long

n Contains at least 1 lowercase character
n Contains at least 1 uppercase character
n Contains at least 1 numeric character

Password strength rules are NOT enforced for users in Active Directory installations.

Password strength rules are NOT enforced in the following circumstances:

n For users in Active Directory installations

n Where back-end authentication is used (password rules for the back end are used in this case)

IDENTIKEY Appliance 3.18 – Product Guide 193

 27. DIGIPASS User Accounts

n When using the Dynamic User Registration facility

For back-end authentication with ODBC, the password policy of both IDENTIKEY Appliance and back end should be
identical. If there are multiple back ends with each one having different password policies, the IDENTIKEY Appli-
ance should be either less strict or just as strict as the least strict password policy among all the back ends.

27.6.3. Static Password Expiration (Local Password)

Another factor contributing to password strength is the expiration of the static password as this ensures that end
users change their static password at adequate intervals. In IDENTIKEY Authentication Server the end user's local
static password continuously expires at the interval that has been specified, and if the local authentication mode
DIGIPASS or Password has been selected in the effective policy. For more information about this authentication
mode, see 3.6. Local Authentication.

Note that this type of password expiration applies to the static password locally stored in IDENTIKEY Authentication
Server. If you change the local static password, it is not synchronized with the static password in a possible back-
end system. That means that if you are using back-end authentication, the local static password and the back-end
password will be different, for example, after changing the local password via the Administration Web Interface.

Note
You should not use local static password expiration when using back-end authentication, but rely on the back-
end system to enforce password expiration (see 27.6.4. Static Password Expiration (Back-End Password)).

If Days to Notify before Expiration has been set in the effective policy, the user will receive a notification in
IDENTIKEY Authentication Server and/or OneSpan User Websites that the static password is about to expire with
the exact expiration date indicated.

Web Administration Service allows users to set their passwords when they are notified and have the respective
administrative privileges (Set User Password).

27.6.4. Static Password Expiration (Back-End Password)

Usually you can configure your back-end passwords to expire to force users to change their back-end passwords
regularly. This is preferred to using local password expiration (see 27.6.3. Static Password Expiration (Local Pass-
word)).

If you configure your static back-end passwords to expire after a certain time, you can allow users who log on to
the Administration Web Interface to change their password right from the login page. This means that whenever a
user attempts to log on to the Administration Web Interface and the back-end password has expired or has been
set to be changed at next logon, the user is automatically redirected to a change password page.

In order to set a new back-end password, the user needs to authenticate first using either the current back-end
password or a one-time password (OTP) generated by an authenticator assigned to the user. In the former case,
the user is automatically logged on after successfully setting a new back-end password; in the latter case, the
user is redirected to the login page again.

IDENTIKEY Appliance 3.18 – Product Guide 194

 27. DIGIPASS User Accounts

Changing expired back-end passwords at the login page requires the following:

n The authentication scenario must be enabled.

n The effective policy must have back-end authentication set to Always.

n If you have enabled Stored Password Proxy in the policy to use the stored password for back-end authen-
tication, you must enable Password Autolearn as well. Otherwise, the stored password and the effective
back-end password will differ after changing an expired back-end password and logon will no longer
work.

27.7. Administration Privileges

Only DIGIPASS user accounts with administrative permissions can use the Administration Web Interface to con-
figure the IDENTIKEY Appliance. Administrative privileges are assigned to DIGIPASS user accounts and therefore a
DIGIPASS user account is needed for each administrator. For more information about the default administrative
accounts, refer to Section 9.1. Default Administrative Users. For more information about creating more secure
administrative accounts using DIGIPASS OTP authentication, refer to Section 9.2. Creating a New System Admin-
istrator. Creation of more secure administrative accounts requires the assignment of privileges, as explained here.

Administrative permissions may be assigned based on:

n Type of permission (e.g. Read, Create)

n Type of object (e.g. DIGIPASS, policy)

The domain and organizational unit in which the administrator account is located will determine their range of
administration access:

n If the account belongs to an organizational unit, the administrator will be able to administer user accounts
and DIGIPASS records belonging to that organizational unit.
n If the account does not belong to an organizational unit, the administrator will be able to administer all
DIGIPASS records and user accounts in the domain to which they belong.
n If the account belongs to the Master Domain, the administrator may be able to administer all DIGIPASS
records and user accounts in the database. This depends on the Access Data in All Domains privilege,
which is only available to administrators in the Master Domain.

For more information, refer to Section 35.1. Domains and Organizational Units.

Note
Copy Admin Privileges From does not copy the domain scope along with the Administrative Privileges. Domain
scope values must be set per administrator.

IDENTIKEY Appliance 3.18 – Product Guide 195

 27. DIGIPASS User Accounts

27.8. DIGIPASS User Account Auto-Unlock

A DIGIPASS user account can become locked after a specified number of unsuccessful authentication attempts.
Unlocking a locked DIGIPASS user account usually requires assistance from an administrator.

To ease unlock effort and reduce support incidents, you can allow users to unlock a locked DIGIPASS user account
themselves without administrative assistance using user auto-unlock.

27.8.1. Basic Concepts

The user auto-unlock mechanism allows a user to implicitly unlock a locked DIGIPASS user account during regular
authentication or signature validation. It is enabled and configured using policies.

Note
For security reasons user auto-unlock works only, if the DIGIPASS user account has been locked after too many
consecutively failed authentication attempts. A DIGIPASS user account that has been explicitly locked by an
administrator cannot be unlocked by the user auto-unlock mechanism.

When a DIGIPASS user account becomes locked, it remains locked for a specified time span, i.e. the lock duration.
After that time span the user may try to authenticate again. If authentication succeeds the DIGIPASS user account
is unlocked at the same time. If authentication fails the DIGIPASS user account remains locked. The number of
maximum unlock attempts is limited; if no more unlock attempts are left, the DIGIPASS user account remains
locked and can only be unlocked by an administrator.

After each unsuccessful unlock attempt the effective lock duration is increased by a specified multiplier, thus
increasing the time span before the user may try to unlock the DIGIPASS user account again. Note that the effective
lock duration is considered to begin from the last authentication request. Attempting to unlock by authenticating
(even with a valid password or OTP) before the lock duration has elapsed does not count as unlock attempt (and
does not unlock the DIGIPASS user account). However, since it is considered an (unsuccessful) authentication
request, the last authentication request time is updated, meaning that the lock duration begins again.

27.8.2. Configuration

By default, user auto-unlock is disabled. To enable and configure it, you need to change the applicable policy
accordingly. A default policy prepared to support user auto-unlock is included in the set of pre-loaded policies, i.e.
IDENTIKEY Local Authentication with Auto-Unlock . For more information, refer to the IDENTIKEY Authentication
Server Administrator Guide, section "DIGIPASS User Account Locking".

IDENTIKEY Appliance 3.18 – Product Guide 196

 28. DIGIPASS

28. DIGIPASS
A DIGIPASS authenticator is a device providing one-time password and digital signatures to a user, and is used to
enable secure access for a specific person within an organization. For more information, refer to Section 2.4.
DIGIPASS Authenticator Types.

Each DIGIPASS authenticator need to be registered in IDENTIKEY Appliance to support authentication requests
which use a one-time password generated by the DIGIPASS authenticator.

Some DIGIPASS settings are pre-programmed into the devices during manufacture, some are assigned through
policies and others can be assigned specifically to a DIGIPASS authenticator using DIGIPASS records. Both, policies
and DIGIPASS records, are configurable in the Administration Web Interface.

The Administration Web Interface supports DIGIPASS management including:

n Importing DIGIPASS records

n Assigning DIGIPASS records to user accounts
n Searching DIGIPASS records
n Viewing run-time information
n Various DIGIPASS operations

28.1. DIGIPASS Client PIN

A DIGIPASS (client) PIN is a digit-based secret, known by the user, which needs to be entered into the DIGIPASS
device for a one-time password (OTP) to be generated. This implies 2-factor authentication: the person logging in
must be in possession of the DIGIPASS device (something you have) and know the DIGIPASS PIN (something you
know) to generate an OTP.

This option requires a DIGIPASS device with a keypad for the PIN to be entered, and is therefore not possible with
one-button DIGIPASS models. An alternative solution for 2-factor authentication with a one-button DIGIPASS model
is explained in the next section.

PIN change can be offered to users through pre-programmed PIN modification settings (see specific DIGIPASS
model user guides):

n An initial PIN can be set for a DIGIPASS device. This PIN must then be sent to the user of the DIGIPASS, typ-
ically separate from the DIGIPASS delivery.
n First Use PIN Modification requires a PIN change from the user upon the first use of the DIGIPASS device.
n PIN Change allows a user to change their PIN as desired.
n The PIN length can be set for a DIGIPASS device.
n DIGIPASS Lock sets the number of consecutive faulty PIN entries allowed before the DIGIPASS device is
locked.

Note
The DIGIPASS client PIN is not possible with one-button models (i.e. the DIGIPASS GO range models). The Server

IDENTIKEY Appliance 3.18 – Product Guide 197

 28. DIGIPASS

PIN is an alternative solution for two-factor authentication only available with one-button DIGIPASS models. Refer
to Section 3.6.2.1. Server PIN for more information on the server PIN.

Also, each DIGIPASS authenticator may be given a grace period when it is assigned to a DIGIPASS user account. For
more information on this, refer to Section 3.6.2.2. Grace Period.

28.2. Importing DIGIPASS

DIGIPASS records may be imported into IDENTIKEY Appliance via the Administration Web Interface. DIGIPASS can be
imported either individually or in bulk.

The DIGIPASS Import Wizard guides you through the steps of importing DIGIPASS from the .dpx file. You can specify
the applications that will be available with the imported DIGIPASS, and whether the imported DIGIPASS will be set
as Active or Inactive on import. You can also specify if existing DIGIPASS will be updated with the data from the
.dpx import file.

28.3. Assigning DIGIPASS to Users

DIGIPASS may be assigned to users in a number of ways, depending on the requirements of your company. For
example, a company with only a few user accounts may use Manual Assignment. A larger company needing to dis-
tribute large numbers of DIGIPASS may find it easier to simply distribute the DIGIPASS and require each user to go
through Self-Assignment.

For both assignment modes, a grace period is typically set, which allows a number of days in which the user may
still log in using only their static password. After the grace period has expired, depending on the Local Authentic-
ation settings in the relevant policy, users can then either continue to use both their static password or their
DIGIPASS authenticator (DIGIPASS or Password), or must only use the authenticator (DIGIPASS/Password during
Grace Period or Digipass Only) to log in. The grace period automatically expires the first time an OTP is used to log
in, i.e. after the OTP has been successfully validated (if it has not been set manually to expire prior to that in the rel-
evant policy). Refer to Sections 3.6. Local Authentication and 3.6.2.2. Grace Period for more information.

Note
DIGIPASS records must be imported into the data store before being assigned to users.

Resetting the Server PIN is also possible during DIGIPASS assignment. When using the DIGIPASS Self-Assignment or
Auto-Assignment feature of IDENTIKEY Appliance, the user can reset their Server PIN. When the Assignment Mode
is set to Self-Assignment-Pin-Reset or Auto-Assignment-Pin-Reset, the user's Server PIN is automatically reset.
This is an optional feature and does not require any administrator action, once the option has been enabled in the
DIGIPASS properties and/or the relevant policy settings have been set accordingly.

IDENTIKEY Appliance 3.18 – Product Guide 198

 28. DIGIPASS

28.3.1. Self-Assignment

Users can assign a DIGIPASS device themselves via Self-Assignment. With this process, the user must log in and
include the serial number, static password, and one-time password. This informs the IDENTIKEY Appliance of the
assignment; provided that the user enters the details correctly, IDENTIKEY Appliance will link the DIGIPASS record
and the user account. A grace period is not used for this method.

Procedure 6: Self-Assignment Process

1. DIGIPASS user account is created manually by an administrator, or automatically by IDENTIKEY Appliance

during Dynamic User Registration.
2. The DIGIPASS is sent to the user.
3. User receives the DIGIPASS.
4. User logs in using:
n DIGIPASS serial number
n Static password
n one-time password
5. IDENTIKEY Appliance recognizes Self-Assignment login.
6. IDENTIKEY Appliance verifies DIGIPASS serial number, static password, and one-time password.
7. IDENTIKEY Appliance assigns the DIGIPASS with the corresponding serial number to the user.

28.3.2. Auto-Assignment

With Dynamic User Registration, IDENTIKEY Appliance performs Auto-Assignment, where IDENTIKEY Appliance will
select a random DIGIPASS authenticator and assign it to the new DIGIPASS user account as it is created. The
DIGIPASS authenticator will then be delivered to the user.

Note
When maker–checker authorization is enabled, assigning a DIGIPASS authenticator requires the approval of a
checker administrator. In that case, Auto-Assignment is not available.

Procedure 7: Auto-Assignment Process

1. DIGIPASS user account is created automatically by IDENTIKEY Appliance during Dynamic User Registration.
2. IDENTIKEY Appliance selects a random available DIGIPASS authenticator to prevent collisions during par-
allel assignment of DIGIPASS authenticators.
3. IDENTIKEY Appliance assigns this DIGIPASS authenticator.
4. IDENTIKEY Appliance sets a grace period.
5. DIGIPASS is sent to the user.
6. User logs in with the static password during the grace period.
7. User receives the DIGIPASS.
8. User logs in with one-time password.
9. Grace period automatically ends.

IDENTIKEY Appliance 3.18 – Product Guide 199

 28. DIGIPASS

28.3.3. Manual Assignment

With Manual Assignment, selected DIGIPASS devices are manually assigned to specific DIGIPASS user accounts.
The DIGIPASS must then be sent to the users.

Procedure 8: Manual Assignment Process

1. DIGIPASS user account is created manually by an Administrator, or automatically by IDENTIKEY Appliance

during Dynamic User Registration.
2. The Administrator assigns a DIGIPASS to the user and sets a grace period.
3. DIGIPASS is sent to the user.
4. User logs in with static password during the grace period.
5. User receives DIGIPASS.
6. User logs in with one-time password.
7. Grace period is automatically ended.

28.4. DIGIPASS Record Functions

A number of functions are available to administer DIGIPASS records. These are typically required for
maintenance; for example, if a user has forgotten their Server PIN, or if a DIGIPASS has been locked.

28.4.1. Reset Application

A DIGIPASS Application may need to be reset if the time difference between the application and the server
needs to be recalculated. This would typically be for time-based Response-Only DIGIPASS after a very long
period of inactivity. The 'reset' widens the allowable time window for the next login, allowing the user to log
in and the IDENTIKEY Appliance to calculate the current time shift.

28.4.2. Set Event Counter

If the event count for an event-based application has become unsynchronized between the DIGIPASS and the
server, this function can be used to set the server event count to the event count on the DIGIPASS.

28.4.3. Enable/Disable Server PIN

An administrator may enable or disable use of a Server PIN with a specific DIGIPASS authenticator, or with mul-
tiple authenticators. If Server PIN is enabled, the user must include their Server PIN when logging in. If Server
PIN is disabled, the user must not include a Server PIN.

IDENTIKEY Appliance 3.18 – Product Guide 200

 28. DIGIPASS

28.4.4. Reset PIN

If a user’s Server PIN needs to be changed – usually because the user has forgotten it – then it can be reset,
and the user can create a new Server PIN when they next log in. This may be done when unassigning or re-
assigning a DIGIPASS.

28.4.5. Force PIN Change

This function can be used when an administrator wants a user to change their Server PIN on their next login.
This may be desirable as a security measure.

28.4.6. Set PIN

A user’s Server PIN can be set to a specific value and communicated to the user.

28.4.7. Unlock DIGIPASS

If a user incorrectly enters their DIGIPASS PIN into their DIGIPASS a predetermined number of times, the
DIGIPASS will become locked. Once locked, the assistance of an administrator will be required to unlock it.
This function allows an administrator to provide the user with an Unlock Code to enter into their
DIGIPASS.

28.4.8. Reset Application Lock Count

If a user has attempted to log in with incorrect details too many times, the DIGIPASS Application used may be
locked, depending on policy settings. This function can be used to reset the record status for the DIGIPASS
Application to the unlocked status. This differs from user locking, as the user may still log in with a different
DIGIPASS.

28.4.9. Test a DIGIPASS Application

Use this function to check that a DIGIPASS Application is working as expected. This works for either one-time
passwords or Electronic Signatures. There is also a function to test the Backup Virtual Mobile Authenticator
functionality.

Use this function to reset the Event Counter, Activation time and Activation Location on a DIGIPASS.

IDENTIKEY Appliance 3.18 – Product Guide 201

 28. DIGIPASS

DIGIPASS Start Time

28.5. DIGIPASS Reports

IDENTIKEY Appliance comes with a wide variety of pre-set reports useful for managing and analyzing DIGIPASS
activity. These reports are available via the Administration Web Interface, and can track the following statistics
(among others):

n Assignment actions per user, organizational unit and domain

n Available DIGIPASS, sorted by type
n DIGIPASS deployment trends
n Breakdown of the number of deployed DIGIPASS per DIGIPASS type, sorted by organizational unit
n List of all DIGIPASS devices, and the last time they were used
n Inactive DIGIPASS (i.e. DIGIPASS that have not been used for more than six months)

For more information about reports, refer to Section 33. Reporting.

28.6. DIGIPASS Programming

This section enumerates the different DIGIPASS settings that can affect common administrative tasks.

28.6.1. Time/Event-Based DIGIPASS Applications

The following table describes the time-based and event-based modes of different DIGIPASS Applications.

Table 15: Time-and event-based modes of DIGIPASS Application

DIGIPASS Application Time-Based Mode Event-Based Mode

Response-Only Changes the displayed OTP based on the current time. Displays a new OTP each time a request for an
The common time step used is 36 seconds: this means OTP is made.
that the OTP to be displayed will change every 36
seconds, whether or not an OTP has been requested
from the DIGIPASS.
Challenge/Response Generate an OTP based on the challenge given and the Generates an OTP based only on the challenge
current time. The common time step used is 9 hours ( given.
'slow challenge'). This would mean that if the exact same
challenge were given to a DIGIPASS within a 9- hour
period, the DIGIPASS Application will generate the same
OTP. However, challenges are very rarely repeated within
such a time period.
Signature Generates a different signature for the same input data at Contains a numeric counter that increases every
different times. time a signature is generated.

IDENTIKEY Appliance 3.18 – Product Guide 202

 28. DIGIPASS

A Signature DIGIPASS Application can also be neither time- nor event-based. Such DIGIPASS Applications will
always produce the same signature for the same input. There is no difference between real-time and deferred
time with such signatures.

28.6.2. OTP Length

This setting refers to the length of the one-time password generated by the DIGIPASS for Response-Only and Chal-
lenge/Response DIGIPASS Application.

Check Digit
A check digit may be added to each OTP. This is generated from the response and allows for faster inval-
idation of incorrect OTPs.

The OTP Length setting does not count the check digit.

28.6.3. Challenge Length

This setting refers to the length of the challenge which should be expected by the DIGIPASS. This is used by the
Challenge/Response DIGIPASS Application.

Check Digit
A check digit may be expected with each challenge. This is generated by the server from the challenge and
allows the DIGIPASS to reject most invalid challenges.

The Challenge Length does not count the check digit.

28.7. DIGIPASS Record Settings

These settings are kept in the record for a DIGIPASS Application, and affect which OTP is expected by the
IDENTIKEY Appliance.

28.7.1. Time/Event-Based DIGIPASS Record Settings

Time Step Used

The time step used by the DIGIPASS Application (see Section28.6.1. Time/Event-Based DIGIPASS Applications
).

IDENTIKEY Appliance 3.18 – Product Guide 203

 28. DIGIPASS

Last Time Shift

Time Shift records any misalignments between the time recorded on the DIGIPASS and the time recorded on
the server each time a user logs in. This ensures that if either clock drifts from the correct time, an allowance
can be made by the IDENTIKEY Appliance; the user will then still be able to log in. If the time drift goes beyond
the allowable time window between user logins, the DIGIPASS record will have to be reset (this allows for
recalculation of the time drift).

Example
Time window may be 5 steps in either direction.

This means that 11 OTPs would be considered valid – the exact OTP for that time, and the OTPs for the 5
time steps either side of the exact time. If the OTP given is for a different time step, the time shift for that
DIGIPASS will be recorded. The next time the user logs in, the expected OTP will be calculated based on that
time shift.

Last Time Used

This records the time when the DIGIPASS Application was last used. If the amount of time lapsed between
authentications is greater than the expected time drift for the DIGIPASS, the time window is widened to allow
a greater number of one-time passwords to be accepted.

Last Event Value

The current number of uses of the DIGIPASS Application, according to the DIGIPASS. This can get out of sync
with the number of uses recorded by the IDENTIKEY Appliance when:

n Login failures occur for other reasons than incorrect OTP

n The DIGIPASS has been used without a login (eg. children have been playing with it)
n The DIGIPASS is being used to log in to two separate systems

The purpose of this setting is similar to that of Last Time Shift setting: it allows IDENTIKEY Appliance to track
any shifts between the event count recorded by itself and the DIGIPASS.

28.7.2. Policy and DIGIPASS Settings

Several settings dictate how a user can use the Backup Virtual Mobile Authenticator feature. These settings are:

n Enable or disable Backup Virtual Mobile Authenticator and enable method (i.e. Required).
n Time limit/expiry (applies to Time Limited enable only)
n Maximum number of times a user may make use of the Backup Virtual Mobile Authenticator.

The above settings may be set both at the policy level and at the DIGIPASS record level. Individual settings override
policy settings for an individual DIGIPASS, but some policy settings (see below) may be used to automatically set
DIGIPASS settings which are blank when the Backup Virtual Mobile Authenticator is first utilized by the user.

IDENTIKEY Appliance 3.18 – Product Guide 204

 28. DIGIPASS

28.7.3. Time Limit and Maximum Users per User

The following table lists Backup Virtual Mobile Authenticator policy settings and DIGIPASS settings relating to time
limits and maximum users:

Table 16: Backup Virtual Mobile Authenticator Policy/ DIGIPASS Settings

Policy Settings DIGIPASS Settings
Time Limit Enabled Until
Max. Uses/User Uses Remaining

If Backup Virtual Mobile Authenticator is enabled for a DIGIPASS and set to Time Limited, and the Enabled Until
field in the DIGIPASS property sheet is blank on their first use of the Backup Virtual Mobile Authenticator, the time
limit will begin counting on the user's first usage of the feature. The expiry date (today’s date + time limit) will
then be displayed in the Enabled Until field.

If a Max. Uses/User is set for the relevant policy and a DIGIPASS record's Uses Remaining field in their user property
sheet is blank on their first use of the Backup Virtual Mobile Authenticator, a number (Max Uses/User) will be auto-
matically entered into the user's Uses Remaining field and immediately decremented by 1.

Note
If a user has Backup Virtual Mobile Authenticator enabled with Enabled Until date set and their Uses Remaining
has been set (automatically or manually), whichever of these expires first will disable Backup Virtual Mobile
Authenticator for the user.

Example
Backup Virtual Mobile Authenticator is enabled for a user as Time Limited, and the server Time Limit setting is 3
days. The Max. Uses/User policy setting is 5. When the user first makes use of the Backup Virtual Mobile
Authenticator, his Enabled Until is set to a date 3 days hence and their Uses Remaining to 4.

During the next 48 hours, the user logs in 4 more times.

Although the user’s time limit does not run out for another 24 hours, their Uses Remaining is now 0, thereby dis-
abling Backup Virtual Mobile Authenticator .

The following is a list of factors to consider when planning to integrate Virtual Mobile Authenticator into an authen-
tication service.

28.8. DIGIPASS Assignment Options

With the introduction of Virtual Mobile Authenticator, there are several different assignment combinations that can
be used. The first option in the table below does not utilize Virtual Mobile Authenticator. The others include a

IDENTIKEY Appliance 3.18 – Product Guide 205

 28. DIGIPASS

Virtual Mobile Authenticator in either a Backup or Primary mode.

Table 17: DIGIPASS Options

Primary Backup Description
DIGIPASS None User must log in using a DIGIPASS.
DIGIPASS Backup Virtual User usually logs in using a DIGIPASS, but may utilize the Backup Virtual Mobile Authenticator
Mobile Authenticator feature where required. Usage of the feature may be limited.
DIGIPASS (tem- Backup Virtual User must log in using the Backup Virtual Mobile Authenticator feature. This might be used
porarily disallowed) Mobile Authenticator while a user’s DIGIPASS is lost, until the DIGIPASS is recovered.
Primary Virtual N/A User is assigned a Virtual Mobile Authenticator and must log in using it.
Mobile Authenticator

28.9. Cost

Your company will probably need to pay an amount for each text message sent. In some countries, mobile phone
owners might need to pay an amount for each text message received on their mobile phone. This will need to be
taken into consideration when deciding how to implement Virtual Mobile Authenticator functionality.

28.10. Security

The level of security provided by hardware DIGIPASS devices is higher than that of Virtual Mobile Authenticator. This
needs to be weighed against other considerations before deciding whether your company will implement Virtual
Mobile Authenticator, and if so, how it will be implemented.

28.11. Convenience

Virtual Mobile Authenticator is more convenient than a hardware DIGIPASS for many users. Virtual Mobile Authentic-
ator uses ordinary mobile phones (of which most users already own); there are no extra devices required. users
who do not habitually carry their mobile phone with them, though, are likely to find a DIGIPASS GO3 or DIGIPASS
GO1 easier to transport.

For users with Backup Virtual Mobile Authenticator enabled, it might be the difference between going to work to
pick up a forgotten DIGIPASS and getting important work done at home.

28.12. Gateway and account

Your company will need the use of an SMS gateway and an account with the gateway. The Message Delivery Com-
ponent will need configuration information for the gateway and the username and password for the account. Your
OneSpan supplier can assist with this process.

IDENTIKEY Appliance 3.18 – Product Guide 206

 28. DIGIPASS

28.13. Limiting Usage of Virtual Mobile Authenticator

Use of Virtual Mobile Authenticator may be limited by:

n Using Backup Virtual Mobile Authenticator only.

n Minimizing the number of users assigned a Primary Virtual Mobile Authenticator.

A user’s Primary Virtual Mobile Authenticator usage cannot be limited.

The Backup Virtual Mobile Authenticator feature may be enabled as an emergency backup for users who have left
their primary DIGIPASS at home, or for other reasons do not have access to their primary DIGIPASS. Use of this fea-
ture can be limited for each DIGIPASS by:

Time period
User access to Backup Virtual Mobile Authenticator can be set during a specific time period. After this period
expires, any Virtual Mobile Authenticator requests from the user will be rejected. If the user is still unable to
use their DIGIPASS, the time period must then be extended by an administrator. Once a user starts using their
DIGIPASS again, the administrator must reset the time period if the user is to be allowed to use Backup Virtual
Mobile Authenticator again.

Number of Uses
Set a maximum number of times a user may request an OTP using the Backup Virtual Mobile Authenticator
feature. When the user has reached this number of uses, any further OTP requests from the user will be rejec-
ted. This must be reset by an administrator if further use of the Backup Virtual Mobile Authenticator is
required for the user.

Global and Individual Backup Virtual Mobile Authenticator settings

Backup Virtual Mobile Authenticator options can be set globally or individually to allow a standard policy for all
DIGIPASS with exceptions made where necessary. Global settings will affect all DIGIPASS whose individual
option is set to Default.

Global options are defined in the policy that controls authentication. As such, using multiple policies provides
you with additional flexibility.

28.14. Backup Virtual Mobile Authenticator Usage Guidelines

The following questions will need to be answered in line with developing Backup Virtual Mobile Authenticator
usage guidelines:

n Will any users have access to Backup Virtual Mobile Authenticator?

n If so, will all users have access to Backup Virtual Mobile Authenticator?

IDENTIKEY Appliance 3.18 – Product Guide 207

 28. DIGIPASS

n Will usage of Backup Virtual Mobile Authenticator be limited? If so, how?

n Time-limited?
n Limited number of uses?
Table 18: Backup Virtual Mobile Authenticator Sample Guidelines
Guideline Pro Con
Backup Virtual Mobile Authenticator disabled for all by default, Low text message Manual enable for each user and circumstance. Poss-
enabled for individual users as required. costs ible heavy administration load.
Backup Virtual Mobile Authenticator enabled for all, either Predictable text Administrator may need to reset limits frequently –
time/number of usage limit set. message costs medium administration load.
Backup Virtual Mobile Authenticator enabled for all - no limits set. Lighter admin- Possible high text message costs.
istration load

28.15. Resetting Virtual Mobile Authenticator

When a user reaches their limit of Virtual Mobile Authenticator use, an administrator must reset that user's limit.

28.16. Virtual Mobile Authenticator Login Options

A decision must be made as to how users will log in using Virtual Mobile Authenticator. In particular, users with a
hardware DIGIPASS and the Backup Virtual Mobile Authenticator enabled must be able to request an OTP to be sent
to their mobile when required, but to login using the hardware DIGIPASS at other times.

The simplest method for the user is to allow a 2-step login process, where the user enters their user ID and pass-
word only, triggering an OTP request, and are redirected to a second login page to enter the OTP sent to them. To
use this method, though, your system must be set up to allow 2-step logins. Check with your system administrator
if unsure.

Alternatives to the 2-step login are a sequence of two 1-step logins or the use of a specific web page to request an
OTP, separate from the login page screen.

For more information, refer to the Login Permutations section of the IDENTIKEY Authentication Server Administrator
Reference.

For information on possible login permutation, see the IDENTIKEY Appliance Administrator Reference.

IDENTIKEY Appliance 3.18 – Product Guide 208

 29. Task Scheduling

29. Task Scheduling

IDENTIKEY Appliance allows you to schedule selected tasks to run at specific times. Certain tasks can be sched-
uled to run either immediately, or on a specified time and date. You can also schedule recurring tasks for running
reports. These can be scheduled to recur on a daily or monthly basis.

The configuration wizards in the Administration Web Interface feature a Schedule Task page. This page allows you
to define this schedule for each task and to set a task schedule as a recurring event.

For each scheduled task, you can set the required time and date; details for scheduled tasks are kept in the data
store. The tasks will run at the scheduled date and time, and audit messages are generated for the relevant start,
end, and result transactions. You can also configure your preferred notification method: IDENTIKEY Appliance can
send you a text message or an e-mail notification when the scheduled task is completed.

The Task Scheduling page in the Administration Web Interface lists all scheduled tasks. To view and edit sched-
uled tasks, you need the View Task administrative privilege.

29.1. How Does Task Scheduling Work?

The following sections provide information about which tasks can be scheduled, the available scheduling func-
tions, scheduling restrictions, and the result notification after the scheduled task is completed.

29.1.1. Tasks that Can Be Scheduled

The following tasks can be scheduled to run at a definable time:

n User import
n Reports
n DIGIPASS.dpx file import (with restrictions)
n Cryptographic key rotations
n Delete audit data

A scheduled, recurring event can be configured on a daily or monthly basis. In addition, you can also schedule a
task to run on:

n specific day/s of every week (e.g. every Monday, Wednesday, and Friday)
n a specific day of selected months (e.g. the 15th day of the months January, April, and July)

29.1.2. Available Functions

The Task Management pages feature the following functions:

n Edit
n Delete

IDENTIKEY Appliance 3.18 – Product Guide 209

 29. Task Scheduling

n Disable
n Enable
n Cancel (running tasks only)

29.1.3. Restrictions

The following restrictions apply to task scheduling:

n The DIGIPASS Import task can only be run immediately and cannot be scheduled for a later date.

29.1.4. Result Notification

When the scheduled task is completed, the results are communicated to the task owner via text message or e-
mail, if desired. The result notification method is configured in the task scheduling pages.

29.2. Managing Scheduled Tasks

The Task Scheduling page in the Administration Web Interface lists all scheduled tasks. To view and edit sched-
uled tasks, you need the View Task administrative privilege.

Procedure 9: Viewing a scheduled task

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface.

2. In the Administration Web Interface, select Servers > Task Management. A list of scheduled tasks is dis-
played.
3. Click on any scheduled task to view or edit details.

Procedure 10: Editing a scheduled task

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface.

2. In the Administration Web Interface, select Servers > Task Management. A list of scheduled tasks is dis-
played.
3. Click on the scheduled task you wish to edit.
4. Click the appropriate button to perform any of the following functions:
n Cancel
n Delete
n Disable
n Enable
n Edit

The Edit button allows you to change the options and schedule of a task. After editing a task, click Save.

IDENTIKEY Appliance 3.18 – Product Guide 210

 29. Task Scheduling

29.3. Task Scheduling Options

Different options are available to run and/or schedule tasks; the availability of these options varies, depending on
the task to be run. The options are:

n Run immediately
n Run in background - scheduled tasks

29.3.1. Run Tasks Immediately

If you select the option Run Immediately, the task is run in the foreground. This option blocks the Administration
Web Interface session until the task is complete.

Note
These tasks are stopped if the VASCO IDENTIKEY Authentication Server service is restarted.

29.3.2. Schedule Tasks

Select the option Run in Background to schedule tasks; this frees the Administration Web Interface session to per-
form other tasks. The following scheduling options are available:

n Scheduled, with specified time and date - the task runs on the scheduled time and date.
n Scheduled, reoccurring - the task is scheduled to recur on a daily or monthly basis.
n Scheduled, no time specified - the task is run immediately, but in the background.

Note
Scheduled tasks are automatically restarted if the VASCO IDENTIKEY Authentication Server service is restarted.

The Schedule Task page in the Administration Web Interface offers the following options for scheduled tasks:

n Notify Me of Completion by: select Email or SMS

n Attach report to notification: only available, if you select Email as notification type. Select this check box to
receive the report with your e-mail notification.
n Select Scheduled: No to run the task immediately in the background.
n Select Scheduled: Yes to run the task in the background as scheduled. To run the task at a scheduled
time, enter the time and date as required in the corresponding fields. If you want to schedule the task to
recur on a daily or monthly basis, select the relevant option from the Recurrence Settings:
n Daily: Select one or more days. These tasks will recur on the selected week day(s) on a weekly
basis.
n Monthly: Select the day of the month for the task to be run.

IDENTIKEY Appliance 3.18 – Product Guide 211

 30. Client Components

30. Client Components

Each application in the network which needs to access IDENTIKEY Appliance services, must be registered on the
IDENTIKEY Appliance as a client component for access to be allowed. Client component registration also specifies
the applicable policy for handling a request.

The Administration Web Interface allows:

n Creating client records

n Managing client records
n Deleting client records
n Assigning permissions for authentication requests from a client to be handled
n Assigning policies to be applied to authentication requests
n Assigning secrets to be shared between RADIUS clients and IDENTIKEY Appliance

This chapter describes the client components necessary for the administration program, the RADIUS client, and the
OneSpan IIS module.

For more information, refer to Chapter 3.1. IDENTIKEY Appliance Authentication Process

30.1. Standard Component Properties

Four properties common to all client components are:

n Application type (explained below)

n Location: the source of the request
n Protocol: communication protocol to use
n Policy: the applicable policy for handling a request

There are seven client application types which interact with IDENTIKEY Appliance:

n RADIUS Authentication
n IIS Authentication
n Administration Program: an administration program client component record is added by default for the
Administration Web Interface. This component record includes a policy to allow connections from this pro-
gram.
n SOAP Authentication
n DIGIPASS Software Provisioning
n Electronic Signature Validation
n DIGIPASS Authentication for Windows Logon

Warning
Modifying the IP address of the IDENTIKEY Appliance in the Configuration Tool results in the creation of a new
administration program client component record. The older records can be erased: however, do not erase the cli-
ent component configured for the current IP address, because this prevents access to the Administration Web
Interface.

IDENTIKEY Appliance 3.18 – Product Guide 212

 30. Client Components

30.2. Client Component Types

30.2.1. SOAP Client Programs

SOAP client programs are not called 'SOAP clients'. The program itself specifies the type as a parameter to each
request. A client component record must exist for this type at the location (IP address) where the application runs.
The policy in the component record will be used for all processing of requests from this client.

30.2.2. Administration Program

Creating a component record for a OneSpan administration program (e.g. Administration Web Interface or Audit
Viewer) allows a policy to be set for connections from that program.

A component record must exist for each Administration Web Interface or any other administration program using
SOAP and SEAL.

30.2.3. IDENTIKEY User Websites

IDENTIKEY User Websites is a pre-defined SOAP-based client component used for OneSpan User Websites clients.
The client component record will be checked whenever the OneSpan User Websites client sends request to
IDENTIKEY Appliance.

One client component record must exist for each OneSpan User Websites client installed at different locations
(IP address). Each client component record requires a valid license key.

30.2.4. RADIUS Client

A RADIUS client component record is required when clients will be sending authentication requests to IDENTIKEY
Appliance using the RADIUS protocol. The IDENTIKEY Appliance will check the component record to find:

n the shared secret to use for communicating with the RADIUS client
n the policy to apply to the authentication request

A default RADIUS client component record is automatically created during installation of IDENTIKEY Appliance. This
can be deleted and specific records created for each location.

Note
The default RADIUS client created during installation will be given a shared secret by default.

IDENTIKEY Appliance 3.18 – Product Guide 213

 30. Client Components

30.2.5. DIGIPASS Authentication Module

A component record is required for any DIGIPASS Authentication Module used with IDENTIKEY Appliance. The com-
ponent record will be checked whenever the DIGIPASS Authentication Module sends an authentication request to
the IDENTIKEY Appliance. The IDENTIKEY Appliance will check:

n that the component record contains a valid license key for a client module
n which policy to apply to the authentication request

The following client types fall into this category:

n Citrix Web Interface (DIGIPASS Authentication for Citrix Web Interface)

n Outlook Web Access (DIGIPASS Authentication for OWA Basic and DIGIPASS Authentication for OWA Forms)
n IIS Module (DIGIPASS Authentication for IIS Basic)
n Windows Remote Desktop Web (DIGIPASS Authentication for Remote Desktop Web Access)
n SBR Plug-In (DIGIPASS Authentication for Steel-Belted RADIUS Server)
n Citrix Storefront (DIGIPASS Authentication for Citrix StoreFront)
n Microsoft ADFS (DIGIPASS Authentication for Microsoft ADFS)
n Epic Hyperspace (DIGIPASS Authentication for Epic Hyperspace)

30.2.6. DIGIPASS Authentication for Windows Logon

There are two pre-defined client components for DIGIPASS Authentication for Windows Logon:

n DIGIPASS Authentication for Windows Logon is a pre-defined SOAP-based client component used for
DIGIPASS Authentication for Windows Logon 2.x. Client component records of this type require a valid cli-
ent component license.

Client component records of this type are required for all client IP addresses used to log on to Windows via
DIGIPASS Authentication for Windows Logon 2.x. However, unlike DIGIPASS Authentication for Windows
Logon 1.x, you can define client component records to cover IP address ranges instead of individual client
component records for each individual IP address.

n Identikey Windows Logon Client is a pre- defined SEAL- based client component used for DIGIPASS
Authentication for Windows Logon 1.x. Client component records of this type do not require a client com-
ponent license

A client component record of this type is required for each client IP address used to log on to Windows via
DIGIPASS Authentication for Windows Logon 1.x. DIGIPASS Authentication for Windows Logon 1.x uses
Dynamic Component Registration (DCR) to ensure that the correct client component record is available
when required (see 6.4. Dynamic Component Registration (DCR)).

Dynamic Component Registration (DCR) must be enabled in the Windows Logon policy.

IDENTIKEY Appliance 3.18 – Product Guide 214

 30. Client Components

Warning
If your organization is impacted by the General Data Protection Regulation (GDPR), note that for being GDPR-com-
pliant, DIGIPASS Authentication for Windows Logon requires the Verify server SSL certificate box to be checked in
the DIGIPASS Authentication for Windows Logon Configuration Center.

For more information on GDPR, refer to the IDENTIKEY Appliance General Data Protection Regulation Compliance
Guide.

30.2.7. IDENTIKEY Federation Server

An IDENTIKEY Federation Server client component record for IDENTIKEY Authentication Server is required when
IDENTIKEY Federation Server is used for authentication to different Web applications. IDENTIKEY Federation Server
communicates with IDENTIKEY Authentication Server via the SEAL protocol. For more information about the func-
tionalities of and settings for IDENTIKEY Federation Server, refer to the IDENTIKEY Federation Server Product Guide.

Note
If you register IDENTIKEY Federation Server as a client, IDENTIKEY Authentication Server will require you to upload
a valid IDENTIKEY Federation Server license.

30.3. Client Component Licensing

Some client components require licenses to be operational, e.g. DIGIPASS Authentication Modules.

Client component licenses can be uploaded and viewed through the Administration Web Interface client com-
ponent records. For more information about client component licensing, see section 2.13. License Types .

For more information about creating a component record and installing a license for DIGIPASS Authentication Mod-
ules, refer to the IDENTIKEY Appliance Administrator Guide.

IDENTIKEY Appliance 3.18 – Product Guide 215

 31. Server Components

31. Server Components

Each IDENTIKEY Appliance in your setup needs to be licensed to be operational. To verify whether a valid license
exists, a server component needs to be registered for the IDENTIKEY Appliance to which its license can be
assigned.

The Administration Web Interface (see Section 9.4. Administration Web Interface) allows:

n Registering server components

n Managing server components
n Viewing server components
n Adding server components
n Viewing detailed license information

31.1. Automatic Server Component Creation

31.1.1. Licensing Process

During the licensing process in the IDENTIKEY Appliance Configuration Tool (see Section 9.3. Configuration Tool), a
server component record including a valid license is automatically created. Whenever the IP address is changed in
the Configuration Tool, a new license is mandatory (see Section 11.2.1. Changing the IP Address).

Warning
Do not modify the policy assigned to the server record as this may cause problems during installation of IIS mod-
ules in your setup (see Section30.2.5. DIGIPASS Authentication Module). This setting should only be modified by
OneSpan experts.

Tip
The old server component is not erased automatically allowing re-use of the old IP address without the need to
re-license, since the license is still stored in the record.

31.1.2. Replication

A component record is created for each IDENTIKEY Appliance in a replication setup. This is automatically configured
through the Replication Wizard. For more information about replication, refer to Chapter 26. Replication.

31.2. Licenses

A Server Component record holds the License Key for a specific IDENTIKEY Appliance instance. This component
record will be checked for a valid license when the IDENTIKEY Appliance is started. If the license key is missing,

IDENTIKEY Appliance 3.18 – Product Guide 216

 31. Server Components

invalid or expired, the Configuration Tool and Administration Web Interface are accessible for configuration and
management, but no services, such as authentication, are available.

Licenses can only be viewed in the server component record through the System tab in the Administration Web
Interface. For more information about modifying a license, refer to Section 11.1. First Time Licensing. For more
information on license types, refer to Section 2.13. License Types .

IDENTIKEY Appliance 3.18 – Product Guide 217

 32. Policies

32. Policies
Policies specify various settings that affect all request handling processes. Each request is handled according to a
policy identified by the applicable client and server records.

Policies may be set up in a hierarchy, where a policy will inherit most of its attributes from a parent policy, but with
some modifications for a slightly different scenario. At the top of this hierarchy is a given parent or base policy - not
necessarily the default IDENTIKEY Authentication Server Base Policy - which does not inherit any attributes from
any other policies (i.e. parentless policies).

The Administration Web Interface (see Section 9.4. Administration Web Interface) allows:

n Editing policies
n Copying policies
n Deleting policies

This chapter describes policy properties, the concept of policy inheritance, and provides example settings for the
IDENTIKEY Appliance RADIUS Self-Assignment policy.

32.1. Policy Properties

There are many policy settings which can be defined through the Administration Web Interface:

n General policy settings, such as:

n whether local authentication requires an OTP generated from a DIGIPASS device, or whether a
password (or both) is required (see 3.6. Local Authentication)
n whether back-end authentication is to be used (never, always or if needed), and if so the back-
end protocol, e.g. RADIUS, NetIQ eDirectory or Microsoft Active Directory (see 3.7. Back-End
Authentication)
n User policy settings, such as whether Dynamic User Registration is permitted, Password Autolearn and
Stored Password Proxy (see 3.5.4. Dynamic User Registration and 3.6.3. Authentication without DIGIPASS)
n DIGIPASS policy settings, such as whether auto- or self-assignment is possible and the grace period (see
3.6.3. Authentication without DIGIPASS)
n Application settings for 1- and 2-step Challenge/Response authentication and for Virtual Mobile Authentic-
ator and Backup Virtual Mobile Authenticator
n Policy settings for DIGIPASS Authentication for Windows Logon, e.g. offline authentication settings (see 6.
DIGIPASS Authentication for Windows Logon)

Some policy properties can be overruled in user or DIGIPASS records (see 27. DIGIPASS User Accounts and 28.
DIGIPASS). For more information about all fields available for configuring policies, refer to the IDENTIKEY Appliance
Administrator Reference.

IDENTIKEY Appliance 3.18 – Product Guide 218

 32. Policies

32.2. Policies

Policies may be set up in a hierarchy, where a policy will inherit most of its attributes from a parent policy, but with
some modifications for a slightly different scenario. At the top of this hierarchy is a given parent or base policy - not
necessarily the default IDENTIKEY Authentication Server Base Policy - which does not inherit any attributes from
any other policies (i.e. parentless policies).

IDENTIKEY Appliance 3.18 – Product Guide 219

 32. Policies

Image 65: Policy Inheritance Example

In the example above, all attributes are inherited from the parent policy. The attributes shown in the child policies
above are explicitly set, which make the policy different from the parent policy. The explicitly set attributes in the
child policies override those of the parent policies.

32.2.1. Show Effective Settings

As the various levels of settings in policy inheritance can get confusing, functionality is available which allows you
to view the settings effective for a selected policy, taking inherited settings into account. The text below shows the
effective settings for the IDENTIKEY Appliance RADIUS self-assignment policy:
Effective Policy Settings
[Local/back-end authentication]
Local Authentication : DIGIPASS/Password during Grace Period
back-end authentication : Always
Back-End Protocol : RADIUS

User Accounts]
Dynamic User Registration : Yes
Password Autolearn : Yes
Stored Password Proxy : Yes
Default Domain: (none)
User Lock Threshold : 3

[Windows Group Check]

Group Check Option : No Check
Group List: (none)

[DIGIPASS Assignment]
Assignment Mode : Self-Assignment
Grace Period (days) : 0
Serial No. Separator : |
Search up Organizational Unit Hierarchy : Yes

[DIGIPASS Settings]
Application Names
Application Type : No Restriction
DIGIPASS Types
PIN Changed Allowed : Yes

[1-Step Challenge Response]

Enabled : No
Challenge Length : 0

IDENTIKEY Appliance 3.18 – Product Guide 220

 32. Policies

Challenge Check Digit : No

[2-Step Challenge Response]

Request Method : Keyword
Request Keyword

[Primary Virtual Mobile Authenticator]

Request Method : Password
Request Keyword

[Backup Virtual Mobile Authenticator]

Enabled : No
Maximum Days : 0
Maximum Uses : 0
Request Method : KeywordPassword
Request Keyword : otp

The settings listed here include those set in policies from which the IDENTIKEY Appliance RADIUS Self-Assignment
policy inherits.

32.3. Pre-Loaded Policies

Pre-loaded policies are created for IDENTIKEY Appliance during installation and provide useful policy examples for
typical environments.

IDENTIKEY Appliance 3.18 – Product Guide 221

 32. Policies

Table 19: Pre-Loaded Policies

Policy Name Parent Policy Description Fields with settings which are different
from the parent policy

Base Policy - Globally applicable settings. In User Lock Threshold=3

general, all other Policies should
inherit from this, directly or indir- PIN Change Allowed=Yes
ectly.
Challenge Request Method=Keyword

Primary VDP Request Method=Password

Backup VDP Request Method=Keyword

Password Backup VDP Request Key-

word=otp

Identification Time Window=20

Check Challenge Mode=1

Event Window=20

Sync Window=6

Online Signature Level= 0

Identification Threshold=0

Local Authentication=None

Back-End Authentication=None

DUR=No

Password Autolearn=No

Stored Password Proxy=No

Group Check Mode=No

Check Assignment Mode=Neither

Search Up OU Path=No

Application Types=No Restriction

1-Step Challenge/Response=No

1-Step Challenge Check Digit=No

Backup VDP Enabled=No

IDENTIKEY Appliance 3.18 – Product Guide 222

 32. Policies

Table 19: Pre-Loaded Policies (continued)

Policy Name Parent Policy Description Fields with settings which are different
from the parent policy

IDENTIKEY Administration Base Policy Settings for an administration Local Authentication=DIGIPASS/Password

Logon logon including Audit Viewer during Grace Period
live connection. Separated from
the main authentication policies User Lock Threshold=0
to avoid accidental interference.
Locking is off to reduce the
chance of a lock-out.

IDENTIKEY Local Authentic- Base Policy Settings applicable to all Local Authentication=DIGIPASS/Password
ation IDENTIKEY Appliance authen- during Grace Period
tication Policies, including local
authentication. In general, all
other IDENTIKEY Appliance
Policies using local authen-
tication should inherit from this,
directly or indirectly.

IDENTIKEY Windows Pass- IDENTIKEY Local IDENTIKEY Appliance model for Back-End Authentication=Always
word Replacement Authentication password replacement and
Dynamic User Registration, Back-End Protocol=Windows
using Windows back-end
authentication. DUR=Yes

Assignment Mode=Neither

Password Autolearn=Yes

Stored Password Proxy=Yes

IDENTIKEY Microsoft AD Pass- IDENTIKEY Local IDENTIKEY Appliance model for Local Auth=Default
word Replacement Authentication password replacement with
Microsoft Active Directory (LDAP Backend Auth=Always
connection).
Backend Protocol=Microsoft AD

DUR=Yes

Password Autolearn=Yes

Stored Password Proxy=Yes

IDENTIKEY Appliance 3.18 – Product Guide 223

 32. Policies

Table 19: Pre-Loaded Policies (continued)

Policy Name Parent Policy Description Fields with settings which are different
from the parent policy

IDENTIKEY Novell eDirectory IDENTIKEY Local IDENTIKEY Appliance model for Local Auth=Default
Password Replacement Authentication password replacement with
NetIQ eDirectory (formerly Novell Backend Auth=Always
eDirectory) (LDAP connection).
Backend Protocol=Novell eDirectory

DUR=Yes

Password Autolearn=Yes

Stored Password Proxy=Yes

IDENTIKEY Windows Auto- IDENTIKEY Win- IDENTIKEY Appliance model for Assignment Mode=Auto-Assignment
Assignment dows Password Auto-Assignment based on the
Replacement Windows password replace- Search Up OU Path=Yes
ment model.
Grace Period=7

IDENTIKEY Microsoft AD Auto IDENTIKEY Local IDENTIKEY Appliance model for Local Auth=Default
Assignment Authentication Auto Assignment for Microsoft
Active Directory Backend Auth=If Needed

Backend Protocol=Microsoft AD

Assignment Mode=Auto-Assignment

Search-Up-OU-Path=Yes

IDENTIKEY Windows Self- IDENTIKEY Win- IDENTIKEY Appliance model for Assignment Mode=Self-Assignment
Assignment dows Password Self-Assignment based on the
Replacement Windows password replace- Search Up OU Path=Yes
ment model.
Self Assignment Separator=|

IDENTIKEY Microsoft AD Self IDENTIKEY Appliance model for Local Auth = Default
Assignment Self-Assignment for AD Pass-
word Replacement Backend Auth = Always

Backend Protocol = Microsoft AD

Assignment Mode = Self-Assignment

Search-Up-OU-Path = Yes

IDENTIKEY Novell eDirectory IDENTIKEY Novell IDENTIKEY Appliance model for Local Auth = Default
Self-Assignment eDirectory Pass- self-assignment for NetIQ eDir-
word Replace- ectory (formerly Novell eDir- Backend Auth = Always
ment ectory).
Backend Protocol = Novell eDirectory

Assignment Mode = Self-Assignment

Search-Up-OU-Path = Yes

IDENTIKEY Appliance 3.18 – Product Guide 224

 32. Policies

Table 19: Pre-Loaded Policies (continued)

Policy Name Parent Policy Description Fields with settings which are different
from the parent policy

IDENTIKEY RADIUS Pass- IDENTIKEY Local IDENTIKEY Appliance model for Backend Authentication=Always
word Replacement Authentication password replacement and
Dynamic Component Regis- Backend Protocol=RADIUS
tration using a RADIUS server for
back-end authentication. Password Autolearn=Yes

Stored Password Proxy=Yes

IDENTIKEY RADIUS Auto- IDENTIKEY Local IDENTIKEY Appliance model for Grace Period=7
Assignment Authentication Auto-Assignment based on the
RADIUS password replacement Search Up OU Path=Yes
model.
Assignment Mode=Self-Assignment

IDENTIKEY RADIUS Self- IDENTIKEY Local IDENTIKEY Appliance model for Search Up OU Path=Yes
Assignment Authentication Self-Assignment based on the
RADIUS password replacement Assignment Mode=Self-Assignment
model.
Self Assignment Separator=|

IDENTIKEY Back End Base Policy IDENTIKEY Appliance model for Backend Protocol=RADIUS
Authentication only back-end authentication.
Change the back-end protocol to Backend Authentication=Always
the one required.

IDENTIKEY DP110 Pro- Base Policy DIGIPASS for Web provisioning Local Auth=DIGIPASS/Password during
visioning 1 model scenario 1 - Activation Grace Period
codes are encrypted with pre-
loaded static passwords. 1-Step Challenge/Response=Yes-Any chal-
lenge

IDENTIKEY DP110 Pro- Base Policy IDENTIKEY DP110 Provisioning Local Auth = DIGIPASS/Password during
visioning 2 model scenario 2 - Dynamic Grace Period
Registration using back-end sys-
tem. Change the back-end pro- Back-End Authentication = Always
tocol to the one required.
1-Step Challenge/Response=Yes – Any chal-
lenge

IDENTIKEY DP4Mobile Pro- Base Policy IDENTIKEY DIGIPASS for Mobile-

visioning 1 provisioning model scenario 1

IDENTIKEY Appliance 3.18 – Product Guide 225

 32. Policies

Table 19: Pre-Loaded Policies (continued)

Policy Name Parent Policy Description Fields with settings which are different
from the parent policy

IDENTIKEY DP4Mobile Prov- Base Policy IDENTIKEY DIGIPASS for Mobile- Local Authentication = DIGIPASS/Password
sioning 2 provisioning model scenario 2 during Grace Period

Backend authentication= NONE

DIGIPASS type:

'Mob30'

IDENTIKEY DP4Mobile Prov- Base Policy IDENTIKEY DIGIPASS for Mobile- Local Authentication = DIGIPASS/Password
sioning 3 provisioning model scenario 3 during Grace Period

Backend authentication= IF NEEDED

DIGIPASS type:

'Mob30'

IDENTIKEY DP4Web Pro- Base Policy IDENTIKEY DIGIPASS for WebPro-

visioning 1 visioning model scenario 1 -
Activation codes are encrypted
with pre-loaded static pass-
words.

IDENTIKEY DP4Web Pro- Base Policy IDENTIKEY DIGIPASS for WebPro- Local Auth = DIGIPASS/Password during
visioning 2 visioning model scenario 2 - pre- Grace Period
loaded user accounts and static
passwords.

IDENTIKEY DP4Web Pro- Base Policy IDENTIKEY DIGIPASS for WebPro- Local Auth = DIGIPASS/Password during
visioning 3 visioning model scenario 3 - Grace Period
Dynamic Registration using
back-end system. Change the DUR=Yes
back-end protocol to the one
required.

IDENTIKEY Deferred Time sig- Base Policy Deferred time signature veri- Signature Time Window = 24
nature Verfication fication settings: Time based.

IDENTIKEY Real-Time sig- Base Policy Real-time signature verification Online signature level = 1 - Multiple Sig-
nature verfication 1 settings: Time-based, several natures allowed in same Time Step
signatures are allowed in the
same timestep but 2 identical
successive signatures will be
rejected.

IDENTIKEY Real-Time sig- Base Policy Real-time signature verification Online signature level = 2 - Only 1 Sig-
nature verfication 2 settings: Time-based, one sig- nature/Time Step allowed
nature allowed per timestep.

IDENTIKEY Appliance 3.18 – Product Guide 226

 32. Policies

Table 19: Pre-Loaded Policies (continued)

Policy Name Parent Policy Description Fields with settings which are different
from the parent policy

IDENTIKEY Real-Time sig- Base Policy Deferred time signature veri- Signature Time Window = 24
nature verfication 3 fication settings: Event based,
off-line mode.

Windows logon online authen- IDENTIKEY Local Windows Logon with Windows Back-End Authentication = Always
tication - Windows Back-End Authentication back end
Back-End Protocol = Windows

Dynamic Component Registration = Yes

Enable Random Password = No

Client Group List =

Client Group Mode = No check

Offline Authentication = No

Windows logon online authen- IDENTIKEY Local Windows Logon for LDAP AD Back-End Authentication = Always
tication - LDAP AD Back-End Authentication back end
Back-End Protocol = Microsoft AD

Dynamic Component Registration = Yes

Enable Random Password = No

Client Group List =

Client Group Mode = No check

Offline Authentication = No

Windows logon online and off- Windows logon Windows logon online and offline OfflineOffline Authentication = Yes
line authentication – Win- online authen- authentication for Windows back
dows Back-End tication - Win- end Offline Time Window (days) = 21
dows Back-End
Offline Event Window = 300

Windows logon online and off- Windows logon Windows logon online and offline Offline Authentication = Yes
line authentication – LDAP AD online authen- authentication settings for LDAP
Back-End tication - LDAP AD AD back end Offline Time Window (days) = 21
Back-End
Offline Event Window = 300

IDENTIKEY Appliance 3.18 – Product Guide 227

 33. Reporting

33. Reporting
IDENTIKEY Appliance allows you to define and run a wide range of detailed reports. Reporting aspects include
desired fields, runtime query options, permissions, templates and scheduling. You can use pre-defined standard
reports, which can be edited, or you can define elements to create your own customized reports. Reports are man-
aged via the Administration Web Interface.

For detailed instructions on reporting tasks, refer to the Reporting chapter in the IDENTIKEY Authentication Server
Administrator Guide.

For a list of factors to consider when configuring reporting, refer to the IDENTIKEY Appliance Administrator Refer-
ence, section "Considerations for Reporting and Auditing".

33.1. Reporting Features and Settings

Reports are created by collecting and manipulating data from a variety of sources. The principle concepts and fea-
tures behind reporting in IDENTIKEY Appliance are described in the following sections.

33.1.1. Report Type

There are four general types of IDENTIKEY Appliance reports:

n List Analysis. Lists all items that match the criteria specified in the report definition, e.g. a list of users with
no DIGIPASS assigned.
n Detailed Analysis. Shows detail of the events specified in the report definition, e.g. a detailed list of failed
authentications for a user.
n Distribution Analysis. Shows a count of events and objects, e.g. the number of failed authentications for a
domain.
n Trend Analysis. Shows a trend over a period of time for the objects specified in the report definition. For
Trend Analysis reports, there is an extra parameter: the period of time for which the data needs to be
extracted must be specified by hour, day, month, and year.

All reports, whether standard or custom, are based on these report types. Each report type retrieves information
from either the audit data, the data store, or both.

33.1.2. Grouping Level

The grouping level specifies how the data in the report will be grouped:

n Client. If a report has set grouping level to Client, each (physical) client connected will be represented indi-
vidually.
n Domain.

IDENTIKEY Appliance 3.18 – Product Guide 228

 33. Reporting

n Organizational Unit. If a detailed or list report has set grouping level to Organizational Unit, the data for all
the users in that organizational unit will be added together and represented only once under the organ-
izational unit.
n User. If a detailed or list report has set at grouping level to User, each user will be represented individually.
n Digipass.

33.1.3. Data Source

Each report is generated from data existing on IDENTIKEY Appliance:

n Users. Generates the report based on the user information from the IDENTIKEY Appliance data store.
n Users + Audit Data. Generates the report based on the user information mentioned above, and the audit
data from IDENTIKEY Appliance.
n Digipass. Generates the report based on the authenticator information from the IDENTIKEY Appliance data
store.
n Digipass + Audit Data. Generates the report based on the authenticator information mentioned above,
and the audit data from IDENTIKEY Appliance.
n Audit Data. Generates the report based on the audit data only. This means that the results are grouped by
the distinct grouping objects, e.g. client components, found in the audit data for the selected reporting
time period, whether they currently exist in the IDENTIKEY Appliance database or not.
n Users + Digipass. Generates the report based on the user and authenticator information from the
IDENTIKEY Appliance data store. This option can be used for list or detailed analysis reports only.

33.1.4. Administrative Scope of Reports

The administrative scope of reports allows to define for which part of the organizational structure the report is to
be generated and run. Via this administrative scope it is possible to determine which users, DIGIPASS authen-
ticators, organizational units, and domains are to be included in the report processing and the relevant output.

n ODBC Storage
n All domains. Running the report is initiated by a Master Domain administrator; objects are pro-
cessed over all domains, including the Master Domain.
n Single domain. Running the report is initiated by a single domain administrator; objects which are
part of that same domain are processed.
n Multiple domains. Running the report is initiated by a multiple domain administrator; objects
which are part of those domains for which the administrator has the relevant permissions are pro-
cessed.
n Org unit and all child org units. Running the report is initiated by an organizational unit
administrator; objects which are part of that organizational unit and all its child organizational
units are processed.

Note
The administrative scope is not applicable to reports on client applications.

IDENTIKEY Appliance 3.18 – Product Guide 229

 33. Reporting

33.1.5. Time Zone

When configuring report settings, you can specify a time zone. This selected time zone will be used for:

n The report's specified time period

n All logs in the report (if any)

33.1.6. Fields

You can filter report data at a field level, but only if:

n The report type is Detailed Analysis or List Analysis reports

n The data is selected from the Audit data source

If no specific fields are selected, then all fields are included in the report. For example, your report could display
the number of session times over one hour within the past week.

33.1.7. Query

You can further customize reporting data by setting one or more Queries.

For example, to generate a report for a specific audit message, e.g. Authentication, you can specify the fol-
lowing line in your query:
Audit Message = 'Authentication'

You will then only receive information on Authentication audit messages in your report.

You can use multiple queries to gain even finer-grained control of data. For example, the Authentication Activity by
Client report includes the following query data:
Audit:Category equals Authentication,
Audit:Type equals success,
Audit:Code equals S-002001,
Audit:Code equals S-010001

The Query value field can also recognize free text for time values. For example:
Audit:Timestamp + is greater than + “6 months ago”

IDENTIKEY Appliance 3.18 – Product Guide 230

 33. Reporting

33.1.8. Permissions

Each report definition has an owner. The owner is usually the administrator that created the report, but ownership
can be transferred to another administrator in the same domain. Permissions associated with each report determ-
ine:

n Who can run the report. Use can be restricted to the report owner, or it can be granted to other admin-
istrators.
n Who can change the report definitions. The ability to change the report format and details can be restric-
ted to the report owner, or it can be granted to other administrators.
n Who can view the report.

Usage Permissions
There are three types of usage permissions:

n Private. Only the owner can view and run the report.
n Domain. The report can be run and viewed only by administrators that belong to the domain where the
report was defined.
n Public. All administrators in all domains can view and run the report.

Change Permissions
There are three types of change permissions:

n Private. Only the owner can change the report.

n Domain. The report can be changed only by administrators that belong to the domain where the report
was defined.
n Public. All administrators in all domains can change the report.

Permissions for Standard Reports

Standard reports have private permissions relating to changing the reports, and public permissions relating to
running and viewing the reports.

33.1.9. Templates

Reports can be generated in XML, HTML or PDF format. When defining a report, you can either:

n use the default XML or PDF templates, or

n provide your own custom template definition.

Templates are defined when creating a report, and are then selected from a list when running the report. Each
report definition can have more than one formatting template.

IDENTIKEY Appliance 3.18 – Product Guide 231

 33. Reporting

XML and HTML Reports

IDENTIKEY Appliance supports XSLT transformation to produce desired reporting output. The result of the SQL
query and the report type are then combined into an XML report. The XML report and the report format tem-
plate are combined to produce the finished report in the required format (XML or HTML).

PDF
The XML data is run through a PDF generator to produce a basic PDF report. This is then combined with the
template data (including header, footer and logo data), to provide a finished PDF with bookmarked headline
sections. The PDF header, footer and logo data can be customized, or use the standard template.

Note
Only PDF reports can be run from the background. As such, running a report with XML or HTML outputs will lock
the Administration Web Interface until the reporting task is completed.

33.1.10. Report Retrieval

Saved PDF reports can be retrieved using the System tab of the Administration Web Interface . The PDF report may
be opened directly from the Administration Web Interface, or it may be saved.

IDENTIKEY Appliance 3.18 – Product Guide 232

 34. Wireless RADIUS

34. Wireless RADIUS

IDENTIKEY Appliance supports authentication over a wireless connection via the RADIUS protocol.

Image 66: Wireless RADIUS Components

34.1. Wireless RADIUS Terminology Used

An authentication service using wireless RADIUS has the following components:

n Supplicant: The machine from which a wireless access request originates.

n Authenticator: The machine to which the Wireless Access Point passes authentication requests.

34.2. Wireless Network Encryption

The Wireless Access Point must be configured to use one of the following wireless protocols:

n WPA Enterprise
n WPA2 Enterprise
Warning
OneSpan does not recommend the use of the TKIP encryption algorithm on wireless networks due to inherent
security issues. Configure your WAP(s) to use the AES algorithm.

34.3. Fast Reconnect

Wireless sessions may be renewed at regular intervals by using Fast Reconnect.

When a one-time password authentication is performed, a session ID is assigned to the wireless connection. Fast
Reconnect uses this session ID to automatically re-authenticate the wireless connection rather than requiring user
ID and one-time password input from the user.

IDENTIKEY Appliance 3.18 – Product Guide 233

 34. Wireless RADIUS

Image 67: Fast reconnect Overview

Image 68: Fast Reconnect Authentication Process

Users are considered to be 'roaming' where:

n Multiple wireless access points are available, and

n The user may connect to more than one wireless access point, and
n The user will be moving from the range of one wireless access point to another.

A change from one wireless access point to the next can be made without inconvenience to the user when Fast
Reconnect can be used between the access points.

Note
Roaming connections are not supported over multiple instances of IDENTIKEY Appliance.

IDENTIKEY Appliance 3.18 – Product Guide 234

 34. Wireless RADIUS

Fast reconnect will only work for roaming wireless connections where:

n All wireless access points are sending authentication requests to the same IDENTIKEY Appliance instance
n All component records for the wireless access points are using the same policy
n All wireless access points are configured to use the same SSID

Image 69: Roaming Wireless Fast Reconnection

34.4. Multiple Roaming Zones

Multiple roaming zones – where roaming wireless connections are not permitted between zones - may be estab-
lished by assigning different SSIDs to wireless access points in different zones, and using different policies for com-
ponents in each zone. The following diagram illustrates how Fast Reconnect works with an environment with
multiple roaming zones.

IDENTIKEY Appliance 3.18 – Product Guide 235

 34. Wireless RADIUS

Image 70: Roaming Wireless Fast Reconnection – Roaming Zones

IDENTIKEY Appliance 3.18 – Product Guide 236

 35. Organization

35. Organization
User accounts and DIGIPASS records can be grouped in the IDENTIKEY Appliance using two structures: domains and
organizational units, which are managed using the Administration Web Interface.

This chapter describes IDENTIKEY Appliance domains and organizational units, their similarities and differences,
the Master Domain concept and its usage, how to move DIGIPASS user accounts, and the location of DIGIPASS
records, including some typical DIGIPASS location models.

35.1. Domains and Organizational Units

Image 71: Domains and Organizational Units

Domains and Organizational Units are included in the internal database in a way that mirrors the hierarchical organ-
ization of your company.

Domains and Organizational Units are included in the internal database in a way that mirrors the hierarchical organ-
ization of your company.

Domains and Organizational Units are used to:

n separate users and/or groups

n limit administrator activities to the administrator's own domain (delegated administration) or to an organ-
izational unit

IDENTIKEY Appliance 3.18 – Product Guide 237

 35. Organization

n to allocate DIGIPASS records to different domains or organizational units, for example to mirror the geo-
graphic location of the devices.

However, there are two differences between domains and organizational units:

AllDIGIPASS user accounts and DIGIPASS records must belong to a domain. DIGIPASS user accounts and records do
not have to belong to an organizational unit.

The domain is used to identify user accounts, whereas organizational units are not (as explained below). As a con-
sequence, two user accounts with the same name can only exist if they are in different domains.

35.2. Master Domain and Practical Uses

35.2.1. Master Domain Concepts

When theIDENTIKEY Appliance is installed, a single domain is created in the database, the Master Domain. By
default, all new DIGIPASS user accounts and DIGIPASS records are created in the Master Domain.

The Master Domain serves three important purposes:

n for initial access and configuration of the IDENTIKEY Appliance. Two system administrators exist on the
Master Domain, one for system operation, which should never be removed, and one for the IDENTIKEY
Appliance system administrator (see Section 9.1. Default Administrative Users).
n all DIGIPASS instances are imported by default into the Master Domain although different domains or
organizational units can be chosen during importation. For example relocation models, refer to Section
35.5. Typical DIGIPASS Location Models for ODBC.
n for whenever a domain cannot be found for an authentication request (explained below).

If a separate domain field is provided on login, this is used with the user ID. If a separate domain field is not
provided, but the user name is in the form userid@domain, and there is a domain with the given domain name,
that domain is used. In this case, the user name has the '@domain' part removed. Otherwise, the user name
remains as userid@domain and no domain is identified.

If no domain is identified, the applicable policy is checked for a Default Domain. The default domain is used if it is
specified in the policy. Otherwise, the Master Domain is used as a default (see image below).

IDENTIKEY Appliance 3.18 – Product Guide 238

 35. Organization

Image 72: User ID and Domain Resolution

You can change the Master Domain name, allowing you to set the company/organization domain as the master
domain. This will enable authentication via user ID alone without having to configure a default domain.

Configuring the Master Domain is done via the IDENTIKEY Authentication Server setup wizard. For more inform-
ation, refer to the IDENTIKEY Appliance Installation and Maintenance Guide.

35.3. Moving DIGIPASS User Accounts and DIGIPASS

(1 )A domain must be chosen for a DIGIPASS user account when it is created, as the domain makes up part of the
identification for the account. A DIGIPASS record assigned to a DIGIPASS user account must belong to the same
domain as the account. You therefore need to ensure that the correct numbers of DIGIPASS records are allocated to
the different domains.

IDENTIKEY Appliance 3.18 – Product Guide 239

 35. Organization

(2) A DIGIPASS record assigned to a DIGIPASS user account must belong to the same organizational unit as the user
account. If a DIGIPASS record is assigned to a user account in another organizational unit, it is moved there auto-
matically.

(3) A DIGIPASS user account may not be moved to a different domain. It must be deleted and recreated in the
required domain.

(4) Unassigned DIGIPASS records may be moved to the required domain after importation.

(5) A DIGIPASS record assigned to a user cannot be moved. DIGIPASS user accounts can be moved between organ-
izational units within the same domain whenever required, in which case the assigned DIGIPASS records are auto-
matically moved with them.

Image 73: Possibilities for Moving User Accounts and DIGIPASS (OU = Organizational Unit)

Note
When a user account is moved to an organizational unit, all DIGIPASS records assigned to it are also moved.

A DIGIPASS record assigned to a user cannot be moved - the user account must be moved.

IDENTIKEY Appliance 3.18 – Product Guide 240

 35. Organization

35.4. DIGIPASS Records Location

When looking for an available DIGIPASS record for a device to assign to a user, the IDENTIKEY Appliance will first
look in the same organizational unit as the specific user account, if the user account belongs to an organizational
unit. The Search Upwards in Organizational Unit hierarchy option, when enabled, allows the IDENTIKEY Appliance
to search in parent organizational units and the DIGIPASS pool container. This option may be set at the policy level
for system searches (i.e. Auto-Assignment and Self-Assignment (see Section 28.3.2. Auto-Assignment and Section
28.3.1. Self-Assignment) or at the time of the search for manual assignment.

Note
The IDENTIKEY Appliance will always find or assign the closest available DIGIPASS record to the selected user
record(s).

If the user account being assigned a DIGIPASS record does not belong to an organizational unit, the IDENTIKEY
Appliance will look for an available DIGIPASS record which does not belong to an organizational unit, i.e. for an
available record stored directly in the domain.

35.5. Typical DIGIPASS Location Models for ODBC

35.5.0.1. Domain Root

DIGIPASS records may be stored in the domain root while unassigned.

This option allows a centralized point of access for assignment of DIGIPASS records. It also requires less calculation
and high-level administration - DIGIPASS records are all stored in one area and there is no need to manually move
records or calculate the exact number of DIGIPASS required for each organizational unit or group of units. Admin-
istrators must belong to the domain only (not an organizational unit) to assign DIGIPASS from the domain root.

IDENTIKEY Appliance 3.18 – Product Guide 241

 35. Organization

Image 74: DIGIPASS Record Locations – Domain Root

In the diagram above, the IDENTIKEY Appliance searches upwards through the organizational unit structure for
available DIGIPASS record to assign to a DIGIPASS user in the organizational unit B1. Because no available
DIGIPASS records are found in B1, it searches in B, then in the domain root.

The administrator account manually assigning the DIGIPASS records must be located in the domain root (no organ-
izational unit) in order for this model to work successfully.

Note
The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly.

This option is simplified if an organizational unit structure is not used in the database. User accounts and DIGIPASS
records may all be stored in the domain root. The Search Upwards in Organizational Unit hierarchy option does not
need to be enabled in this case.

35.5.0.2. Parent Organizational Units

Unassigned DIGIPASS records can be kept in key organizational units, and made available to their lower level
organizational units.

IDENTIKEY Appliance 3.18 – Product Guide 242

 35. Organization

Image 75: DIGIPASS Record Location – Parent Organizational Unit

In the diagram above, the IDENTIKEY Appliance can search in the parent organizational unit for available DIGIPASS
records.

The administrator account manually assigning the DIGIPASS records must belong to the parent organizational unit.

Note
The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly.

35.5.0.3. Individual Organizational Units

DIGIPASS records can be loaded or moved into each organizational unit where and when they are required. If all
DIGIPASS in the organizational unit are assigned, more DIGIPASS records will need to be moved in manually by a
domain administrator before they can be assigned.

IDENTIKEY Appliance 3.18 – Product Guide 243

 35. Organization

Image 76: DIGIPASS Record Locations – Individual Organizational Units

In the diagram above, unassigned DIGIPASS records are stored in the exact organizational units in which they will
be assigned.

Administrator accounts belonging to the organizational units A1 and A2 have administration privileges in their own
organizational unit only.

Note
The Search Upwards in Organizational Unit hierarchy option does not need to be enabled for this model.

35.5.1. Combination of models

DIGIPASS records may be stored in the domain root as well as some or all organizational units. If no unassigned
DIGIPASS records are found in the organizational unit, and the Search Upwards in Organization Unit hierarchy
option is enabled, then IDENTIKEY Appliance will search upwards to the domain root and search in the DIGIPASS
Pool for an available, unassigned DIGIPASS record.

IDENTIKEY Appliance 3.18 – Product Guide 244

 36. Rescue Tool

36. Rescue Tool

The Rescue Tool allows administrators to access a limited number of settings through a command line menu.

Note
The Rescue Tool is not the DIGIPASS Command Line Administration (DPCLA). DPCLA is an extension of the Tcl 8.4
scripting language, which allows interactive command-line and scripted administration of DIGIPASS-related data.
The DPCLA is only accessible to OneSpan support engineers.

36.1. Accessing the Rescue Tool

To access the Rescue Tool, use the logon user name rescue. No password is required when using the default
logon options. However, you can specify several user/password combinations and require a minimum number of
successful logins before granting access. For example, you can have five possible user/password combinations,
and a user will need to supply at least three of these to access the Rescue Tool. For more information, refer to the
IDENTIKEY Appliance Administrator Reference, Section "Authentication Settings".

You can access the Rescue Tool using one of the following methods:

n If using IDENTIKEY Virtual Appliance, switch to the console view in your hypervisor software and log on.

n Connecting a screen and keyboard directly to the IDENTIKEY Appliance, and logging on in a command-line
prompt.

This does not apply to IDENTIKEY Virtual Appliance!

n Connecting a workstation or laptop computer to the IDENTIKEY Appliance using a serial null modem cable
plugged into a serial port on both devices. This requires configuration specific to the operating system of
the workstation or laptop computer.

This does not apply to IDENTIKEY Virtual Appliance!

For more information about using the Rescue Tool, refer to the IDENTIKEY Appliance Installation and Maintenance
Guide.

36.2. Functions

The Rescue Tool can be used to:

n Reset IDENTIKEY Appliance configuration settings to factory default settings. This means that licenses are
removed, configuration data is lost and even network settings are re-set. The same conditions apply as
with first time installation (refer to Chapter10. Installation Configuration).
n Ping other IP addresses to determine if connection can be established.
n Reset the sysadmin user account. If the Rescue Tool is used to reset the default sysadmin user account
for the Configuration Tool, it resets the password to the factory default, sysadmin, enables the sysadmin

IDENTIKEY Appliance 3.18 – Product Guide 245

 36. Rescue Tool

user, and logs out of the Configuration Tool. When theIDENTIKEY Appliance is accessed, the Configuration
Wizard detects that the sysadmin password needs to be changed and presents this page of the Con-
figuration Wizard for completion. The Configuration Tool is not accessible until the password has been
changed.
n Reset the access settings for the Configuration Tool, allowing access from any client computer. This fea-
ture effectively resets the Limit Access to Networks setting.
n Change and view network settings, e.g. changing the IDENTIKEY Appliance IP address. After the Rescue
Tool has been used to change the IP address, the same conditions apply as described in Section11.2.1.
Changing the IP Address.
n reboot or shut down the IDENTIKEY Appliance.

When the Rescue Tool is started a support connection will be established. This will enable a support technician to
access your IDENTIKEY Appliance if you need support when the Configuration Tool is unavailable.

Image 77: Rescue Tool Start Menu

IDENTIKEY Appliance 3.18 – Product Guide 246

 36. Rescue Tool

Image 78: Rescue Tool Network Menu

IDENTIKEY Appliance 3.18 – Product Guide 247

 37. Support Procedure

37. Support Procedure

If you have problems with or questions about a OneSpan product, follow the steps below:

1. Check if your problem has been resolved in the online knowledge base at http://www.vasco.com/support.
2. If you are unable to solve your problem with the Knowledge Base, please contact the company which sold
you the OneSpan product.
3. If your supplier is unable to solve your query, they will automatically contact the appropriate VASCO expert.
If necessary OneSpan experts can access your IDENTIKEY Appliance remotely to solve any problems.
Remote support and access to your IDENTIKEY Appliance are achieved through the VASCO Customer
Portal.

For more information about remote support, refer to Section 24.2. Remote Support.

For more information about the VASCO Customer Portal, refer to Section 2.14. VASCO Customer Portal.

IDENTIKEY Appliance 3.18 – Product Guide 248

 38. Appendix: IDENTIKEY Virtual Appliance OS Hardening - Guidelines

38. Appendix: IDENTIKEY Virtual Appliance OS Hardening -

Guidelines
This section provides tips and techniques for hardening your IDENTIKEY Virtual Appliance. Please note that the fol-
lowing list of guidelines is by no means exhaustive.

38.1. Securing the Virtual Machine Host

Before installing any software, ensure that the installation source of your host operating system and other soft-
ware that you intend to install on it comes from a trusted source.

38.1.1. Hardening a Microsoft Environment

n Servers should be connected to a trusted network during the installation and hardening processes.
n Use the Windows file system NTFS only; it offers access controls and protections that are not available
with FAT32 file system.
n Update the system after the base installation; install all current service packs. Make sure the system stays
updated at all times.
n Rename the built-in administrator account. This account is the primary point for attacks.
n Use a strong password for the renamed administrator account. See 27.6. Password Strength and 38.2.
Password Guidelines for more information about password guidelines.
n Disable the guest account.
n Configure an account lockout policy to counter brute-force attacks.
n Disable all unnecessary services and file shares. Configure appropriate Access Control Lists (ACL) for ser-
vices and file shares that are necessary for day-to-day operations.
n Install anti-virus software and implement processes to keep it up-to-date so that your host is shielded
against the latest virus threats.
n Install and use an intrusion detection system (IDS).

38.1.2. Hardening a Linux Environment

n Servers should be connected to a trusted network during the installation and hardening processes.
n Use separate disk partitions. The following file systems should be mounted on separate partitions:
n /usr
n /home
n /var
n /var/tmp
n /tmp
n Disable unwanted SUID and SGID binaries; every local or remote user can use such binaries.
n Keep the Linux kernel and other installed software up-to-date.
n Make sure that no non-root accounts have their UID set to 0.

IDENTIKEY Appliance 3.18 – Product Guide 249

 38. Appendix: IDENTIKEY Virtual Appliance OS Hardening - Guidelines

n Disable the root login for remote administration.

n Use Linux security extensions where possible.
n Make sure you have a good and strong password policy. See 27.6. Password Strength and 38.2. Password
Guidelines for more information about password guidelines.
n Lock user accounts after successive login failures.
n Disable unwanted services and listening network ports. Configure appropriate Access Control Lists (ACL)
for services and file shares that are necessary for day-to-day operations.
n Install and use an Intrusion Detection System (IDS).

38.1.3. Securing IDENTIKEY Appliance

To secure IDENTIKEY Appliance, the following steps are recommended:

Procedure 11: System Hardening - Configuration Tool

n Once IDENTIKEY Appliance is configured, create one or more dedicated users with system administrator
privileges using DIGIPASS authentication.
n Disable the factory sysadmin user.
n Enforce authentication for access to the Rescue tool.
n Create a strong passphrase to encrypt your backups. See 38.2. Password Guidelines for more information
about password guidelines.
n Keep IDENTIKEY Appliance up-to-date. Make sure your are always running the latest version.

Procedure 12: Hardening the IDENTIKEY Authentication Server Administration Web Interface

n Create one or more dedicated users with system administrator privileges using DIGIPASS authentication.
n Configure your authentication policies to exclude administrative logins. This avoids unwanted admin-
istrator account lockouts.
n If you are using static passwords, OneSpan recommends using strong static passwords; this lowers the
overall risk of a security breach. Make sure to update your password policy accordingly.
n Disable inactive user accounts. IDENTIKEY Authentication Server policies can be configured so that inactive
accounts are automatically disabled after a certain period of inactivity.
n Use SOAP over SSL to secure communications between your Web applications and IDENTIKEY Authentic-
ation Server. Mutual authentication is optional, but improves security considerably .
n Use a Hardware Security Module (HSM) to protect the system's cryptographic information and its pro-
cessing of authentication requests.

38.2. Password Guidelines

To minimize the risk of compromised passwords and increase protection against brute-force attacks, enforce pass-
word guidelines. Recommendations for safe passwords include but are not limited to the following measures:

Do not use personal information. Never use any information personally related to yourself or any other individual
such as names, birth dates, addresses, telephone numbers etc. as a part of your password. It is very easy for
attackers to guess your last name, your pet's name, the birthday of your child, and similar details.

IDENTIKEY Appliance 3.18 – Product Guide 250

 38. Appendix: IDENTIKEY Virtual Appliance OS Hardening - Guidelines

Do not use ordinary words or phrases. Attackers attempt to crack your password by executing programs that use
multilingual wordlists and data structures (rainbow tables), similar to a dictionary (dictionary attack).

Mix different character types. Mix different types of characters. Use combinations of uppercase and lowercase let-
ters, numbers, and special characters such as & or %.

Use at least 16 characters. The greater the length of the password, the longer an attempted brute-force attack will
take and the more difficult it is to crack the password. A password length of 16 characters equals 96 bits, which is
well beyond the cracking capabilities of regular computers.

Use a passphrase. Rather than trying to remember a password created by using various character types which do
not form a word from the dictionary, you can use a passphrase. Think up a sentence or a line from a song or poem
that you like and create a password using the first letter of each word.

IDENTIKEY Appliance 3.18 – Product Guide 251

 Index

Index

A Challenge/Response
1-Step 64
Activation Code 88, 93 1-Step Challenge/Response 64, 222
activation completed notification 90 2-Step 64
activation delayed notification 90 2-Step Challenge/Response 64
Active Directory challenge generation 64
Back-End Authentication, site awareness 74 time/event-based 202
administration interfaces 31 types of DIGIPASS 20
Administration Web Interface 127 CHAP 33, 74, 79-80, 122
ADUCE 75, 98 Check Digit 203, 221-222
application service provider 17 Citrix Web Interface 19, 38, 48, 66, 214
Audit Viewer 52, 161, 213, 223 Classless Inter-Domain Routing (CIDR) notation 48, 85, 92
auditing 127 client
Authentication RADIUS 19
RADIUS 32 client component 128
SEAL IIS 32 communication protocols 32
SOAP 32 Configuration Tool 127
authentication process 47 Configuration Wizard 131
Auto-Assignment connection handling 185
and maker-checker authorization 54, 199 creating users via dynamic user registration (DUR) 188
overview 199 cryptographic signature
auto-unlock 196 Secure Auditing 164
Autolearn CSV
Password Autolearn 72-73, 80, 192, 195, 218, 220, 222 plugin 140

B D
back-end authentication data fields 20, 82, 121, 188
back-end server 128 Data Migration Tool 19, 132
Back-End Authentication 71 default domain processing 50
DP110 Provisioning Scenarios 109 Deferred Signature Validation 83
Grace Period 63 delayed activation 89
LDAP protocol and Active Directory, site awareness 74 activation completed notification 90
Password Autolearn 73 activation delayed notification 90
provisioning 95 delayed activation period 89
Software DIGIPASS Registration 93 delivery of Software DIGIPASS 88
Stored Static Password 72 dictionary attack 251
back-end protocol 53, 71, 96, 101, 107, 218, 220, 223
back-end server
RADIUS server 36
record 73
backup and restore 127
Backup Virtual DIGIPASS 26
Usage Guidelines 207

C
challenge
Access-Challenge mechanism 36
generating a challenge 64

IDENTIKEY Appliance 3.18 – Product Guide

 Index

Index

DIGIPASS reporting permissions 231

activation completed notification 90 DP110
activation delayed notification 90 Provisioning 109
auto-assignment and maker-checker authorization 54, 199 Scenarios 109
delayed activation 89 DUR user information synchronization 188
delayed activation period 89 Dynamic User Registration
deploying 128 provisioning 95
instance 27-28 dynamic user registration (DUR) 54, 128, 188
master activation application 28 creating users 188
Multi-Device Activation 27 DUR user information synchronization 188
Multi-Device Licensing 27
overview 19 E
provisioning 95
EAP 36, 79-80
Secure Channel 29
effective settings 192, 220
self-assignment 128
electronic signatures 16, 32
Software DIGIPASS
EMV-CAP 23, 42-43, 120-121, 148-149
delivery 88
Evaluation License 135
registration 91
event-based 84, 114, 200, 202-203
start time 89
Event-based DIGIPASS Applications 202
types of 20
event counter 84-85, 87, 150, 200
user account 128
event value 204
User Account Lookup and Checks 50, 85
expiration, static back-end password 194
User Accounts 187
expiration, static local password 194
Virtual DIGIPASS 26
DIGIPASS 110 109 F
DIGIPASS App
Definition 25 factory default 136
push–notification-based authentication 25, 30, 65 Fail-over strategy
DIGIPASS Applications Back-End Server records 73
time/event-based 202 filter 19
DIGIPASS Authentication for Windows Logon 19, 32 filters
DIGIPASS Authentication Modules 19 performance monitoring 138
DIGIPASS authenticators first time setup 130
authenticators with keypad 21 forwarding
authenticators without keypad 22 Replication 184
DIGIPASS card readers 23
software DIGIPASS authenticators 24 G
virtual DIGIPASS authenticators 26
DIGIPASS Gateway General Data Protection Regulation (GDPR)
push-notification-based authentication 65 securing connections, Caution notice 119, 168
DIGIPASS start time 89 securing RADIUS connections, Caution
DIGIPASS user account notice 41, 113, 116, 187, 215
auto-unlock 196 Grace Period 63
digital signatures 21, 197 Group Check 51, 54, 57, 71, 86, 92, 117, 220, 222
domain 128
Back-End servers, domain-specific 74
domain root
ODBC 241
overview (ODBC) 237

IDENTIKEY Appliance 3.18 – Product Guide

 Index

Index

H Microsoft Windows
authenticating 19
Hardware Security Module (HSM) 120, 122-123, 164, 250 monitoring
EMV-CAP 120 filters 138
Load Balancing and Failover 123 performance 138
supported models 122 Performance Monitoring tool 138, 140
host code 16 plugins 140
HTTP Basic Authentication 66, 81 Replication 185
system monitoring 137, 142-144
I Multi-Mode 20, 25, 59
types of DIGIPASS 20
IDENTIKEY Appliance 30-31
IDENTIKEY Appliance Administration Web Interface 32 O
IDENTIKEY Appliance Configuration Tool 31
IDENTIKEY Appliance Rescue Tool 32 ODBC
IDENTIKEY Virtual Appliance 33 domain root 241
IIS module 32, 212 domains and organizational units 237
inheritance 218, 220 Offline Delivery 88
installation 127 One-time password 16
international character support one-time passwords (OTP) 19
limitations 81 organizational unit 128
Internet Information Services 39 out-of-band (OOB) authentication
push notification 65
L Outlook Web Access 48, 59, 71-73, 128, 214
LDAP P
site awareness 74
LDAP user synchronization 127 PAP 33, 74, 79
license key 43, 213, 216 Parent Organizational Units
licenses ODBC 242
upgrading 136 password
licensing 15, 19, 27, 29, 31, 43, 45, 58, 69, 83, 93, 95, 100, 102, supported protocols 33
120, 122, 127, 130, 133-134, 148, 150, 152, 154, 162, Password
170, 215-216 expiration, back-end password 194
Licensing expiration, local password 194
EMV-CAP 120 password strength 192
Load Balancing and Failover Policy 194, 250
Hardware Security Modules 123 RADIUS password protocols (limitations) 80
Local Authentication 57 password guidelines
Grace Period 63 dictionary attack 251
provisioning 95 rainbow tables 251
Software DIGIPASS Registration 92 password replacement 128
Login Permutations 208 Password Synchronization Manager 43
PCI-DSS 46
M PEAP 36
performance monitoring 138
manual configuration 132
master domain 50, 126
Message Delivery Component 127, 168
Microsoft Point-to-Point Encryption (MPPE) 74, 79

IDENTIKEY Appliance 3.18 – Product Guide

 Index

Index

PIN S
DIGIPASS authenticators with keypads 21
Server PIN 60 Secure Auditing 163-164
plugins Self-Assignment 199
performance monitoring 140 serial number 17, 27, 45, 70, 86, 101-102, 104, 111, 133, 147,
policy 128 199
Policy server component 128
base policy vs. Base Policy, definition 218-219 Server PIN 60
parentless policy 218-219 Server PIN reset 60
Primary Account Number 121 Server PIN reset, Auto-Assignment and Self-Assign-
Primary Virtual DIGIPASS 26 ment 60, 70, 198
protocols Signature
RADIUS (supported) 79 time/event-based 202
provisioning 95 types of DIGIPASS 20
Provisioning simple name resolution 50
DP110 109 site awareness, Active Directory back-end authentication 74
proxy server 46 SOAP 128
Push Notification Software DIGIPASS 24
authentication method 30 delivery 88
DIGIPASS App 25 DP110 109
DIGIPASS Gateway 65 registration 91
software provisioning 32
R static password 128
static passwords 32, 37, 40, 42, 90, 96, 103, 128, 192-193, 225,
RADIUS 33, 128
250
as a back-end server 36
statistics 127
Attributes 33
Stored Static Password 72
limitations 80
strength, password 192
securing connections 41, 113, 116, 187, 215
sysadmin
supported protocols 79
resetting 129
rainbow tables 251
resetting password 127
recent DIGIPASS activity 149
system action 127
recent user activity 148
restart 127
registration of Software DIGIPASS 91
shut down 127
remote support 127
System Monitoring
replication 127
configuration via configuration interfaces 142
Replication
events to be monitored 144
forwarding entries 184
filters 142
monitoring 185
process 182 T
queue 183
reporting 128 Time-based DIGIPASS Applications 202
features and settings 228
Rescue Tool 128 U
Response-Only
time/event-based 202 update 127
types of DIGIPASS 20 upgrading licenses 136
User Account
DIGIPASS 187
User Account Lookup and Checks 85

IDENTIKEY Appliance 3.18 – Product Guide

 Index

Index

user authentication
overview 47
User Dashboard 146
UTF-8
encoding 81

V
VACMAN Controller 16
Verification Tool
Secure Auditing 163-164
view audit information 150
Virtual DIGIPASS 26
Backup Virtual DIGIPASS Usage Guidelines 207
limiting usage 207
login options 208
Primary and Backup 26

W
Web Basic Authentication 81
Windows Group Check 51, 54, 57, 71, 86, 92, 117, 220
wireless RADIUS 35, 233

IDENTIKEY Appliance 3.18 – Product Guide