Configuring CA Auth ID OTP (EMV-Compliant) Settings
This page describes configuring the Auth ID OTP (EMV-Compliant) settings for CA Strong Authentication.
Configuring CA Auth ID OTP (EMV-Compliant) Issuance Profile
A CA Auth ID OTP-EMV profile can be used to specify the following attribute for CA Auth ID OTPs that are compliant with the Europay, MasterCard, and VISA (EMV) protocol:
- Validity period: The period for which a CA Auth ID OTP-EMV is valid.
By configuring a CA Auth ID OTP-EMV profile and assigning it to one or more organizations, you can control the characteristics of CA Auth ID OTP-EMV credentials that are issued to users of those organizations. Use the CA Mobile OTP-EMV Profiles page to create CA Auth ID OTP-EMV credential profiles.
To configure a CA Auth ID OTP-EMV profile, you first create account types.
Follow these steps:
- Click the Services and Server Configurations tab on the main menu.
- Verify that the CA Strong Authentication tab in the submenu is active.
- Under the CA Auth ID OTP-EMV section, click the Issuance link to display the CA Auth ID OTP-EMV Profiles page.
- Edit the fields in the Profile Configurations section, as required.
- Create: To create a new profile:
- Select the Create option.
- Specify the Configuration Name of the new profile in the field that appears.
- Update: To update an existing profile, select the profile that you want to update from the Select Configuration list that appears.
- Copy Configuration: Enable this option if you want to create the profile by copying the configurations from an existing profile. Note: You can also copy from configurations that belong to other organizations that you have scope on.
- Available Configurations: Select the profile from which the configurations are copied.
- Account Type: Specify the account type that was used for creating the CA Auth ID OTP-EMV credential.
- Attribute For PAN Sequence: Specify the Primary Account Number (PAN) sequence that helps to differentiate two cards with the same PAN. For example, a card that is reissued after the expiry might have the same PAN but a different sequence number. To add a PAN sequence, add custom attributes while configuring account types. See "Configuring the Account Type". To assign a PAN sequence to a user in the organization, edit the user account to add values for the custom attribute. See "Creating Account IDs". This value is included in the card string. The custom attribute value is not mandatory. If it is not provided, then 00 is used by default.
- Logo URL: Enter the URL that contains the logo, which is displayed on the client device that uses EMV OTP for authenticating to CA Strong Authentication-protected applications.
- Display Name: Enter the name that is used to display the EMV OTP on the client device. You can either enter a fixed string or pass the following user variables as $$(<variable>)$$:
- user name (userName)
- organization name (orgName)
- credential custom attributes
- user custom attributes
- Validity Start Date: Set the date from when the issued CA Auth ID OTP credential is valid. The validity can start from either the date when this credential is created or you can specify a custom date.
- Validity End Date: Set the date when the CA Auth ID OTP expires. You can use the following options to set the expiration date:
- Specify the duration
- Specify a custom date
- Choose the Never Expires option if you want the CA Auth ID OTP not to expire.
- Expand the Advanced Configurations section by clicking the [+] sign.
- In the Custom Attributes section, specify any extra information in the Name-Value pair format. For example, the organization information that plug-ins can use.
- In the Custom Card Attributes section, specify the additional information that you want to add to the CA Auth ID OTP-EMV card.
- Set the following values in the User Validations section:
- Select the User Active option if you want to verify the user status for the following operations involving the current credential:
- Create credential
- Reissue credential
- Reset credential
- Reset validity of the credential
- Select the User Attribute option if you want to verify whether the user attribute matches certain values. You can set the value for the following user attributes:
- Date when the user was created
- Date when the user details were modified
- Email address
- First name
- Middle name
- Last name
- User status
- Telephone number
- Unique user identifier
The user attribute check feature is available only if you are performing configurations at the organization level.
- In the Multiple Credential Options section, enter the description to identify the purpose for which the EMV OTP is used in the Usage Type field. For example, a user can have a temporary credential to perform a remote login to the network; the usage type for this credential can be temporary.
- Click Save to create or update the EMV OTP profile.
- Refresh all deployed CA Strong Authentication Server instances.
Configuring CA Auth ID OTP (EMV-Compliant) Authentication Policy
A CA Auth ID OTP-EMV policy can be used to specify the following authentication-related attributes for CA Auth ID OTPs that are EMV-compliant:
- User status: The status of the user, which can be active or inactive. If the user status check is enabled, then the authentication for users in inactive state results in failure.
- Lockout criteria: The number of failed attempts after which the user credential is locked.
- Unlocking criteria: The number of hours after which a locked credential can be used again.
Follow these steps:
- Click the Services and Server Configurations tab on the main menu.
- Verify that the CA Strong Authentication tab in the submenu is active.
- Under the CA Mobile OTP-EMV section, click the Authentication link to display the CA Mobile OTP-EMV Authentication Policy page.
- Edit the fields in the Policy Configuration section, as required.
- Create: To create a new policy:
- Select the Create option.
- Specify the Configuration Name of the new policy in the field that appears.
- Update: To update an existing policy, select the policy that you want to update from the Select Configuration list that appears.
- Copy Configuration: Enable this option if you want to create the policy by copying the configurations from an existing policy. Note: You can also copy from configurations that belong to other organizations that you have scope on.
- Available Configurations: Select the policy from which the configurations are copied.
- Authentication Look Ahead Count: Enter the number of times the CA Auth ID OTP-EMV counter on the CA Strong Authentication Server is increased to verify the CA Auth ID OTP-EMV entered by the user. The CA Auth ID OTP-EMV entered by the user is compared with all the CA Auth ID OTPs that are generated from (current count - Authentication Look Back Count) to (current count + Authentication Look Ahead Count) on the server. If the CA Auth ID OTP-EMV entered by the user matches, then the user is authenticated. Note: If the client and server CA Auth ID OTP-EMV match, then that count is set as the current count on the server.
- Authentication Look Back Count: Enter the number of times the CA Auth ID OTP-EMV counter on the CA Strong Authentication Server is decreased to verify the CA Auth ID OTP-EMV entered by the user. The CA Auth ID OTP-EMV entered by the user is compared with all the CA Auth ID OTPs that are generated from (current count - Authentication Look Back Count) to (current count + Authentication Look Ahead Count) on the server. If the CA Auth ID OTP-EMV entered by the user matches, then the user is authenticated. Note: If the client and server CA Auth ID OTP-EMV match, then that count is set as the current count on the server.
- Synchronization Look Ahead Count: Enter the number of times the CA Auth ID OTP-EMV counter on the CA Strong Authentication Server is increased to synchronize with the CA Auth ID OTP-EMV counter on the client device. To synchronize the client and the server CA Auth ID OTPs, the user has to provide two consecutive CA Auth ID OTPs. If these CA Auth ID OTPs match the consecutive server CA Auth ID OTPs in the lookup range (count - Synchronization Look Back Count to current count + Synchronization Look Ahead Count), then the server counter is synchronized with the count corresponding to the second CA Auth ID OTP-EMV entered by the user.
- Synchronization Look Back Count: Enter the number of times the CA Auth ID OTP-EMV counter on the CA Strong Authentication Server is decreased to synchronize with the CA Auth ID OTP-EMV counter on the client device. To synchronize the client and the server CA Auth ID OTPs, the user has to provide two consecutive CA Auth ID OTPs. If these CA Auth ID OTPs match the consecutive server CA Auth ID OTPs in the lookup range (count - Synchronization Look Back Count to current count + Synchronization Look Ahead Count), then the server counter is synchronized with the count corresponding to the second CA Auth ID OTP-EMV entered by the user.
- Lockout Credential After: Specify the number of failed attempts after which the CA Auth ID OTP-EMV is locked.
- Check User Status Before Authentication: Select this option if you want to verify whether the user status is active, before authenticating them.
- Expand the Advanced Configurations section by clicking the [+] sign.
- Edit the fields in the section, as required.
- Issue Warning: Specify the number of days before the warning is sent to the calling application about the user's impending credential expiration.
- Allow Successful Authentication: Specify the number of days for which the users can use an expired credential to log in successfully.
- Enable Automatic Credential Unlock: Select this option if you want the credential to be automatically unlocked after the time you specify in the following field. This field is valid only if you specify the corresponding value in the Lockout Credential After field.
- Unlock After: Specify the number of hours after which a locked credential can be used again for authentication.
- Alternate Processing Options: The CA Strong Authentication Server acts as a proxy and passes the authentication requests to other authentication servers, based on the following conditions:
- User Not Found: If the user trying to authenticate is not present in the CA Strong Authentication database, then the request is passed to the other server.
- Credential Not Found: If the credential with which the user is trying to authenticate is not present in the CA Strong Authentication database, then the request is passed to the other server.
- Usage Type for Verification: If you want the users to authenticate with the particular CA Auth ID OTP-EMV credential, then enter the name of its usage type in this field. If you do not specify the usage type, then the usage type that is mentioned in the default CA Auth ID OTP-EMV authentication policy is used.
- Click Save.
- Refresh all deployed CA Strong Authentication Server instances.
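The look-ahead, look-back, synchronization and lockout settings above can be seen working in the following Python sketch. It is an added example, not CA Strong Authentication code: RFC 4226 HOTP stands in for the EMV OTP computation, which this page does not describe, and the class, its method names and the refusal of already-accepted counts are assumptions.

```python
import hashlib
import hmac
import struct

def otp(key: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226 HOTP stands in for the EMV OTP computation (assumption).
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class ServerCredential:
    """Hypothetical server-side record: current count, failures, lock state."""

    def __init__(self, key: bytes, count: int = 0, lockout_after: int = 3):
        self.key, self.count, self.lockout_after = key, count, lockout_after
        self.failures, self.locked = 0, False
        self.used = set()  # accepted counts; refusing reuse is an assumption

    def _window(self, back: int, ahead: int) -> range:
        # current count - look back ... current count + look ahead, inclusive
        return range(max(0, self.count - back), self.count + ahead + 1)

    def _match(self, counter: int, entered: str) -> bool:
        return hmac.compare_digest(otp(self.key, counter), entered)

    def authenticate(self, entered: str, look_back: int, look_ahead: int) -> bool:
        if self.locked:
            return False
        for c in self._window(look_back, look_ahead):
            if c not in self.used and self._match(c, entered):
                self.count, self.failures = c, 0  # matched count becomes current
                self.used.add(c)
                return True
        self.failures += 1
        self.locked = self.failures >= self.lockout_after  # Lockout Credential After
        return False

    def synchronize(self, first: str, second: str, look_back: int, look_ahead: int) -> bool:
        # Two consecutive OTPs must match consecutive server values in the range.
        for c in self._window(look_back, look_ahead):
            if self._match(c, first) and self._match(c + 1, second):
                self.count = c + 1  # count of the second OTP entered
                self.used.update((c, c + 1))
                return True
        return False

KEY = b"12345678901234567890"  # constructed sample key (RFC 4226 test secret)
```

Each extra count in the authentication window is one more code the server accepts per attempt, so the window sizes and the Lockout Credential After value are best chosen together.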