Configuring CA Auth ID OTP (OATH-Compliant) Settings

This page describes how to configure the CA Auth ID OTP (OATH-Compliant) settings in CA Strong Authentication.
Configuring CA Auth ID OTP (OATH-Compliant) Issuance Profile
A CA Auth ID OTP-OATH profile can be used to specify the following attributes for CA Auth ID OTPs that are compliant with OATH standards.
  • Length
    : The length of the CA Auth ID OTP
  • Validity period
    : The period for which a CA Auth ID OTP is valid.
By configuring a CA Auth ID OTP-OATH profile and assigning it to one or more organizations, you can control the characteristics of the CA Auth ID OTP credentials that are issued to their users. Use the CA MobileOTP Profiles page to create CA MobileOTP credential profiles.
Follow these steps:
  1. Click the Services and Server Configurations tab on the main menu.
  2. Verify that the CA Strong Authentication tab in the submenu is active.
  3. Under the CA Mobile OTP-OATH section, click the Issuance link to display the CA Mobile OTP-OATH Profiles page.
  4. Edit the fields in the Profile Configurations section, as required.
    • Create
      To create a new profile:
      • Select the Create option.
      • Specify the Configuration Name of the new profile in the field that appears.
    • Update
      To update an existing profile, select the profile to update from the Select Configuration list that appears.
    • Copy Configuration
      Enable this option if you want to create the profile by copying the configurations from an existing profile.
      Note: You can also copy from configurations that belong to other organizations that you have scope on.
    • Available Configurations
      Select the profile from which the configurations are copied.
    • Token Type
      Select the type of CA Auth ID OTP that must be created for the user. HOTP represents counter-based tokens and TOTP represents time-based tokens.
    • Length
      Set the length of a CA Auth ID OTP.
      The minimum length is six characters (the default) and the maximum length is eight characters.
    • Time Step
      The time interval, in seconds, during which the OTP generated by the client is the same as the OTP generated by the server. A larger time step allows the two OTPs to match for a longer period. In other words, a larger time step can accommodate a longer delay in receipt of the OTP from the client.
      You can enter any value from 1 to 300. The default is 30.
      Note: This option is applicable only for TOTP-based (time-based) CA Auth ID OTPs.
    • Logo URL
      Enter the URL of the logo to display on the client device that uses CA Auth ID OTP for authenticating to CA Strong Authentication-protected applications.
    • Display Name
      Enter the name that is used to display the CA Auth ID OTP on the client device. You can either enter a fixed string or pass the following user variables as $$(<variable>)$$:
      • user name (userName)
      • organization name (orgName)
      • credential custom attributes
      • user custom attributes
    • Validity Start Date
      Set the date from when the issued CA Auth ID OTP credential is valid.
      The validity can start either from the date when this credential is created or from a custom date that you specify.
    • Validity End Date
      Set the date when the CA Auth ID OTP expires.
      Use any of the following options to set the expiration date:
      • Specify the duration
      • Specify a custom date
      • Choose the Never Expires option if you do not want the CA Auth ID OTP to expire.
  5. Expand the Advanced Configurations section by clicking the [+] sign.
  6. In the Custom Attributes section, specify any extra information in the Name-Value pair format, for example, organization information that plug-ins can use.
  7. In the Custom Card Attributes section, specify the additional information that you want to add to the CA Auth ID OTP-OATH card. These custom attributes are available as part of the card string.
  8. Set the following values in the User Validations section:
    • Select the User Active option if you want to verify the user status for the following operations involving the current credential:
      • Create credential
      • Reissue credential
      • Reset credential
      • Reset validity of the credential
    • Select the User Attribute option if you want to verify whether the user attribute matches certain values. You can set the value for the following user attributes:
      • Date when the user was created
      • Date when the user details were modified
      • Email address
      • First name
      • Middle name
      • Last name
      • User status
      • Telephone number
      • Unique user identifier
      The user attribute check feature is available only if you are performing configurations at the organization level.
  9. In the Multiple Credential Options section, enter the description that identifies the purpose for which the CA Auth ID OTP is used in the Usage Type field. For example: A user gets a temporary credential to perform a remote login to the network. The usage type for this credential can be temporary.
  10. Click Save to create or update the CA Auth ID OTP profile.
  11. Refresh all deployed CA Strong Authentication instances.
Configuring CA Auth ID OTP (OATH-Compliant) Authentication Policy
A CA Auth ID OTP-OATH policy can be used to specify the following authentication-related attributes for CA Auth ID OTPs that are OATH-compliant:
  • User status
    : The status of the user, which can be active or inactive.
    If the user status check is enabled, then authentication fails for users in the inactive state.
  • Lockout criteria
    : The number of failed attempts after which the user credential is locked.
  • Unlocking criteria
    : The number of hours after which a locked credential can be used again.
Follow these steps:
  1. Click the Services and Server Configurations tab on the main menu.
  2. Verify that the CA Strong Authentication tab in the submenu is active.
  3. Under the CA Mobile OTP-OATH section, click the Authentication link to display the CA Mobile OTP-OATH Authentication Policy page.
  4. Edit the fields in the Policy Configuration section, as required.
    • Create
      To create a new policy:
      • Select the Create option.
      • Specify the Configuration Name of the new policy in the field that appears.
    • Update
      To update an existing policy, select the policy that you want to update from the Select Configuration list that appears.
    • Copy Configuration
      Enable this option if you want to create the policy by copying the configurations from an existing policy.
      Note: You can also copy from configurations that belong to other organizations that you have scope on.
    • Available Configurations
      Select the policy from which the configurations are copied.
    • Authentication Look Ahead Count 
      Enter the number of times the CA Auth ID OTP counter on the CA Strong Authentication Server is increased to verify the CA Auth ID OTP entered by the user. The CA Auth ID OTP entered by the user is compared with all the CA Auth ID OTPs that are generated from current count - Authentication Look Back Count to current count + Authentication Look Ahead Count on the server, and if the CA Auth ID OTP entered by the user matches, then the user is authenticated.
      Note: If the client and server CA Auth ID OTPs match, then that count is set as the current count on the server.
    • Authentication Look Back Count
      Enter the number of times the CA Auth ID OTP counter on the CA AuthMinder Server is decreased to verify the CA Auth ID OTP entered by the user.
      The CA Auth ID OTP entered by the user is compared with all the CA Auth ID OTPs that are generated from current count - Authentication Look Back Count to current count + Authentication Look Ahead Count on the server, and if the CA Auth ID OTP entered by the user matches, then the user is authenticated.
      Note: If the client and server CA Auth ID OTPs match, then that count is set as the current count on the server.
    • Synchronization Look Ahead Count 
      Enter the number of times the CA Auth ID OTP counter on the CA Strong Authentication Server is increased to synchronize with the CA Auth ID OTP counter on the client device.
      To synchronize the client and the server CA Auth ID OTPs, the user has to provide two consecutive CA Auth ID OTPs and if these CA Auth ID OTPs match with the consecutive server CA Auth ID OTPs in the lookup range (count - Synchronization Look Back Count to current count + Synchronization Look Ahead Count), then the server counter is synchronized with the count corresponding to the second CA Auth ID OTP entered by the user.
    • Synchronization Look Back Count 
      Enter the number of times the CA Auth ID OTP counter on the CA Strong Authentication Server is decreased to synchronize with the CA Auth ID OTP counter on the client device.
      To synchronize the client and the server CA Auth ID OTPs, the user has to provide two consecutive CA Auth ID OTPs and if these CA Auth ID OTPs match with the consecutive server CA Auth ID OTPs in the lookup range (count - Synchronization Look Back Count to current count + Synchronization Look Ahead Count), then the server counter is synchronized with the count corresponding to the second CA Auth ID OTP entered by the user.
    • Lockout Credential After
      Specify the number of failed attempts after which the CA Auth ID OTP is locked.
    • Check User Status Before Authentication 
      Select this option if you want to verify whether the user status is active, before authenticating them.
  5. Expand the Advanced Configurations section by clicking the [+] sign.
  6. Edit the fields in the section, as required.
    • Issue Warning
      Specify the number of days before the credential expires at which a warning about the user's impending credential expiration is sent to the calling application.
    • Allow Successful Authentication
      Specify the number of days for which the users can use an expired credential to log in successfully.
    • Enable Automatic Credential Unlock
      Select this option for the credential to be automatically unlocked after the time you specify in the following field.
      This field is valid only if you specify the corresponding value in the Lockout Credential After field.
    • Unlock After
      Specify the number of hours after which a locked credential can be used again for authentication.
    • Alternate Processing Options
      The Advanced Authentication Server acts as a proxy and passes authentication requests to other authentication servers under the following conditions:
      • User Not Found: If the user trying to authenticate is not present in the Advanced Authentication database, then the request is passed to the other server.
      • Credential Not Found: If the credential with which the user is trying to authenticate is not present in the Advanced Authentication database, then the request is passed to the other server.
      For more information about how to enable this feature, see Configuring CA Strong Authentication for RADIUS.
    • Multiple Credential Options
    • Usage Type for Verification
      If you want the users to authenticate with the particular CA Auth ID OTP credential, then enter the name of its usage type in this field.
      If you do not specify the usage type, then the default usage type CA Auth ID OTP authentication policy is used.
  7. Click Save.
  8. Refresh all deployed CA Strong Authentication Server instances.
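The following Python sketch is an added example, not code from the CA documentation or product: it implements the standard HOTP/TOTP computation (RFC 4226 / RFC 6238) and shows how the Length and Time Step profile fields and the Authentication Look Ahead/Look Back and Synchronization Look Ahead/Look Back policy counts described above behave. The secret and counter values are constructed test inputs.

```python
import hashlib
import hmac
import struct

# Constructed test input (the RFC 4226 test secret), not a value from the CA documentation.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    `digits` corresponds to the profile's Length field (6 is the default, 8 the maximum)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, time_step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the current time divided by the Time Step."""
    return hotp(secret, unix_time // time_step, digits)


def verify_hotp(secret, server_count, otp, look_back, look_ahead, digits=6):
    """Authentication window: compare the submitted OTP with every server OTP from
    server_count - look_back to server_count + look_ahead (inclusive).
    Returns (matched, new_server_count); on a match the matching count becomes the
    current count, as the policy Note states. A production verifier must additionally
    refuse a counter that has already been consumed, so that a captured OTP cannot be replayed."""
    for c in range(max(0, server_count - look_back), server_count + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), otp):
            return True, c
    return False, server_count


def resync_hotp(secret, server_count, otp1, otp2, look_back, look_ahead, digits=6):
    """Synchronization window: two consecutive user OTPs must equal two consecutive
    server OTPs inside the lookup range; the server counter then moves to the count
    of the second OTP. Returns (synchronized, new_server_count)."""
    for c in range(max(0, server_count - look_back), server_count + look_ahead + 1):
        if (hmac.compare_digest(hotp(secret, c, digits), otp1)
                and hmac.compare_digest(hotp(secret, c + 1, digits), otp2)):
            return True, c + 1
    return False, server_count


if __name__ == "__main__":
    # Client drifted ahead: server at count 3, client produced the OTP for count 5.
    print(verify_hotp(SECRET, 3, hotp(SECRET, 5), look_back=2, look_ahead=3))  # (True, 5)
    # Client too far behind: count 0 lies outside the window 1..6.
    print(verify_hotp(SECRET, 3, hotp(SECRET, 0), look_back=2, look_ahead=3))  # (False, 3)
    # Resynchronization with two consecutive OTPs for counts 7 and 8.
    print(resync_hotp(SECRET, 3, hotp(SECRET, 7), hotp(SECRET, 8), 2, 5))  # (True, 8)
```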