Grace period
Each authenticator can be granted a grace period when it is assigned to a user account. The grace period is the default period (in days) between the time an authenticator is assigned (manually or via auto-assignment) and the time the user has to start using the authenticator to log on (if applicable). It allows some time for users to continue using their static passwords before they receive the authenticator and learn how to use it. The grace period expires automatically when a one-time password (OTP) is used to authenticate for the first time, i.e. after the OTP has been successfully validated (if it has not been set manually to expire prior to that in the relevant policy). It also expires after a successful MDL activation, either using an OTP or a signature validation.
The grace period can be set during manual administrative assignment of authenticator records as well as during auto-assignment. The grace period does not apply to self-assignment, because the user must use the authenticator to complete the assignment process.
Grace periods and local authentication
Local authentication and grace period handling influence each other:
- The grace period does not apply if the local authentication mode in a policy is set to Digipass Only.
- If local authentication in the relevant policy is set to DIGIPASS/Password during Grace Period, the users can authenticate with their static passwords until the grace period has expired. Afterward they can only authenticate with their authenticators.
- If local authentication is set to DIGIPASS or Password, the users can choose to use either their static password or their authenticator, even if they have already used their authenticator, independent of grace period restrictions.
Grace periods and policy restrictions
Because an applied policy might restrict which authenticator can be used during a login request, the grace periods of the authenticators are independent of each other. This means that if a user is assigned two authenticators, each one with a grace period of seven days, the user may log in using one authenticator within the seven-day period (ending the grace period for that authenticator) without affecting the grace period of the other one.
Consider a company that has set up policies requiring a Response-Only logon via the local area network, and a Challenge/Response logon via the internet that is limited to certain employees. The local authentication mode is set to DIGIPASS/Password during Grace Period.
Jane has two authenticators assigned to her: a Digipass 300 with the Challenge/Response application enabled and a Digipass GO 7 with a Response-Only application. Both authenticators are assigned to her on Tuesday. Jane receives her Digipass GO 7 on Friday and immediately uses an OTP to log on. The grace period for her Digipass GO 7 ends at that moment. From then on she must use the Digipass GO 7 when logging into the intranet from the LAN.
Over the weekend, Jane needs to access the company intranet from home. Because a Challenge/Response logon is required via the internet and she does not yet have her Digipass 300 authenticator, she uses only her user ID and static password to log on. As she is still within the grace period for her Digipass 300, the logon is valid.
If OTP validation fails during the grace period, the static password is verified. For more information about static password verification during an authentication attempt, see Back-end authentication.
The password is compared against the password stored in the user account:
- If the static password is valid, local authentication succeeds. However, the logon request can still fail if back-end authentication is enabled and fails.
- If the user account does not have a password set, the password has to be verified via back-end authentication. If the user account does not have a password set but back-end authentication is disabled, grace period password logons will not work.
- If the passwords do not match and back-end authentication is enabled, the password will be verified via back-end authentication.
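The decision rules described above (local authentication mode, a grace period that belongs to one authenticator, and the static-password fallback with its back-end handling), written out as an added illustrative model in Python. This is not the product's own code: OTP validation is replaced by a constructed set of accepted values, and the policy is assumed to have already selected the single authenticator that applies to the login request.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

class LocalAuth(Enum):
    """Local authentication modes a policy can select (names as on the page)."""
    DIGIPASS_ONLY = "Digipass Only"
    DIGIPASS_PASSWORD_DURING_GRACE = "DIGIPASS/Password during Grace Period"
    DIGIPASS_OR_PASSWORD = "DIGIPASS or Password"

@dataclass
class Authenticator:
    name: str
    grace_end: Optional[datetime]  # None once the grace period has expired
    valid_otps: set                # constructed stand-in for real OTP validation

@dataclass
class User:
    password: Optional[str]        # None = no static password stored in the account

def assign(name, assigned_at, grace_days, otps):
    """Grace period starts at (manual or auto-) assignment and lasts grace_days."""
    return Authenticator(name, assigned_at + timedelta(days=grace_days), set(otps))

def authenticate(user, auth, credential, now, mode, backend_enabled, backend_verify=None):
    """Decide one login request against the single authenticator the policy allows."""
    # 1. OTP first. A first successful OTP ends this authenticator's grace period
    #    without touching any other authenticator assigned to the user.
    if credential in auth.valid_otps:
        auth.grace_end = None
        return True, "otp"
    # 2. OTP failed: does the policy allow a static password at all right now?
    in_grace = auth.grace_end is not None and now < auth.grace_end
    if mode is LocalAuth.DIGIPASS_ONLY:
        return False, "otp required"
    if mode is LocalAuth.DIGIPASS_PASSWORD_DURING_GRACE and not in_grace:
        return False, "grace period expired, otp required"
    # 3. Static password: local comparison first, then back-end authentication if enabled.
    if user.password is not None and credential == user.password:
        if backend_enabled and not backend_verify(credential):
            return False, "local password ok, back-end rejected"
        return True, "password"
    # No local password set, or a mismatch: only back-end authentication can still accept it.
    if not backend_enabled:
        return False, ("no local password" if user.password is None else "password mismatch")
    ok = bool(backend_verify(credential))
    return ok, ("back-end accepted" if ok else "back-end rejected")
```

Running Jane's scenario through it shows the GO 7's grace period ending on Friday while the Digipass 300's password logon on Saturday still succeeds.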