POLICIES – DIGIPASS (tab)

The POLICIES > DIGIPASS tab shows the authenticator-related settings of the policy.

Table: POLICIES – DIGIPASS tab
Field name Description
DIGIPASS Assignment
Assignment Mode

Specifies the method of automated authenticator assignment that will be used for this policy, if any. There are two methods: auto-assignment and self-assignment.

  • Use auto-assignment together with Dynamic User Registration (DUR). When DUR occurs, the next available authenticator is assigned to the new user account. A grace period is set for the authenticator according to the Grace Period setting in the policy.

    If maker–checker authorization is enabled, assigning an authenticator requires the approval of a checker administrator. In that case, auto-assignment is not available.

  • Typically, self-assignment is also used with DUR, but if the user account is created first by the administrator, DUR is not necessary. In the self-assignment mode, users are able to assign themselves an authenticator by entering the serial number, a valid OTP from the authenticator, and their static password. There is no grace period associated with self-assignment, because the user has to use the authenticator to perform self-assignment.

In both cases, any applicable authenticator restrictions apply to the policy. For example, it will not be permitted to self-assign a Digipass 300 if the policy restricts the types to Digipass GO 3 and Digipass GO 1. In addition, if the user already has an authenticator assigned that meets the policy restrictions, the user will not be able to self-assign another one.

This setting is not applicable to provisioning or signature validation.

Optionally, the authenticator assignment mode settings can also allow the user to reset the server PIN, if applicable. By default, this option is disabled.

Possible values:

  • Default. Use the setting of the parent policy.
  • Auto-Assignment. Use the auto-assignment method. Do not reset the server PIN.
  • Self-Assignment. Use the self-assignment method. Do not reset the server PIN.
  • Auto-Assignment-Pin-Reset. Use the auto-assignment method and reset the server PIN during assignment.
  • Self-Assignment-Pin-Reset. Use the self-assignment method and reset the server PIN during assignment.
  • Neither. Do not use either method of automated assignment.
Grace Period (days)

The grace period is the default period (in days) between the time an authenticator is assigned (manually or via auto-assignment) and the time the user has to start using the authenticator to log on (if applicable). It allows some time for users to continue using their static passwords before they receive the authenticator and learn how to use it.

The grace period expires automatically when a one-time password (OTP) is used to authenticate for the first time, i.e. after the OTP has been successfully validated (if it has not been set manually to expire prior to that in the relevant policy). It also expires after a successful MDL activation, either using an OTP or a signature validation.

After the grace period has expired, and depending on the Local Authentication settings in the relevant policy, users can either continue to use their static password or their authenticator (DIGIPASS or Password), or must use only the authenticator (DIGIPASS/Password during Grace Period or DIGIPASS Only) to log on.

This setting does not affect manual assignment by an administrator or provisioning.

Serial No. Separator

The character (or short sequence of characters) that will be included at the end of the authenticator serial number during a self-assignment logon operation. It allows OneSpan Authentication Server to easily recognize that a self-assignment attempt is being made and extract the serial number from the credentials.

Search Upwards in Org. Unit Hierarchy

This controls the search scope for an available authenticator for auto-assignment or provisioning registration, or for a specific authenticator for self-assignment.

This setting does not affect manual assignment by an administrator.

Possible values:

  • Default. Use the setting of the parent policy.
  • No. The search scope is only the organizational unit in which the user account is located. If the user does not belong to an organizational unit, the search will look for authenticators that also do not belong to an organizational unit.
  • Yes. The search will start in the user account's organizational unit. If necessary, the search will then move upwards through the organizational unit hierarchy until it reaches the top.
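
A small model of the search scope described above, combined with the "Default" inheritance from the parent policy and the authenticator type restriction. It is an added illustration, not OneSpan code or API: the class and function names, organizational units and serial numbers are constructed, and it assumes that an unresolved Default acts as No and that "the top" is the top-level organizational unit.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:                        # hypothetical model, not a OneSpan type
    name: str
    parent: Optional["Policy"] = None
    search_upwards: str = "Default"  # "Default", "No" or "Yes"
    allowed_types: tuple = ()        # DIGIPASS Type list; empty = no restriction

@dataclass
class Authenticator:
    serial: str
    dp_type: str
    org_unit: Optional[str]          # None = belongs to no organizational unit
    assigned: bool = False

def effective_search_upwards(policy):
    """Follow "Default" up the parent policies until a policy says Yes or No."""
    while policy is not None:
        if policy.search_upwards != "Default":
            return policy.search_upwards == "Yes"
        policy = policy.parent
    return False                     # assumption: unresolved Default acts as No

def search_scope(user_ou, ou_parent, upwards):
    """Organizational units to search, nearest first."""
    scope = [user_ou]
    nxt = ou_parent.get(user_ou) if upwards else None
    while nxt is not None and nxt not in scope:   # stop at the top or on a loop
        scope.append(nxt)
        nxt = ou_parent.get(nxt)
    return scope

def next_available(policy, user_ou, ou_parent, inventory):
    """First unassigned authenticator in scope that the policy's types permit."""
    for ou in search_scope(user_ou, ou_parent, effective_search_upwards(policy)):
        for dp in inventory:
            if dp.assigned or dp.org_unit != ou:
                continue
            if policy.allowed_types and dp.dp_type not in policy.allowed_types:
                continue
            return dp
    return None                      # no permitted authenticator in scope

# Constructed sample data
OU_PARENT = {"EMEA": "Sales", "Sales": None}
INVENTORY = [Authenticator("CONSTRUCTED-0001", "Digipass 300", "EMEA"),
             Authenticator("CONSTRUCTED-0002", "Digipass GO 3", "Sales"),
             Authenticator("CONSTRUCTED-0003", "Digipass GO 3", None)]
GO_ONLY = ("Digipass GO 3", "Digipass GO 1")
BASE = Policy("base", search_upwards="Yes", allowed_types=GO_ONLY)
CHILD = Policy("child", parent=BASE, allowed_types=GO_ONLY)   # inherits Yes
STRICT = Policy("strict", parent=BASE, search_upwards="No", allowed_types=GO_ONLY)
```

With the same inventory, a user in EMEA gets an authenticator from the parent unit under CHILD but none under STRICT, because the only unassigned authenticator in EMEA is of a type the policy does not permit.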
Expiration Period (days)

The length of time in days since the initial assignment until an authenticator expires.

DIGIPASS Type Limit

This setting allows you to restrict the maximum number of assigned authenticators per user for specific authenticator types. Even if your users need more than one authenticator, you should still limit the number so that not too many authenticators (and/or instances) are assigned to or activated for a single user. For single-device licensing, it is possible to limit the number of assigned authenticators; for multi-device activation/multi-device licensing, the setting limits the number of assigned authenticator licenses and activated authenticator instances.

If the list is empty, no additional limits per authenticator type are set, except for the default limits. If specified, each item indicates the authenticator type and the maximum number of authenticators allowed for that type. If you set the limit for a specific authenticator type to 0, no instances of that authenticator type can be assigned.

If you add an item and select the type from the list, the list contains only the authenticator types currently defined in the database.

Delayed Activation
Delay Period (hours)

The delayed activation period (in hours), i.e. the time span after the activation until an activated (software) authenticator can effectively be used for authentication and signature operations.

Possible values: 0–9999

For more information about delayed activation, refer to the OneSpan Authentication Server Product Guide and the OneSpan Authentication Server Administrator Guide.

Notify user when activation process starts

Determines whether a notification should be sent to the user when an authenticator activation is delayed (delayed activation). The notification messages are scheduled to be sent via Message Delivery Component (MDC) using the delivery method specified by Delivery Method.

Notify user when activation completes

Determines whether a notification should be sent to the user when a delayed authenticator activation completes (delayed activation). The notification messages are scheduled to be sent via Message Delivery Component (MDC) using the delivery method specified by Delivery Method.

Delivery Method

Specifies the default delivery method when sending notifications for delayed activation. The notification messages are scheduled to be sent via Message Delivery Component (MDC) and use message templates specified in the global server configuration (see Table: Global Configuration – Virtual DIGIPASS tab).

Possible values:

  • Default. Use the setting of the parent policy.
  • Email. Deliver the notification message via email. The user account must have a configured email address.
  • SMS. Deliver the notification message via SMS. The user account must have a configured mobile phone number.
  • Voice. Deliver the notification message via voice channel (i.e. dictated over a phone line). The user account must have a configured mobile phone number.
Applicable DIGIPASS
Application Names

This controls which authenticator applications may be used. If the list is empty, there is no restriction. If there are one or more entries, they will indicate the application names that are permitted.

Application Type

This controls which authenticator application type (e.g. Response-Only, Challenge/Response) may be used.

Possible values:

  • Default. Use the setting of the parent policy.
  • No Restriction. Any type of authenticator application may be used.
  • Response Only. Only authenticator applications of type RO (Response-Only) or MM (multi-mode) may be used.
  • Challenge/Response. Only authenticator applications of type CR (Challenge/Response) or MM (multi-mode) may be used.
  • Signature. Only authenticator applications of type SG (Signature) or MM (multi-mode) may be used.
  • Multi-Mode. Only authenticator applications of type MM (multi-mode) may be used.
Secure Channel Support

Indicates if the authenticator application should support Secure Channel operations.

Possible values:

  • Default. Use the setting of the parent policy.
  • No. Authenticator applications that support Secure Channel are not considered.
  • Yes – Permitted. Authenticator applications that support Secure Channel are not required, but are permitted.
  • Yes – Required. Requires an authenticator application that supports Secure Channel.
DIGIPASS Type

The policy can specify a restriction on which authenticator types may be used when it is effective. If the list is empty, there is no restriction. If there are one or more entries, they indicate the authenticator types that are permitted.

Allow PIN change

Specifies whether authenticator users will be allowed to change their server PIN during authentication requests to which the current policy applies. Normally this setting is enabled, but it can be used to prevent PIN changes if required.

Multiple DIGIPASS App Validation Mode

Specifies whether OneSpan Authentication Server should authenticate a user with multiple assigned authenticator applications.

If this option is set to Single DIGIPASS, then users with multiple authenticator applications assigned cannot log in.

If there are any policy restrictions on the application type, then OneSpan Authentication Server will only detect applications of the restricted type. For more information, refer to the OneSpan Authentication Server Product Guide, Section "Multiple authenticators or authenticator applications".

Available actions

  • Edit
  • Delete