DP Control Parameters | OneSpan Community Platform

Last modified: 2024-08-28

The POLICIES > DP Control Parameters tab shows the authenticator control parameter settings of the policy.

Table: POLICIES – DP Control Parameters tab
Field name	Description
Synchronization Windows
Identification Time Window	Controls the maximum allowed number of time step variations between an authenticator and the host system during logon. This only applies to time-based authenticator applications when verifying a one-time password (OTP). The Dynamic Time Window option may be used to allow more variation according to the length of time since the last successful logon. Default value: 20. If this setting is not specified, the default value applies.
Signature Time Window	Controls the maximum allowed number of time step variations between an authenticator and the host system during digital signature verification. This only applies to time-based authenticator applications when validating a signature, but even then it may be used or not according to the online signature level setting. The Dynamic Time Window option may be used to allow more variation according to the length of time since the last successful logon. Default value: 24. If this setting is not specified, the default value applies.
Initial Time Window	When an authenticator is used for the first time, OneSpan Authentication Server calculates the initial deviation between the authenticator time and the server time. This option controls the maximum allowed time variation between an authenticator and the host system, the first time that the authenticator is used. The time is specified in hours. This Initial Time Window is also used directly after a Reset Application operation, which can be used if it appears that the internal clock in the authenticator has drifted too much since the last successful logon. This only applies to time-based authenticators when verifying an OTP. In either case, after the first successful logon, the initial time window is no longer active. Default value: 6. If this setting is not specified, the default value applies.
Avoid Initial Time Synchronization	This option allows you to avoid the initial time shift initialization on the server side (based on Initial Time Window). Possible values: Default. Use the setting of the parent policy. No. The initial time synchronization is never omitted. OneSpan Authentication Server handles the time shift for all authenticator types. Software DIGIPASS only. This avoids the initialization for time-based software authenticators on the server side. This can be useful, because the time shift is usually handled by the mobile app, so it can be omitted on the server side. For hardware authenticators the time shift is still handled on the server side. Default value: Software DIGIPASS only
Event Window	Controls the maximum allowed number of event variations between an authenticator application and the host system during login. This only applies to event-based authenticator applications and always applies for OTP verification. For signature validation, it depends on the online signature level setting whether the event window is used or not. Default value: 20. If this setting is not specified, the default value applies.
Locking Thresholds
Identification Threshold	Specifies the number of consecutive failed authentication attempts allowed before the authenticator application will be locked from future authentication attempts. Once the authenticator application is locked, the Reset Appl Lock command is required to unlock it for further authentication. This locking mechanism is separate from the User Lock Threshold and is normally not necessary. It only applies when a single authenticator application can be used for a logon, either because the user only has one authenticator with one application, or because the policy restrictions narrow the list down to one authenticator application. If policy restrictions are used in this way, the identification threshold can be used to lock users out of one logon type (e.g. a VPN) while still permitting them to use another type (e.g. a web application). If this setting is not specified, this feature is not used.
Signature Threshold	Specifies the number of consecutive failed signature validation attempts allowed before the authenticator application will be locked from future signature validation attempts. Once the authenticator application is locked, the Reset Appl Lock command is required to unlock it for further signature validation. This locking mechanism is separate from the User Lock Threshold and is normally not necessary. It only applies when a single authenticator application can be used for a signature validation, either because the user only has one authenticator with one application, or because the policy restrictions narrow the list down to one authenticator application. If policy restrictions are used in this way, the identification threshold can be used to lock users out of one signature validation type while still permitting them to use another type. If this setting is not specified, this feature is not used.
Max. Days Since Last Use	This setting specifies the maximum number of days for which an authenticator application can remain unused for authentication or signature validation. After this limit, authentication and signature validation will be rejected until an administrator performs a Reset Application operation. If this setting is not specified, this feature is not used.
Challenge Check Mode	This setting is for advanced control over time-based Challenge/Response authentication. Possible values: 0. The challenge is not checked at all. This is necessary for 1-step Challenge/Response. 1. The challenge presented for verification must be the last one that was generated specifically for that authenticator. This is the normal mode of operation in 2-step Challenge/Response. 2. The challenge presented for verification is ignored. Instead, the last one that was generated specifically for that authenticator is used. 3. Only one verification is permitted per time step. This option only applies to time-based Challenge/Response procedures. This is a method of avoiding a potential replay of a captured response if the same challenge comes up again in the same time step. 4. If the same challenge and response are presented for verification twice in a row during the same time step, they are rejected. This is an advanced method of avoiding a potential replay of a capture Challenge/Response. Default value: 1. This should be used for standard RADIUS Challenge/Response. It is also the value that applies if this setting is not specified.
Online Signature Level	This setting is for advanced control of signature validation. Possible values: 0. The signature is validated in offline mode. This is useful if the signatures may not be validated in the same sequence as they were generated by the user. It is also useful when there may be some delay after the signature is generated by the user, before the signature is validated. For time-based authenticator applications: This mode is typically used with a large time step. When this mode is used, no clock synchronization occurs between the authenticator and OneSpan Authentication Server. OneSpan Authentication Server will not reject a signature that is older than the most recently validated signature, provided it is still within the signature time window. For event-based authenticator applications: When this mode is used, OneSpan Authentication Server will not reject a signature that is older than the most recently validated signature, provided it is still within the event window. 1. The signature is validated in online mode. This is useful if the signatures are expected or required to be validated immediately after they are generated. For time-based authenticator applications: This mode is typically used with a small time step. When this mode is used, clock synchronization occurs between the authenticator and OneSpan Authentication Server. OneSpan Authentication Server will reject a signature that is older than the most recently validated signature. A newer signature must be within the signature time window. This mode will allow more than one signature to be validated in the same time step, provided that the same exact signature is not repeated twice in a row. For event-based authenticator applications: When this mode is used, OneSpan Authentication Server will reject a signature that is older than the most recently validated signature. A newer signature must be within the event window. 2. The signature is validated in strict online mode. This is useful for time-based signatures when you want to prevent more than one signature from the same time step from being validated. Otherwise, this mode is the same as online mode. 3. The signature is validated using the deferred event count. This mode only applies to event-based signatures. For each signature validation request, the deferred event count must be supplied as a parameter. Default value: 0. This can be used for authenticator applications that are neither time- nor event-based. This is the built-in default value if the setting is not specified at all.