Assigning authenticators to users

Authenticators may be assigned to users in a number of ways, depending on the requirements of your company. For example, for a company with only a few user accounts, manual assignment may suffice. A larger company that needs to distribute large numbers of authenticators may find it easier to simply distribute the authenticators and require each user to go through a self-assignment process.

For both assignment modes, a grace period is typically set, which allows a number of days during which users may still log on using only their static password. After the grace period has expired, depending on the Local Authentication settings in the relevant policy, users can either continue to use their static password or their authenticator (DIGIPASS or Password), or must use only the authenticator (DIGIPASS/Password during Grace Period or DIGIPASS Only) to log on. The grace period expires automatically when a one-time password (OTP) is used to authenticate for the first time, i.e. after the OTP has been successfully validated (unless it has been set manually in the relevant policy to expire before that). It also expires after a successful MDL activation, using either an OTP or a signature validation. For more information, see Local authentication and Grace period.

Authenticator records must be imported into the data store before being assigned to users.

Resetting the server PIN is also possible during authenticator assignment. When using self-assignment or auto-assignment for authenticators, the users can reset their server PIN. If Assignment Mode is set to Self-Assignment-Pin-Reset or Auto-Assignment-Pin-Reset, the server PIN is automatically reset. This is an optional feature and does not require any further administrator action, once the option has been enabled in the authenticator properties and/or the relevant policy settings.

Via the policy settings, you can restrict the maximum number of assigned authenticators per user for specific authenticator types to the number of devices actually needed. If you need to provide more than one authenticator to your users, limit the number so that not too many authenticators (and/or instances) are assigned to or activated for a single user. The higher the number of authenticators assigned to a single user, the higher the chances of successful OTP guessing attacks!
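To put numbers on that last point when sizing the per-user limit, the following added example (not OneSpan code) computes the chance that a guessed OTP is accepted as the number of assigned authenticators grows. The OTP length, acceptance window, and lockout threshold are assumed values for illustration, not product defaults.

```python
from fractions import Fraction


def guess_success(n_auth, digits=6, window=1, attempts=1):
    """Probability that at least one of `attempts` distinct guesses is accepted
    by at least one of `n_auth` authenticators assigned to the same user.

    Assumed model (not product behaviour): every authenticator accepts
    `window` distinct, uniformly random codes out of 10**digits, and the
    account locks after `attempts` failed logons.
    """
    space = 10 ** digits
    if attempts + window > space:          # guesses must hit a valid code
        return Fraction(1)
    miss_one = Fraction(1)                 # all guesses miss ONE authenticator
    for j in range(attempts):
        miss_one *= Fraction(space - window - j, space - j)
    return 1 - miss_one ** n_auth          # authenticators are independent


def max_authenticators_within(budget, limit=50, **model):
    """Largest per-user authenticator count whose risk stays <= budget."""
    n = 0
    while n < limit and guess_success(n + 1, **model) <= budget:
        n += 1
    return n


if __name__ == "__main__":
    # Constructed policy values for illustration only.
    model = dict(digits=6, window=3, attempts=5)
    for n in (1, 2, 3, 5, 10):
        print(f"{n:2d} authenticator(s): {float(guess_success(n, **model)):.2e}")
    print("max within 5e-5:", max_authenticators_within(Fraction(5, 10**5), **model))
```

For small probabilities the risk grows almost linearly with the number of assigned authenticators, so each extra authenticator adds roughly one more authenticator's worth of guessing risk per lockout cycle.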

Self-assignment (Overview)

Users can assign an authenticator themselves via self-assignment. With self-assignment, the user must log on and include the serial number, static password, and one-time password (OTP). This informs OneSpan Authentication Server of the assignment. If the user enters the details correctly, OneSpan Authentication Server will link the authenticator record and the user account. A grace period is not used for this method.

Self-assignment process

  1. The user account is created manually by an administrator or automatically by OneSpan Authentication Server during Dynamic User Registration (DUR).
  2. The authenticator is sent to the user.
  3. The user receives the authenticator.
  4. The user authenticates using the following:

    • The authenticator serial number
    • The current static password
    • An OTP generated by the authenticator
  5. OneSpan Authentication Server recognizes self-assignment logon.
  6. OneSpan Authentication Server verifies the authenticator serial number, static password, and OTP.
  7. OneSpan Authentication Server assigns the authenticator with the corresponding serial number to the user.

Auto-assignment (Overview)

With Dynamic User Registration (DUR), OneSpan Authentication Server performs auto-assignment. OneSpan Authentication Server selects a random authenticator and assigns it to the new user account as it is created. The authenticator will then be delivered to the user.

If maker–checker authorization is enabled, assigning an authenticator requires the approval of a checker administrator. In that case, auto-assignment is not available.

Auto-assignment process

  1. A new user account is created automatically by OneSpan Authentication Server during Dynamic User Registration (DUR).
  2. OneSpan Authentication Server randomly selects an available authenticator to prevent collisions during parallel assignment of authenticators.
  3. OneSpan Authentication Server assigns the authenticator.
  4. OneSpan Authentication Server sets a grace period.
  5. The authenticator is sent to the user.
  6. The user authenticates with the static password during the grace period.
  7. The user receives the authenticator.
  8. The user authenticates with an OTP.

    The grace period ends automatically.

Manual assignment (Overview)

With manual assignment, selected authenticators are manually assigned to specific user accounts. The authenticators must then be sent to the users.

Manual assignment process

  1. A new user account is created manually by an administrator, or automatically by OneSpan Authentication Server during Dynamic User Registration (DUR).
  2. The administrator assigns an authenticator to the user and sets a grace period.
  3. The authenticator is sent to the user.
  4. The user authenticates with the static password during the grace period.
  5. The user receives the authenticator.
  6. The user authenticates with an OTP.

    The grace period ends automatically.