Local authentication
Local authentication refers the process of OneSpan Authentication Server authenticating a user based on information in its data store. Typically the authenticator OTP is required, but in other cases a static password may be sufficient.
The Local Authentication policy setting indicates whether to perform local authentication, and if so, whether a static password is permitted. This setting can be overridden by the same setting in the user account, unless that has the value Default. However, the setting in the user account would typically be used only for rare special case users.
The Local Authentication policy setting is relevant for software authenticator provisioning (see Software authenticator provisioning).
Using Windows group check in back-end mode, the local authentication setting can be overridden. If a user is not a member of the listed groups, local authentication will not be performed.
The possible values for local authentication are:
Default
Local authentication is handled as configured in settings inherited from the parent policy. For more information about policies, see Policy inheritance.
None
Local authentication will not take place.
DIGIPASS/Password during Grace Period
A one-time password or static password may be verified. The users can authenticate with their static passwords until they start to use an authenticator. The grace period of the authenticator expires the first time an OTP is used to authenticate, unless it has been set manually to expire prior to that. It also expires after a successful MDL activation, either using an OTP or a signature validation. After the grace period has expired, the user can only authenticate with the authenticator.
DIGIPASS or Password
This authentication mode allows users to permanently use their static password or their authenticator. This is possible even after the grace period has expired and/or they have previously already used their authenticator for authentication. The grace period also expires after a successful MDL activation, either using an OTP or a signature validation. In the context of the authentication scenario, use of this authentication mode is subject to licensing. For provisioning, this authentication mode is license-free.
Digipass Only
A one-time password must be verified. Users without an authenticator will not be able to authenticate. However, self-assignment is still possible, as an OTP is used as part of the process.
It is also possible to configure user-specific policy settings for local authentication. These settings will override those set by the parent policy