Pre-defined policies

Pre-loaded policies are created for OneSpan Authentication Server during installation and provide useful policy examples for typical environments.

The Base Policy provides globally applicable settings. In general, all other policies should inherit from it, either directly or indirectly.

Non-default settings for Base Policy are as follows:

  • Applicable DIGIPASS - Allow PIN change = Yes
  • User Lock Threshold = 3
  • Challenge Request Method = Keyword
  • Virtual DIGIPASS - Delivery Method = SMS
  • Primary DIGIPASS - Request Method = Password
  • Backup DIGIPASS - Request Method = KeywordPassword
  • Backup DIGIPASS - Request Keyword = otp
  • Identification Time Window = 20
  • Signature Time Window = 20
  • Challenge Check Mode = 1
  • Event Window = 20
  • Sync-Window = 6
  • Online Signature Level = 0
  • Identification Threshold = 0
  • Signature Threshold = 0
  • Local Authentication = None
  • Back-End Authentication = None
  • Back-End Protocol = <empty>
  • Dynamic User Registration = No
  • Password Autolearn = No
  • Stored Password Proxy = No
  • Group-Check-Mode = No Check
  • DIGIPASS Assignment - Assignment Mode = Neither
  • Search Upwards in Org. Unit Hierarchy = No
  • Application Type = No Restriction
  • 1-Step Challenge/Response - Permitted = No
  • 1-Step Challenge/Response - Add Check Digit = No
  • Backup Virtual DIGIPASS - BVDP Mode = No
  • Offline Authentication Enabled = No
  • Offline Time Window = 21
  • Offline Event Window = 300
  • Password Randomization - Enabled = No
  • Password Randomization - Back-End Password Length = 16
  • Client-Group-Mode = No Check
  • Second-OTP-Synch-Enabled = No
  • Reply RADIUS Attributes = No
  • RADIUS - Supported Protocols = Any
  • RADIUS - Wireless Session Lifetime = 3600
  • RADIUS - TLS Session Lifetime = 86400
  • RADIUS - Maximum Fast Reconnect Count = 48
  • Radius-Session-Ticket-Group-List = <empty>
  • Static Password - Different From Last # Passwords = 4
  • Static Password - Minimum Password Length = 7
  • Static Password - Minimum # Lowercase Characters = 1
  • Static Password - Minimum # Uppercase Characters = 1
  • Static Password - Minimum # Numerical Digits = 1
  • Static Password - Minimum # Special Characters = 0
  • Static Password - Not Based on User ID = Yes
  • Max Days Between Authentications = 90
  • Multiple DIGIPASS App Validation Mode = Multiple DIGIPASS Applications Allowed
  • Local Admin Users = Reject
  • Virtual Signature - Delivery Method = SMS
  • Virtual Signature - Virtual Signature Mode = No
  • Virtual Signature - MDC Profile = <empty>
  • DIGIPASS Assignment - Expiration Period = 0
  • Secure Channel Support = Yes - Permitted
  • Secure Channel - Activation Message Validity Period = 365
  • Message Signing - Allow Custom Request Body = No
  • Message Signing - Min App Version = 0
  • 1-Step Challenge/Response - Require PIN = Yes
  • 1-Step Challenge/Response - Template Number = 0
  • 1-Step Challenge/Response - Font Index = 0
  • Signature Transaction - Require PIN = Yes
  • Signature Transaction - Template Number = 0
  • Signature Transaction - Font Index = 0
  • Signature Transaction - Show Response = Yes
  • Signature Transaction - Show Warning = No
  • Delayed Activation - Delay Period = 0
  • Delayed Activation - Notify user when activation process starts = No
  • Delayed Activation - Notify user when activation process completes = No
  • Delayed Activation - Delivery Method = SMS
  • Account Lockout - User Lock Threshold = 30
  • Account Lockout - Lock Duration Multiplier = 150
  • Account Lockout - Maximum Unlock Tries = 0
  • User Info Synchronization = No
  • Static Password - Maximum Age in Days = 42
  • Static Password - Minimum Age in Days = 1
  • Static Password - Days to Notify before Expiration = 8
  • Push Notification - Request Method = KeywordPassword
  • Push Notification - Request Keyword = push
  • Push Notification - Mobile Application Name = <empty>
  • Push Notification - Authentication Timeout (seconds) = 30
  • Virtual DIGIPASS - Challenge Message = Enter One-Time Password

Table: Pre-loaded policies

Each entry lists the policy name, its parent policy, a description, and the settings that differ from the parent policy.

Policy name: Base Policy
Parent policy: -
Description: Globally applicable settings. In general, all other policies should inherit from this, directly or indirectly.
Settings different from parent policy:
  • User Lock Threshold=3
  • PIN Change Allowed=Yes
  • Challenge Request Method=Keyword
  • Primary VDP Request Method=Password
  • Backup VDP Request Method=KeywordPassword
  • Backup VDP Request Keyword=otp
  • Identification Time Window=20
  • Check Challenge Mode=1
  • Event Window=20
  • Sync Window=6
  • Online Signature Level=0
  • Identification Threshold=0
  • Local Authentication=None
  • Back-End Authentication=None
  • DUR=No
  • Password Autolearn=No
  • Stored Password Proxy=No
  • Group Check Mode=No
  • Check Assignment Mode=Neither
  • Search Up OU Path=No
  • Application Types=No Restriction
  • 1-Step Challenge/Response=No
  • 1-Step Challenge Check Digit=No
  • Backup VDP Enabled=No

Policy name: IDENTIKEY Local Authentication
Parent policy: Base Policy
Description: Settings applicable to all OneSpan Authentication Server authentication policies, including local authentication. In general, all other OneSpan Authentication Server policies using local authentication should inherit from this, directly or indirectly.
Settings different from parent policy:
  • Local Authentication=DIGIPASS/Password during Grace Period

Policy name: IDENTIKEY Windows Password Replacement
Parent policy: IDENTIKEY Local Authentication
Description: OneSpan Authentication Server model for password replacement and Dynamic User Registration (DUR), using Windows back-end authentication.
Settings different from parent policy:
  • Back-End Authentication=Always
  • Back-End Protocol=Windows
  • DUR=Yes
  • Assignment Mode=Neither
  • Password Autolearn=Yes
  • Stored Password Proxy=Yes

Policy name: IDENTIKEY Microsoft AD Password Replacement
Parent policy: IDENTIKEY Local Authentication
Description: OneSpan Authentication Server model for password replacement with Microsoft Active Directory (LDAP connection).
Settings different from parent policy:
  • Local Auth=Default
  • Backend Auth=Always
  • Backend Protocol=Microsoft AD
  • DUR=Yes
  • Password Autolearn=Yes
  • Stored Password Proxy=Yes

Policy name: IDENTIKEY Novell eDirectory Password Replacement
Parent policy: IDENTIKEY Local Authentication
Description: OneSpan Authentication Server model for password replacement with NetIQ eDirectory (formerly Novell eDirectory) (LDAP connection).
Settings different from parent policy:
  • Local Auth=Default
  • Backend Auth=Always
  • Backend Protocol=Novell eDirectory
  • DUR=Yes
  • Password Autolearn=Yes
  • Stored Password Proxy=Yes

Policy name: IDENTIKEY Windows Auto-Assignment
Parent policy: IDENTIKEY Windows Password Replacement
Description: OneSpan Authentication Server model for auto-assignment based on the Windows password replacement model.
Settings different from parent policy:
  • Assignment Mode=Auto-Assignment
  • Search Up OU Path=Yes
  • Grace Period=7

Policy name: IDENTIKEY Microsoft AD Auto Assignment
Parent policy: IDENTIKEY Local Authentication
Description: OneSpan Authentication Server model for auto-assignment for Microsoft Active Directory.
Settings different from parent policy:
  • Local Auth=Default
  • Backend Auth=If Needed
  • Backend Protocol=Microsoft AD
  • Assignment Mode=Auto-Assignment
  • Search-Up-OU-Path=Yes

Policy name: IDENTIKEY Windows Self-Assignment
Parent policy: IDENTIKEY Windows Password Replacement
Description: OneSpan Authentication Server model for self-assignment based on the Windows password replacement model.
Settings different from parent policy:
  • Assignment Mode=Self-Assignment
  • Search Up OU Path=Yes
  • Self Assignment Separator=|

Policy name: IDENTIKEY Microsoft AD Self Assignment
Parent policy: IDENTIKEY Microsoft AD Password Replacement
Description: OneSpan Authentication Server model for self-assignment for AD password replacement.
Settings different from parent policy:
  • Local Auth=Default
  • Backend Auth=Always
  • Backend Protocol=Microsoft AD
  • Assignment Mode=Self-Assignment
  • Search-Up-OU-Path=Yes

Policy name: IDENTIKEY Novell eDirectory Self-Assignment
Parent policy: IDENTIKEY Novell eDirectory Password Replacement
Description: OneSpan Authentication Server model for self-assignment for NetIQ eDirectory (formerly Novell eDirectory).
Settings different from parent policy:
  • Local Auth=Default
  • Backend Auth=Always
  • Backend Protocol=Novell eDirectory
  • Assignment Mode=Self-Assignment
  • Search-Up-OU-Path=Yes

Policy name: IDENTIKEY RADIUS Password Replacement
Parent policy: IDENTIKEY Local Authentication
Description: OneSpan Authentication Server model for password replacement using a RADIUS server for back-end authentication.
Settings different from parent policy:
  • Backend Authentication=Always
  • Backend Protocol=RADIUS
  • Password Autolearn=Yes
  • Stored Password Proxy=Yes

Policy name: IDENTIKEY RADIUS Auto-Assignment
Parent policy: IDENTIKEY Local Authentication
Description: OneSpan Authentication Server model for auto-assignment based on the RADIUS password replacement model.
Settings different from parent policy:
  • Grace Period=7
  • Search Up OU Path=Yes
  • Assignment Mode=Self-Assignment

Policy name: IDENTIKEY RADIUS Self-Assignment
Parent policy: IDENTIKEY Local Authentication
Description: OneSpan Authentication Server model for self-assignment based on the RADIUS password replacement model.
Settings different from parent policy:
  • Search Up OU Path=Yes
  • Assignment Mode=Self-Assignment
  • Self Assignment Separator=|

Policy name: IDENTIKEY Back End Authentication
Parent policy: Base Policy
Description: OneSpan Authentication Server model for back-end authentication only. Change the back-end protocol to the one required.
Settings different from parent policy:
  • Backend Protocol=RADIUS
  • Backend Authentication=Always

Policy name: IDENTIKEY DP110 Provisioning 1
Parent policy: Base Policy
Description: IDENTIKEY DP110 provisioning model scenario 1 - activation codes are encrypted with pre-loaded static passwords.
Settings different from parent policy:
  • Local Auth=DIGIPASS/Password during Grace Period
  • 1-Step Challenge/Response=Yes - Any challenge

Policy name: IDENTIKEY DP110 Provisioning 2
Parent policy: Base Policy
Description: IDENTIKEY DP110 provisioning model scenario 2 - Dynamic Registration using the back-end system. Change the back-end protocol to the one required.
Settings different from parent policy:
  • Local Auth=DIGIPASS/Password during Grace Period
  • Back-End Authentication=Always
  • 1-Step Challenge/Response=Yes - Any challenge

Policy name: IDENTIKEY DP4Mobile Provisioning 1
Parent policy: Base Policy
Description: Mobile Authenticator Studio provisioning model scenario 1.
Settings different from parent policy: -

Policy name: IDENTIKEY DP4Mobile Provisioning 2
Parent policy: Base Policy
Description: Mobile Authenticator Studio provisioning model scenario 2.
Settings different from parent policy:
  • Local Authentication=DIGIPASS/Password during Grace Period
  • Backend authentication=NONE
  • DIGIPASS type: 'MOB40'

Policy name: IDENTIKEY DP4Mobile Provisioning 3
Parent policy: Base Policy
Description: Mobile Authenticator Studio provisioning model scenario 3.
Settings different from parent policy:
  • Local Authentication=DIGIPASS/Password during Grace Period
  • Backend authentication=IF NEEDED
  • DIGIPASS type: 'MOB40'

Policy name: IDENTIKEY DP4Web Provisioning 1
Parent policy: Base Policy
Description: DIGIPASS for Web provisioning model scenario 1 - activation codes are encrypted with pre-loaded static passwords.
Settings different from parent policy: -

Policy name: IDENTIKEY DP4Web Provisioning 2
Parent policy: Base Policy
Description: DIGIPASS for Web provisioning model scenario 2 - pre-loaded user accounts and static passwords.
Settings different from parent policy:
  • Local Auth=DIGIPASS/Password during Grace Period

Policy name: IDENTIKEY DP4Web Provisioning 3
Parent policy: Base Policy
Description: DIGIPASS for Web provisioning model scenario 3 - Dynamic Registration using the back-end system. Change the back-end protocol to the one required.
Settings different from parent policy:
  • Local Auth=DIGIPASS/Password during Grace Period
  • DUR=Yes

Policy name: IDENTIKEY Deferred Time Signature Verification
Parent policy: Base Policy
Description: Deferred-time signature verification settings: time-based.
Settings different from parent policy:
  • Signature Time Window=24

Policy name: IDENTIKEY Real-Time Signature Verification 1
Parent policy: Base Policy
Description: Real-time signature verification settings: time-based; several signatures are allowed in the same time step, but two identical successive signatures are rejected.
Settings different from parent policy:
  • Online Signature Level=1 - Multiple Signatures allowed in same Time Step

Policy name: IDENTIKEY Real-Time Signature Verification 2
Parent policy: Base Policy
Description: Real-time signature verification settings: time-based; one signature allowed per time step.
Settings different from parent policy:
  • Online Signature Level=2 - Only 1 Signature/Time Step allowed

Policy name: IDENTIKEY Real-Time Signature Verification 3
Parent policy: Base Policy
Description: Deferred-time signature verification settings: event-based, offline mode.
Settings different from parent policy:
  • Signature Time Window=24

Policy name: Windows logon online authentication - Windows Back-End
Parent policy: IDENTIKEY Local Authentication
Description: Windows logon with Windows back end.
Settings different from parent policy:
  • Back-End Authentication=Always
  • Back-End Protocol=Windows
  • Enable Random Password=No
  • Client Group List=<empty>
  • Client Group Mode=No check
  • Offline Authentication=No

Policy name: Windows logon online authentication - LDAP AD Back-End
Parent policy: IDENTIKEY Local Authentication
Description: Windows logon for LDAP AD back end.
Settings different from parent policy:
  • Back-End Authentication=Always
  • Back-End Protocol=Microsoft AD
  • Enable Random Password=No
  • Client Group List=<empty>
  • Client Group Mode=No check
  • Offline Authentication=No

Policy name: Windows logon online and offline authentication - Windows Back-End
Parent policy: Windows logon online authentication - Windows Back-End
Description: Windows logon online and offline authentication for Windows back end.
Settings different from parent policy:
  • Offline Authentication=Yes
  • Offline Time Window (days)=21
  • Offline Event Window=300

Policy name: Windows logon online and offline authentication - LDAP AD Back-End
Parent policy: Windows logon online authentication - LDAP AD Back-End
Description: Windows logon online and offline authentication settings for LDAP AD back end.
Settings different from parent policy:
  • Offline Authentication=Yes
  • Offline Time Window (days)=21
  • Offline Event Window=300
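The table only lists the settings each policy changes relative to its parent, so the effective value of a setting for a policy several levels below Base Policy has to be assembled by walking the chain of parents. The following Python resolver is an added illustration of that inheritance rule and is not OneSpan code or part of this documentation. It embeds a subset of the policies transcribed from the table above (only a handful of settings each); the mapping of the table's abbreviated names to the long names used in the Base Policy list (for example "DUR" to "Dynamic User Registration") and the use of an empty string for `<empty>` are assumptions of this example, not product key names. It goes slightly beyond the table by also reporting every policy that effectively carries a given value, which an auditor reviewing, say, which policies end up with Stored Password Proxy enabled would want.

```python
"""Resolve effective settings of inherited OneSpan Authentication Server
policies: child settings override parent settings, root first.

Added example, not OneSpan's code. POLICIES is a subset transcribed from the
pre-loaded policy table; setting names are normalised to the long forms used
in the Base Policy list (an assumption of this example).
"""
from __future__ import annotations

# name -> (parent name or None, settings that differ from the parent)
POLICIES: dict[str, tuple[str | None, dict[str, str]]] = {
    "Base Policy": (None, {
        "User Lock Threshold": "3",
        "Local Authentication": "None",
        "Back-End Authentication": "None",
        "Back-End Protocol": "",                       # <empty> in the table
        "Dynamic User Registration": "No",             # "DUR" in the table
        "Password Autolearn": "No",
        "Stored Password Proxy": "No",
        "DIGIPASS Assignment - Assignment Mode": "Neither",
        "Search Upwards in Org. Unit Hierarchy": "No",  # "Search Up OU Path"
        "Offline Authentication Enabled": "No",
    }),
    "IDENTIKEY Local Authentication": ("Base Policy", {
        "Local Authentication": "DIGIPASS/Password during Grace Period",
    }),
    "IDENTIKEY Windows Password Replacement": ("IDENTIKEY Local Authentication", {
        "Back-End Authentication": "Always",
        "Back-End Protocol": "Windows",
        "Dynamic User Registration": "Yes",
        "DIGIPASS Assignment - Assignment Mode": "Neither",
        "Password Autolearn": "Yes",
        "Stored Password Proxy": "Yes",
    }),
    "IDENTIKEY Windows Auto-Assignment": ("IDENTIKEY Windows Password Replacement", {
        "DIGIPASS Assignment - Assignment Mode": "Auto-Assignment",
        "Search Upwards in Org. Unit Hierarchy": "Yes",
        "Grace Period": "7",
    }),
    "Windows logon online authentication - Windows Back-End": (
        "IDENTIKEY Local Authentication", {
            "Back-End Authentication": "Always",
            "Back-End Protocol": "Windows",
            "Offline Authentication Enabled": "No",
        }),
    "Windows logon online and offline authentication - Windows Back-End": (
        "Windows logon online authentication - Windows Back-End", {
            "Offline Authentication Enabled": "Yes",
            "Offline Time Window": "21",
            "Offline Event Window": "300",
        }),
}


def inheritance_chain(name: str) -> list[str]:
    """Return [root, ..., name]; reject unknown policies and parent cycles."""
    chain: list[str] = []
    seen: set[str] = set()
    cur: str | None = name
    while cur is not None:
        if cur in seen:
            raise ValueError(f"inheritance cycle at {cur!r}")
        if cur not in POLICIES:
            raise KeyError(f"unknown policy {cur!r}")
        seen.add(cur)
        chain.append(cur)
        cur = POLICIES[cur][0]
    chain.reverse()
    return chain


def effective_settings(name: str) -> dict[str, str]:
    """Merge overrides from the root down, so the most specific policy wins."""
    merged: dict[str, str] = {}
    for policy in inheritance_chain(name):
        merged.update(POLICIES[policy][1])
    return merged


def policies_with(setting: str, value: str) -> list[str]:
    """Audit helper: every policy whose effective value of `setting` equals
    `value`, including policies that only inherit it from a parent."""
    return sorted(p for p in POLICIES
                  if effective_settings(p).get(setting) == value)


if __name__ == "__main__":
    for name in POLICIES:
        print(name, "<-", " <- ".join(reversed(inheritance_chain(name)[:-1])))
        for key, val in sorted(effective_settings(name).items()):
            print(f"    {key} = {val or '<empty>'}")
    print("Stored Password Proxy=Yes:", policies_with("Stored Password Proxy", "Yes"))
```

Running it shows why reading a single table row is not enough: "IDENTIKEY Windows Auto-Assignment" never mentions Stored Password Proxy or Dynamic User Registration in its own row, yet both are effectively "Yes" because its parent, "IDENTIKEY Windows Password Replacement", sets them, while Local Authentication comes from two levels further up.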