Static password strength and age rules

You can customize password strength and password age rules to increase static password security. Password strength rules control the required format of static passwords. Password age rules control when and how often users can change their static passwords. Password rules are configured in the policy associated with the server component, so they apply to all users regardless of the client used.

Different password strength rules can be applied to administrators and regular users via policy inheritance:

  • Administrators. The effective policy values for password strength rules (i.e. the values after inheritance from parent policies has been resolved) are applied to administrative users.
  • Users. The values defined in the base policy of the applicable policy are applied, NOT the effective settings.

This mechanism allows you to specify general password rules, which apply to all users, in the base policy. You can further create a child policy based on that base policy to specify stricter password rules for administrative users.

By default, password rules are only defined in the base policy, i.e. in a default installation of OneSpan Authentication Server administrators and regular users are subject to the same rules. To apply stricter rules to administrators, you have to create a child policy accordingly.

Password strength rules

Password strength rules control the required formatting of static passwords.

Password policies only apply to static passwords when they are created or updated.

They do not apply to the passwords used by the following:

  • First administrator
  • SSL certificates
  • Security configuration for the SNMPv3 user

For these cases the default password rules apply.

You can configure the following password requirements:

  • Minimum password length
  • Minimum number of lower case characters
  • Minimum number of upper case characters
  • Minimum number of numeric characters
  • Minimum number of symbols
  • Password history, i.e. the number of previously used passwords that a new password must differ from before a password can be reused.
  • No inclusion of the user ID, i.e. whether the user ID (or parts thereof) may appear in the password.

OneSpan Authentication Server supports Unicode in passwords. However, if a back-end server has been configured for the respective context, the characters it supports may be more limited.

For more information, refer to the OneSpan Authentication Server Administrator Reference, Section "Policy properties".

Password strength rules enforcement

Password strength rules are always enforced in the following circumstances:

  • During the first installation.
  • If a user account is created or updated, or if a password is set via the Administration Web Interface or the Tcl Command-Line Administration tool.

The following default password strength rules will be applied to the first administrator password:

  • At least 7 characters long
  • Contains at least 1 lowercase character
  • Contains at least 1 uppercase character
  • Contains at least 1 numeric character
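The following is an added example, not OneSpan code, showing how the configurable requirements listed above (length, character classes, password history, no inclusion of the user ID) can be checked for a candidate password, with the first-administrator defaults from the list above as one rule set. The interpretation of "parts" of the user ID (any case-insensitive substring of at least three characters) and the use of salted PBKDF2 hashes for the history list are assumptions made for the example; the page does not specify either.

```python
"""Static password strength check modelled on the rules above (added example)."""
import hashlib
import os
import unicodedata
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class StrengthRules:
    min_length: int = 0
    min_lower: int = 0
    min_upper: int = 0
    min_numeric: int = 0
    min_symbols: int = 0
    history_depth: int = 0        # new password must differ from this many previous ones
    forbid_user_id: bool = False  # reject passwords containing the user ID or parts of it


# Default rules the page lists for the first administrator password.
FIRST_ADMIN_DEFAULTS = StrengthRules(min_length=7, min_lower=1, min_upper=1, min_numeric=1)

# Assumption: a "part" of the user ID is any substring of at least this many characters.
USER_ID_PART_MIN = 3


def _hash(password: str, salt: bytes) -> bytes:
    # Assumption: history entries are salted PBKDF2 hashes, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


def remember(password: str) -> Tuple[bytes, bytes]:
    """Create a history entry (salt, digest) for a password that was just set."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def _counts(password: str) -> Tuple[int, int, int, int]:
    """Count lower, upper, numeric and symbol characters using Unicode categories."""
    lower = upper = numeric = symbols = 0
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Ll":
            lower += 1
        elif cat == "Lu":
            upper += 1
        elif cat == "Nd":
            numeric += 1
        elif cat[0] in "PS":      # punctuation (P*) and symbol (S*) categories
            symbols += 1
    return lower, upper, numeric, symbols


def _contains_user_id_part(password: str, user_id: str) -> bool:
    pw, uid = password.casefold(), user_id.casefold()
    if len(uid) < USER_ID_PART_MIN:
        return uid in pw
    parts = (uid[i:i + USER_ID_PART_MIN] for i in range(len(uid) - USER_ID_PART_MIN + 1))
    return any(part in pw for part in parts)


def check_password(password: str, rules: StrengthRules, user_id: str = "",
                   history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the names of violated rules; an empty list means the password is accepted.

    `history` holds (salt, digest) entries, most recent first.
    """
    violations = []
    lower, upper, numeric, symbols = _counts(password)
    if len(password) < rules.min_length:
        violations.append("min_length")
    if lower < rules.min_lower:
        violations.append("min_lower")
    if upper < rules.min_upper:
        violations.append("min_upper")
    if numeric < rules.min_numeric:
        violations.append("min_numeric")
    if symbols < rules.min_symbols:
        violations.append("min_symbols")
    if rules.forbid_user_id and user_id and _contains_user_id_part(password, user_id):
        violations.append("user_id")
    for salt, digest in list(history)[:rules.history_depth]:
        if _hash(password, salt) == digest:
            violations.append("history")
            break
    return violations


if __name__ == "__main__":
    strict = StrengthRules(min_length=12, min_lower=2, min_upper=2, min_numeric=2,
                           min_symbols=1, history_depth=3, forbid_user_id=True)
    print(check_password("Secret7x", FIRST_ADMIN_DEFAULTS))            # []
    print(check_password("JSmith2024!x", strict, user_id="jsmith"))    # ['user_id']
```

Because regular users are checked against the base policy values while administrators are checked against the effective values, a deployment would call check_password with a different StrengthRules instance depending on the account type.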

For back-end authentication, the password policy of OneSpan Authentication Server and that of the back-end server should be identical. If there are multiple back-end systems and each one has a different password policy, the OneSpan Authentication Server policy should be just as strict as, or less strict than, the least strict password policy of all the back-end systems; otherwise a password accepted by a back-end system could be rejected locally.

Password age rules

Password age rules control when and how often users can change their static passwords (password longevity).

You can configure the following password age rules:

  • Minimum password age
  • Maximum password age
  • Days to notify before a password expires

The password age rules apply only when the local authentication mode is DIGIPASS or Password. The minimum password age is verified when a static password is created or updated. The maximum password age is verified during an authentication.
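As an added example (not OneSpan code), the following models the two different check points stated above: the minimum age is enforced when a password is set, while the maximum age and the expiry notification are evaluated at authentication time. The exact boundary semantics (a password is still valid on its expiry date, 0 means "no maximum age") and the names of the functions are assumptions made for the example.

```python
"""Static password age checks modelled on the rules above (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple


@dataclass
class AgeRules:
    min_age_days: int = 0   # a password may not be changed again before this many days
    max_age_days: int = 0   # password expires this many days after it was set; 0 = never (assumption)
    notify_days: int = 0    # warn the user this many days before expiry; 0 = no warning


@dataclass
class PasswordRecord:
    last_changed: date      # date the local static password was last set


def may_change(record: PasswordRecord, rules: AgeRules, today: date) -> bool:
    """Minimum age check, performed when a static password is created or updated."""
    return (today - record.last_changed).days >= rules.min_age_days


def set_password(record: PasswordRecord, rules: AgeRules, today: date) -> PasswordRecord:
    """Apply a password change; raises if the minimum age has not been reached.

    The returned record starts a new expiry interval, which is what makes the
    local password expire repeatedly at the configured interval.
    """
    if not may_change(record, rules, today):
        raise ValueError("password changed too recently (minimum password age)")
    return PasswordRecord(last_changed=today)


def expiry_status(record: PasswordRecord, rules: AgeRules,
                  today: date) -> Tuple[str, Optional[date]]:
    """Maximum age and notification check, performed during authentication.

    Returns ("ok" | "expiring" | "expired", expiry date or None).
    """
    if rules.max_age_days <= 0:
        return "ok", None
    expires_on = record.last_changed + timedelta(days=rules.max_age_days)
    if today > expires_on:                      # assumption: valid through the expiry date
        return "expired", expires_on
    if rules.notify_days and (expires_on - today).days <= rules.notify_days:
        return "expiring", expires_on
    return "ok", expires_on


def authenticate(record: PasswordRecord, rules: AgeRules, today: date,
                 password_ok: bool) -> Tuple[bool, str]:
    """Outcome of a local authentication: (accepted, message for the user)."""
    if not password_ok:
        return False, "invalid credentials"
    status, expires_on = expiry_status(record, rules, today)
    if status == "expired":
        return False, f"password expired on {expires_on.isoformat()}"
    if status == "expiring":
        return True, f"password expires on {expires_on.isoformat()}"
    return True, "ok"


if __name__ == "__main__":
    rules = AgeRules(min_age_days=1, max_age_days=90, notify_days=7)
    rec = PasswordRecord(last_changed=date(2024, 1, 1))
    print(authenticate(rec, rules, date(2024, 3, 25), True))   # (True, 'password expires on 2024-03-31')
    print(authenticate(rec, rules, date(2024, 4, 1), True))    # (False, 'password expired on 2024-03-31')
```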

They do not apply to the passwords used by the following:

  • First administrator
  • SSL certificates
  • Security configuration for the SNMPv3 user

For these cases the default password rules apply.

Static password expiration (Local password)

Another factor that contributes to password strength is the expiration of the static password, as this ensures that end users change their static password at adequate intervals. In OneSpan Authentication Server the end user's local static password expires repeatedly at the specified interval, provided the local authentication mode is set to DIGIPASS or Password (see Local authentication). Keep in mind that the local authentication mode is determined by the effective policy based on the respective client component, but can be overridden via user-specific authentication policy settings.

Note that this type of password expiration applies to the static password stored locally in OneSpan Authentication Server. If you change the local static password, it is not synchronized with the static password in any back-end system. That means that if you are using back-end authentication, the local static password and the back-end password will differ, for example after changing the local password via the Administration Web Interface.

You should not use local static password expiration when using back-end authentication, but rely on the back-end system to enforce password expiration (see Static password expiration (Back-end password)).

If Days to Notify before Expiration has been set, the user will receive a notification in OneSpan Authentication Server and/or OneSpan User Websites that the static password is about to expire with the exact expiration date indicated.

The Administration Web Interface allows users to set their passwords when they are notified and have the respective administrative privileges (Set User Password).

Static password expiration (Back-end password)

You can configure your back-end passwords to expire, so that your users are forced to change their back-end passwords regularly. This option is preferred over the local password expiration option (see Static password expiration (Local password)).

If you configure your static back-end passwords to expire after a certain time, you can allow users who log on to the Administration Web Interface to change their password right from the logon page. This means that whenever a user attempts to log on to the Administration Web Interface and the back-end password has expired or has been set to be changed at next logon, the user is automatically redirected to a change password page.

To set a new back-end password, the user needs to authenticate first using either the current back-end password or a one-time password (OTP) generated by an authenticator assigned to the user. In the former case, the user is automatically logged on after successfully setting a new back-end password. In the latter case, the user is redirected to the logon page again.

Changing expired back-end passwords at the logon page requires the following:

  • The authentication scenario must be enabled.
  • The effective policy must have back-end authentication set to Always.
  • If you have enabled Stored Password Proxy in the policy to use the stored password for back-end authentication, you must also enable Password Autolearn. Otherwise, the stored password and the effective back-end password will differ after changing an expired back-end password and logon will no longer work.