TID Provisioning for Multi-Device Licensing (Policy)

The following is an overview of the relevant default settings of provisioning for multi-device licensing with OneSpan Cloud Authentication.

  • Parent policy: IDENTIKEY Provisioning for Multi-Device Licensing
TID Provisioning for Multi-Device Licensing: Default parameter settings
Parameter name | Default value | Description
local_auth | DIGIPASS or Password

Local Authentication

This specifies whether authentication requests using the policy will be handled by the Authentication component using local authentication.

When local authentication is used, there are two factors that determine whether an authenticator is used for authentication – any policy restrictions on authenticator types and/or applications that can be used and whether the user account has any assigned authenticator that meets the restrictions. For example, if the policy requires a certain authenticator type, but the user has a different type, they cannot use the authenticator for authentication under that policy.

This setting also affects the provisioning registration process.

Possible values:

  • Default. Use the setting of the parent policy.
  • None. The Authentication component will not use local authentication under this policy. The authentications may be handled using back-end authentication or not handled at all by the authentication service.
  • DIGIPASS Only. The Authentication component will always use local authentication under this policy, using authenticator authentication. If authentication with an authenticator is not possible, the user cannot log in. Back-end authentication may also be used.
  • DIGIPASS/Password During Grace Period. The Authentication component will always use local authentication under this policy. The static password can only be used within a (configurable) grace period until an authenticator is used for the first time. Back-end authentication may also be used.
  • DIGIPASS or Password. This authentication mode allows users to permanently use their static password or their authenticator. This is possible even after the grace period has expired and/or they have already used their authenticator for authentication. The grace period also expires after a successful MDL activation, either using an OTP or a signature validation.
user_days_inactive | 0

Maximum Days Between Authentications

This setting specifies the number of days a user account can remain inactive before it is suspended. If the account has been suspended, the user will not be able to log on. The user will be notified during authentication that the user account has been suspended. By default, a user account expires when no operations have been performed during the last 90 days.

You can reactivate a suspended user account with the Reset Last Authentication Time action in the USERS > User Account tab.

Setting this value to 0 effectively disables this feature. User accounts that are suspended at the time the feature is being disabled will become active again with the next successful user authentication.

pvdp_req_method | None

Request Method

The method by which a user has to request a Virtual Mobile Authenticator login. The request is made in the password field during login. The request will be ignored if the user does not have a Virtual Mobile Authenticator assigned.

Possible values:

  • Default. Use the setting of the parent policy.
  • None. Do not use primary Virtual Mobile Authenticator.
  • Keyword. Use the request keyword, with or without another item. The user needs to type the request keyword into the password field. This can be blank.
  • Keyword Only. Only the keyword will be accepted.
  • Password. Use the static password. The user needs to type the static password into the password field.
  • KeywordPassword. Use the request keyword followed by the static password. The user needs to type the request keyword followed by the static password into the password field. No separator characters or white spaces are allowed between them.
  • PasswordKeyword. Use the static password followed by the request keyword. The user needs to type the static password followed by the request keyword into the password field. No separator characters or white spaces are allowed between them.

dp_type_limit

  • TYP01: 10 per user
  • TYP03: 10 per user
  • TYP07: 10 per user

Types 01, 03, and 07 are MDL instances derived from the DAL10 authenticator type.

Authenticator Type Limit

Limits of authenticator instances per authenticator type.

This setting allows you to restrict the maximum number of assigned authenticators per user for specific authenticator types. If you need to provide more than one authenticator to your users, you should still limit the number so that too many authenticators (and/or instances) are not assigned to or activated for a single user.

For single-device licensing, it is possible to limit the number of assigned authenticators; for multi-device activation/multi-device licensing the setting limits the number of assigned authenticator licenses and activated authenticator instances.

dp_types
  • DAL10
  • DP760
  • DP770
  • TGP10

DIGIPASS Type

The policy, when effective, can specify a restriction on the authenticator type to be used. If the list is empty, there is no restriction. If there are one or more entries, they indicate the authenticator types that are permitted.
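
The following added example (an illustrative model, not OneSpan code or a OneSpan API) shows how the settings above combine when reviewing a policy: inheritance of Default values from a parent, the dp_types allow-list, the dp_type_limit per-user cap, and the effect of user_days_inactive = 0. The child policy, the function names, the treatment of unlisted types as unlimited, and the exact suspension boundary are assumptions made for the example.

```python
DEFAULT = "Default"  # a setting with this value is inherited from the parent policy

# Default values of "TID Provisioning for Multi-Device Licensing" as listed on this page.
TID_MDL = {
    "parent": None,  # the real parent's values are not on this page, so it is omitted
    "local_auth": "DIGIPASS or Password",
    "user_days_inactive": 0,
    "pvdp_req_method": "None",
    "dp_type_limit": {"TYP01": 10, "TYP03": 10, "TYP07": 10},
    "dp_types": ["DAL10", "DP760", "DP770", "TGP10"],
}

# Constructed (hypothetical) child policy that narrows the permitted types only.
CHILD = {"parent": TID_MDL, "local_auth": DEFAULT, "dp_types": ["DAL10"]}


def effective(policy, name):
    """Walk up the parent chain until a non-Default value is found."""
    while policy is not None:
        value = policy.get(name, DEFAULT)
        if value != DEFAULT:
            return value
        policy = policy["parent"]
    raise KeyError(f"{name} is not set anywhere in the policy chain")


def type_permitted(policy, auth_type):
    """An empty dp_types list means no restriction; otherwise it is an allow-list."""
    allowed = effective(policy, "dp_types")
    return not allowed or auth_type in allowed


def may_activate_instance(policy, instance_type, current_count):
    """Check the per-user instance cap for one type (for example TYP01)."""
    limit = effective(policy, "dp_type_limit").get(instance_type)
    # Assumption: a type without an entry has no cap.
    return limit is None or current_count < limit


def inactivity_suspends(policy, days_since_last_auth):
    """user_days_inactive = 0 disables suspension for inactivity."""
    max_days = effective(policy, "user_days_inactive")
    # Assumption: suspension applies once the configured number of days is exceeded.
    return max_days != 0 and days_since_last_auth > max_days
```
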