Static password
Digipass Authentication for Windows Logon relies on the Windows static password to perform the Windows logon. It is therefore important that OneSpan Authentication Server is always up to date with the current Windows static password for each user. There are two ways to ensure that the static password is up to date:
Static password synchronization
Password Synchronization Manager (PSM) automatically updates a changed Windows password on OneSpan Authentication Server. The product is installed on the Active Directory domain controller. The new Windows password will be reflected as the static password on OneSpan Authentication Server.
If OneSpan Authentication Server is not available, the synchronization fails: the Windows password is changed on the domain controller, but the static password stored on OneSpan Authentication Server keeps the old value until a later change is synchronized successfully.
If the user is not defined on OneSpan Authentication Server, only the password on the domain controller will be changed.
Static password randomization
Static password randomization is used to enforce strong authentication for Windows logon. It helps ensure the following:
- The user will not be able to log on to a Windows machine without an OTP.
- The user cannot uninstall Digipass Authentication for Windows Logon and log on with the Windows static password only.
If password randomization is enabled, OneSpan Authentication Server replaces the Windows static password with a new randomly generated password at each logon, following the format rules described under Password format. Randomization is transparent to the user, who enters only their user ID and an OTP; the new password is generated and set in the background and is never shown to the user.
Since the password is randomized for each authentication procedure, users are prevented from logging on to client workstations which do not have Digipass Authentication for Windows Logon installed.
You can enable password randomization in the relevant Digipass Authentication for Windows Logon client component policy.
Static password randomization is only available if Windows or Active Directory back-end authentication is enabled. It is not available for IBM Security Directory Server or NetIQ eDirectory back-end authentication.
Password format
The format criteria for the new password include the following:
- Password length. The default length is 16 characters, but this can be overridden by specifying a password length in the relevant OneSpan Authentication Server Windows logon policy.
  - On systems with a Windows back end, the maximum length is 63 characters.
  - On systems using another back end, the maximum length is 127 characters.
- Character set. The random password will consist of characters from the following set:
  - a–z
  - A–Z
  - 0–9
  - Printable symbols: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
- Complexity requirements. The following requirements must be met:
  - The random password must not contain the user ID, or any part of the user's full name that exceeds two consecutive characters (three or more consecutive characters).
  - The random password must contain characters from at least three of the four character set components listed above.
These complexity requirements mirror the default Microsoft Windows Server 2003 Active Directory password policy, so a generated password is accepted as the Windows static password under that default policy. If the domain enforces a stricter policy (for example, a minimum password length greater than the configured random password length), set the password length in the Windows logon policy accordingly, so that generated passwords are still accepted.
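The format rules above, written out as a generator and a validator. This is an added example for this page, not OneSpan's own code, and it makes some assumptions: the back-end labels `"windows"` and `"other"` are names chosen here, a user ID shorter than three characters is not checked (mirroring the floor Windows applies to the account name), and the full-name rule is read strictly as "no three consecutive characters of the full name may appear in the password", which is at least as strict as the delimiter-based check Windows itself performs.

```python
import secrets
import string

# The four character-set components listed on the page.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)

DEFAULT_LENGTH = 16
# Maximum length per back end, as stated on the page. The keys are labels
# chosen for this example, not OneSpan policy setting names (assumption).
MAX_LENGTH = {"windows": 63, "other": 127}
MIN_LENGTH = 3  # three character classes cannot fit in fewer characters


def length_allowed(length, backend="windows"):
    """True if a password of `length` characters is usable for the back end."""
    return MIN_LENGTH <= length <= MAX_LENGTH[backend]


def class_count(password):
    """Number of the four character-set components present in the password."""
    return sum(any(ch in cls for ch in password) for cls in CLASSES)


def contains_name_fragment(password, user_id, full_name):
    """Name rule, checked case-insensitively.

    The user ID is rejected as a whole. IDs shorter than three characters are
    skipped (assumption: same floor Windows uses for the account name), since
    otherwise almost every candidate would be rejected. For the full name the
    page's "parts that exceed two consecutive characters" is read strictly:
    any three consecutive characters of the full name found in the password
    is a violation (assumption; Windows tokenises on delimiters instead).
    """
    pw = password.lower()
    uid = user_id.lower()
    if len(uid) >= 3 and uid in pw:
        return True
    name = full_name.lower()
    return any(name[i:i + 3] in pw for i in range(len(name) - 2))


def is_valid(password, user_id, full_name, backend="windows"):
    """Apply every format rule from the page to a candidate password."""
    if not length_allowed(len(password), backend):
        return False
    if any(ch not in ALPHABET for ch in password):
        return False
    if class_count(password) < 3:
        return False
    return not contains_name_fragment(password, user_id, full_name)


def generate(user_id, full_name, length=DEFAULT_LENGTH, backend="windows"):
    """Draw candidates from a CSPRNG and return the first one that passes.

    Rejection sampling keeps the result uniformly distributed over *valid*
    passwords; patching a candidate to force in a missing class would bias it.
    """
    if not length_allowed(length, backend):
        raise ValueError(f"length {length} not allowed for back end {backend!r}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_valid(candidate, user_id, full_name, backend):
            return candidate


if __name__ == "__main__":
    # Constructed sample account, not real data.
    print(generate("jdoe", "John Doe"))
```

The validator is the part worth keeping even if you never generate passwords yourself: running it against a domain's actual policy settings (length, and whether the name rule is in force) tells you before rollout whether the configured random password length can ever produce a password the back end will accept.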
Regulatory compliance
Some regulations specify that a strong password must be defined for Windows logon. The regulations frequently relate to the length of the password, the combination of characters in the password, and the frequency with which it must be changed. By using static password randomization, better control can be exerted over the regulatory criteria. Generated random passwords can be longer and much more complex than a static password that a user has to remember.
When Active Directory is the back end, a minimum password age is usually set in Active Directory Group Policy Management. If an administrator resets a user's static password while password randomization is enabled in OneSpan Authentication Server, the "User must change password at next logon" option must be selected on the account. Otherwise the next logon fails, because the newly set password is younger than the minimum password age and cannot be replaced by the randomized password yet.