Configuring CA Auth ID OTP (OATH-Compliant) Authentication Policy

A CA Auth ID OTP-OATH policy can be used to specify the following authentication-related attributes for CA Auth ID OTPs that are OATH-compliant:

Follow these steps:

  1. Click the Services and Server Configurations tab on the main menu.
  2. Verify that the CA Strong Authentication tab in the submenu is active.
  3. Under the ArcotOTP-OATH section, click the Authentication link to display the ArcotOTP-OATH Authentication Policy page.
  4. Edit the fields in the Policy Configuration section, as required.
    Create

    If you choose to create a new policy, then:

    • Select the Create option.
    • Specify the Configuration Name of the new policy in the field that appears.

    Update

    If you choose to update an existing policy, then select the policy that you want to update from the Select Configuration list that appears.

    Copy Configuration

    Enable this option if you want to create the policy by copying the configurations from an existing policy.

    Note: You can also copy from configurations that belong to other organizations that you have scope on.

    Available Configurations

    Select the policy from which the configurations will be copied.

    Authentication Look Ahead Count

    Enter the number of times the CA Auth ID OTP counter on the CA Strong Authentication Server is increased to verify the CA Auth ID OTP entered by the user. The CA Auth ID OTP entered by the user is compared with all the CA Auth ID OTPs that the server generates for counts from (current count - Authentication Look Back Count) to (current count + Authentication Look Ahead Count). If the CA Auth ID OTP entered by the user matches any of them, the user is authenticated.

    Note: If the client and server CA Auth ID OTPs match, then that count is set as the current count on the server.

    Authentication Look Back Count

    Enter the number of times the CA Auth ID OTP counter on the CA AuthMinder Server is decreased to verify the CA Auth ID OTP entered by the user.

    The CA Auth ID OTP entered by the user is compared with all the CA Auth ID OTPs that the server generates for counts from (current count - Authentication Look Back Count) to (current count + Authentication Look Ahead Count). If the CA Auth ID OTP entered by the user matches any of them, the user is authenticated.

    Note: If the client and server CA Auth ID OTPs match, then that count is set as the current count on the server.

    Synchronization Look Ahead Count

    Enter the number of times the CA Auth ID OTP counter on the CA Strong Authentication Server is increased to synchronize with the CA Auth ID OTP counter on the client device.

    To synchronize the client and the server CA Auth ID OTPs, the user has to provide two consecutive CA Auth ID OTPs. If these CA Auth ID OTPs match consecutive server CA Auth ID OTPs in the lookup range (current count - Synchronization Look Back Count to current count + Synchronization Look Ahead Count), then the server counter is synchronized with the count corresponding to the second CA Auth ID OTP entered by the user.

    Synchronization Look Back Count

    Enter the number of times the CA Auth ID OTP counter on the CA Strong Authentication Server is decreased to synchronize with the CA Auth ID OTP counter on the client device.

    To synchronize the client and the server CA Auth ID OTPs, the user has to provide two consecutive CA Auth ID OTPs. If these CA Auth ID OTPs match consecutive server CA Auth ID OTPs in the lookup range (current count - Synchronization Look Back Count to current count + Synchronization Look Ahead Count), then the server counter is synchronized with the count corresponding to the second CA Auth ID OTP entered by the user.

    Lockout Credential After

    Specify the number of failed attempts after which the CA Auth ID OTP will be locked.

    Check User Status Before Authentication

    Select this option if you want to verify whether the user status is active, before authenticating them.

  5. Expand the Advanced Configurations section by clicking the [+] sign.
  6. Edit the fields in the section, as required.
    Issue Warning

    Specify the number of days before the warning is sent to the calling application about the user’s impending credential expiration.

    Allow Successful Authentication

    Specify the number of days for which the users can use an expired credential to successfully log in.

    Enable Automatic Credential Unlock

    Select this option if you want the credential to be automatically unlocked after the time you specify in the following field.

    This field is valid only if you specify the corresponding value in the Lockout Credential After field.

    Note: The credential does not get automatically unlocked after the unlock period. The credential has to be used for successful authentication after the unlock period to get it unlocked.

    Unlock After

    Specify the number of hours after which a locked credential can be used again for authentication.

    Alternate Processing Options

    The CA Advanced Authentication Server acts as a proxy and passes the authentication requests to other authentication servers, based on the following conditions:

    • User Not Found: If the user trying to authenticate is not present in the CA Advanced Authentication database, then the request is passed to the other server.
    • Credential Not Found: If the credential with which the user is trying to authenticate is not present in the CA Advanced Authentication database, then the request is passed to the other server.

    For more information on how to enable this feature, see Configuring CA AuthMinder as RADIUS Proxy Server.

    Multiple Credential Options
    Usage Type for Verification

    If you want the users to authenticate with a particular CA Auth ID OTP credential, then enter the name of its usage type in this field.

    If you do not specify the usage type, then the usage type mentioned in the default CA Auth ID OTP authentication policy is used.

  7. Click Save.
  8. Refresh all deployed CA Strong Authentication Server instances. See Refresh a Server Instance for instructions about the procedure.
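
The following is an added example, not CA code, that models how the Authentication and Synchronization Look Ahead/Look Back counts described in step 4 bound which OTPs a server accepts. It assumes the OATH credential is a 6-digit counter-based HOTP (RFC 4226); the function names and the RFC test secret are illustrative only.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret; stands in for a provisioned token key.
SECRET = b"12345678901234567890"

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP value for a single counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def window(current, back, ahead):
    """Counts from current - back to current + ahead (never below 0)."""
    return range(max(0, current - back), current + ahead + 1)

def authenticate(secret, current, otp, back, ahead):
    """Return the matching count (the new server count), or None."""
    for count in window(current, back, ahead):
        if hmac.compare_digest(hotp(secret, count), otp):
            return count
    return None

def synchronize(secret, current, otp1, otp2, back, ahead):
    """Both OTPs must match consecutive counts inside the window.
    Returns the count of the second OTP, or None."""
    for count in window(current, back, ahead)[:-1]:
        if (hmac.compare_digest(hotp(secret, count), otp1)
                and hmac.compare_digest(hotp(secret, count + 1), otp2)):
            return count + 1
    return None

if __name__ == "__main__":
    # Server count is 3; the token has been pressed ahead to count 5.
    print(authenticate(SECRET, 3, hotp(SECRET, 5), back=1, ahead=2))
    # Token drifted to count 7: single OTP fails, two consecutive OTPs resync.
    print(authenticate(SECRET, 3, hotp(SECRET, 7), back=1, ahead=2))
    print(synchronize(SECRET, 3, hotp(SECRET, 7), hotp(SECRET, 8), back=1, ahead=5))
```

In this model every count in the window is an accepted value, so a single random guess succeeds with a probability of roughly (look back + look ahead + 1) in 10^6. Small authentication counts combined with Lockout Credential After keep that exposure bounded, while the wider synchronization range is offset by requiring two consecutive OTPs.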