

Configuring Password Authentication Policy

A Password policy can be used to specify the following attributes related to password-based authentication:

To configure a Password authentication policy for organizations:

  1. Ensure that you are logged in as a Global Administrator (GA).
  2. Activate the Services and Server Configurations tab on the main menu.
  3. Ensure that the WebFort tab in the submenu is active.
  4. Under the Password section, click the Authentication link to display the Password Authentication Policy page.
  5. Edit the fields in the Policy Configuration section, as required. The following table describes the fields of this section:

Policy Configurations

| Field | Description |
| --- | --- |
| Create | If you choose to create a new policy, then select the Create option and specify the Configuration Name of the new policy in the field that appears. |
| Update | If you choose to update an existing policy, then select the policy that you want to update from the Select Configuration list that appears. |
| Copy Configuration | Enable this option if you want to create the policy by copying the configurations from an existing policy. Note: You can also copy from configurations that belong to other organizations that you have scope on. |
| Available Configurations | Select the policy from which the configurations will be copied. |
| Lockout Credential After | Specify the number of failed attempts after which the user credential will be locked. |
| Check User Status Before Authentication | Select this option if you want to verify whether the user is active, before authenticating them. |

  6. Expand the Advanced Configurations section by clicking the [+] sign.
  7. Edit the fields in the section, as required. The following table describes the fields of this section:

Additional Password Options

| Field | Description |
| --- | --- |
| Issue Warning | Specify the number of days before the warning is sent to the calling application about the user’s impending credential expiration. |
| Allow Successful Authentication | Specify the number of days for which the users can use an expired credential to successfully log in. |
| Enable Automatic Credential Unlock | Select this option if you want the credential to be automatically unlocked after the time you specify in the following field. This field is valid only if you specify the corresponding value in the Lockout Credential After field. |
| Unlock After | Specify the number of hours after which a locked credential can be used again for authentication. |
| Challenge Validity (in Seconds) | Specify the duration for which the password challenge has to be valid. |

Partial Password Options

| Field | Description |
| --- | --- |
| Number of Password Characters to Challenge | Specify the total number of password characters that have to be challenged. The number of random positions challenged by AuthMinder Server is equal to this value. |

Alternate Processing Options

| Field | Description |
| --- | --- |
| Alternate Processing Options | The AuthMinder Server acts as a proxy and passes the authentication requests to other authentication servers, based on the following conditions. User Not Found: If the user trying to authenticate is not present in the AuthMinder database, then the request is passed to the other server. Credential Not Found: If the credential with which the user is trying to authenticate is not present in the AuthMinder database, then the request is passed to the other server. See "Configuring AuthMinder as RADIUS Proxy Server" for more information to enable this feature. |

Multiple Credential Options

| Field | Description |
| --- | --- |
| Usage Type for Verification | Choose the Any Usage Type option if you want to authenticate users with any of their passwords. For example, if the user has two passwords, welcome123 with usage type as permanent and hello123 with usage type as temporary, then the user will be authenticated if they provide either of the passwords. If you want the user to authenticate with a particular password, then enter the name of its usage type in the UsageType field. |

  8. Click Save to create or update the Password policy.
  9. Refresh all deployed AuthMinder Server instances. See "Refreshing a Server Instance" for instructions about the procedure.
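
The lockout, automatic unlock, expiry warning, and expired-credential settings described in this procedure interact, so it helps to model them together before choosing values. The following Python model is an added example and is not AuthMinder code: the class and function names, the result labels, the order of the checks, and the resetting of the failure counter on success are assumptions used only to illustrate the documented fields and to estimate how many wrong guesses per day a given lockout and unlock pair tolerates.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class PasswordPolicy:  # hypothetical model; fields mirror the page's labels
    lockout_after: Optional[int] = 3  # Lockout Credential After (failed attempts)
    auto_unlock: bool = True          # Enable Automatic Credential Unlock
    unlock_after_hours: int = 2       # Unlock After (hours)
    warn_days: int = 7                # Issue Warning (days before expiry)
    grace_days: int = 3               # Allow Successful Authentication (days after expiry)

@dataclass
class Credential:  # hypothetical per-user credential state
    expires: datetime
    failed: int = 0
    locked_at: Optional[datetime] = None

def authenticate(p: PasswordPolicy, c: Credential, password_ok: bool, now: datetime) -> str:
    """Return LOCKED, FAILED, EXPIRED, OK_GRACE, OK_WARN or OK (labels are assumptions)."""
    if c.locked_at is not None:
        # Auto-unlock only takes effect when a lockout threshold is configured.
        unlock_due = (p.lockout_after and p.auto_unlock and
                      now - c.locked_at >= timedelta(hours=p.unlock_after_hours))
        if not unlock_due:
            return "LOCKED"
        c.locked_at, c.failed = None, 0
    if not password_ok:
        c.failed += 1
        if p.lockout_after and c.failed >= p.lockout_after:
            c.locked_at = now  # assumption: the attempt that reaches the threshold locks
            return "LOCKED"
        return "FAILED"
    c.failed = 0  # assumption: a correct password resets the failure counter
    if now > c.expires + timedelta(days=p.grace_days):
        return "EXPIRED"
    if now > c.expires:
        return "OK_GRACE"  # expired, but inside the Allow Successful Authentication window
    if c.expires - now <= timedelta(days=p.warn_days):
        return "OK_WARN"   # calling application is warned of impending expiration
    return "OK"

def max_guesses_per_day(p: PasswordPolicy) -> Optional[float]:
    """Sustained wrong guesses per 24 h one credential absorbs; None means unbounded."""
    if not p.lockout_after or (p.auto_unlock and not p.unlock_after_hours):
        return None  # no lockout threshold, or an instant unlock
    if not p.auto_unlock:
        return float(p.lockout_after)  # no automatic unlock, so the lock persists
    return p.lockout_after * 24 / p.unlock_after_hours
```

With the sample values above (3 attempts, unlock after 2 hours), the model tolerates 36 wrong guesses per day against one credential, which is the figure to weigh against the password strength rules in force.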