Digipass Plug-In for IAS Product Guide - Vasco
2.5.1.1 Self-Assignment
A Digipass may be assigned to a User by their own action. The User must log in and include
the serial number, Windows static password and One Time Password. This informs the IAS
Plug-In of the assignment, and provided that the User enters the details correctly, a link will be
made between the Digipass record and the User account. A grace period is not used for this
method.
2.5.1.2 Auto-Assignment
The IAS Plug-In can automatically assign an available Digipass when a Digipass User account
is created using Dynamic User Registration (DUR). The correct Digipass must then be
delivered to the User. A grace period is typically set, which allows a number of days in which
the User may still log in using only their static password.
2.5.1.3 Manual Assignment
A selected Digipass is manually assigned to a specific Digipass User account. The Digipass
must then be sent out to the User. A grace period is typically set, during which the User may
still log in using only their static password.
2.6 Security Levels
The following will affect the security level of your setup for the IAS Plug-In:
Using the Windows Static Password instead of a Server PIN
You can configure the authentication process so that a User is required to use their Windows
static password in place of a Server PIN when logging on through a remote access server. This
is a valid two-factor authentication combination, but it is important to consider the security of
the machines from which the User will log in. If there is a risk of key logging, for example, the
hacker would still not be able to log in, but they would have captured the User's Windows
static password. If a PIN were used, they would only have captured the PIN.
This has to be balanced against the need for a User to learn and remember an additional item,
the Server PIN.
© 2005 VASCO Data Security Inc.