Digipass Plug-In for IAS Product Guide - Vasco

More documents

Recommendations

Info

Digipass Plug-In for IAS Product Guide Digipass 2.7.6 Limiting Usage of Virtual Digipass Use of Virtual Digipass may be limited by: Using Backup Virtual Digipass only. Minimizing the number of Users assigned a Primary Virtual Digipass. A User’s Primary Virtual Digipass use cannot be limited. The Backup Virtual Digipass feature may be enabled as an ‘emergency’ backup for Users who have left their primary Digipass at home, or for other reasons do not have access to their primary Digipass. Use of this feature can be limited for each User by: Time period Set a time period in which a User may access the Backup Virtual Digipass. After this period has expired, any Virtual Digipass requests from the User will be rejected. If the User is still unable to use their Digipass, the time period must then be extended by an administrator. Once they have started using their Digipass again, the administrator must reset the time period if the User is to be allowed to use Backup Virtual Digipass again. Number of Uses Set a maximum number of times a User may request an OTP using the Backup Virtual Digipass feature. When the User has reached this number of uses, any further OTP requests from the User will be rejected. This must be reset by an administrator if further use of the Backup Virtual Digipass is required for the User. Global and Individual Backup Virtual Digipass settings Backup Virtual Digipass options can be set globally or individually, to allow a standard policy for all Digipass with exceptions made where necessary. Global settings will affect all Digipass whose individual option is set to 'Default'. Global options are defined in the Policy that controls authentication. Therefore, by using multiple Policies, you have some additional flexibility. 2.7.6.2 Backup Virtual Digipass Usage Guidelines Some questions which will need to be answered before arriving at a Backup Virtual Digipass usage guidelines are: Will any users have access to Backup Virtual Digipass? If so, will all users have access to Backup Virtual Digipass? Will usage of Backup Virtual Digipass be limited? If so, how? Time-limited Limited number of uses © 2005 VASCO Data Security Inc. 40
Digipass Plug-In for IAS Product Guide Digipass Some Possible Guidelines Guideline Pro Con Backup Virtual Digipass disabled for all - enabled for individual Users as required. Backup Virtual Digipass enabled for all - either time/number of usage limit set. Backup Virtual Digipass enabled for all - no limits set. Table 5: Backup Virtual Digipass Example Guidelines Low text message costs Manual enable for each User and circumstance. Possible heavy administration load. Predictable text message costs 2.7.7 Resetting Virtual Digipass Restrictions Administrator may need to reset limits frequently – medium administration load. Lighter administration load Possible high text message costs. When a User has reached their limit of Virtual Digipass use, an administrator must reset their limit. 2.7.8 Virtual Digipass Login options A decision must be made as to how Users will log in using Virtual Digipass. In particular, Users with a hardware Digipass and the Backup Virtual Digipass enabled must be able to request an OTP to be sent to their mobile when required, but to login using the hardware Digipass at other times. The simplest method for the User is to allow a 2-step login process, where the User enters their User ID and static password only, triggering an OTP Request, and are redirected to a second login page to enter the OTP sent to them. To use this method, though, your system must be set up to allow 2-step logins. Check with your system administrator if unsure. Alternatives to the 2-step login are a sequence of two 1-step logins or the use of the OTP Request Site. See the Administrator Reference for information on possible login permutation. 2.7.9 Location of OTP Request Site If the OTP Request Site is to be used, its location must be decided. You may choose to install the Web Site onto any web server, bearing the following in mind: If the Web Site is installed onto a web server in the DMZ, you need to permit TCP/IP access from the web server to the IAS Plug-In on port 20003. This is the recommended option. The Web Site can be used on the Internet, however it would be essential to provide SSL (or TLS) encryption for access to it. Otherwise, an attacker could discover static passwords and PINs. The other point to take into consideration is that publishing the Web Site on the Internet would allow anyone in the world to send requests to the IAS Plug-In – this would provide the potential for denial of service and brute force attacks. It would be strongly advised to protect the Web Site from general use in some way. If the Web Site is installed onto a web server that communicates over a WAN link to the IAS Server(s), the WAN link must be encrypted. For example, an IPSEC-based VPN connection would be sufficient. © 2005 VASCO Data Security Inc. 41
Page 1 and 2: Digipass Plug-In for IAS IAS Plug-I
Page 3 and 4: Digipass Plug-In for IAS Product Gu
Page 39: Digipass Plug-In for IAS Product Gu
Page 73: Digipass Plug-In for IAS Product Gu

Digipass Plug-In for IAS Product Guide - Vasco

Create successful ePaper yourself

Delete template?

Save as template?