aXsGUARD Identifier 3.0.2.0 Product Guide v1.5
User Authentication Process
The three possible request mechanisms are:
a Response only One Time Password (OTP: described in section
a Challenge for Challenge/Response OTP generation (described in section
a Virtual DIGIPASS OTP (described in section ; for further information on Virtual DIGIPASS use, please see section
For more information on these authentication methods, see section
3.5.3.2 DIGIPASS Lookup and Checks
The first step of Local Authentication is to search for DIGIPASS records applicable to the login. Normally, this is a
simple search for all DIGIPASS records assigned to the DIGIPASS User Account. However, if no DIGIPASS User
Account is found, a DIGIPASS is not searched for. This can occur if Dynamic User Registration is enabled: see
When a DIGIPASS User Account is found, the search for DIGIPASS records may be affected by policy restrictions,
linked user accounts and a DIGIPASS Grace Period as explained below. Having taken these restrictions into
account, it is possible that multiple DIGIPASS records and/or multiple applications enabled for a DIGIPASS may be
identified. In this case, the aXsGUARD Identifier checks all available applications. Any one of them can validate the
OTP. Validation only needs to be completed with one application, after which the aXsGUARD Identifier stops
checking through the available applications.
Image 7: Multiple DIGIPASS Assignment
Policy Restrictions
The Policy can specify restrictions on which types of DIGIPASS and/or DIGIPASS applications may be used. Any
combination of the following restrictions can be defined:
Application Names - a list of named applications. Only DIGIPASS with one or more of the named applications are usable.
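The lookup and validation flow described above, modelled as an added example (not code from the product or this guide). RFC 4226 HOTP stands in for the DIGIPASS OTP algorithm, and the store layout, serial numbers, application names and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, a stand-in for the vendor's OTP algorithm (assumption)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed sample store: user account -> assigned DIGIPASS records,
# each with one or more enabled applications (hypothetical names and secrets).
DIGIPASS_STORE = {
    "alice": [
        {"serial": "DP-0001", "applications": [
            {"name": "APP_RO", "secret": b"constructed-secret-1", "counter": 7}]},
        {"serial": "DP-0002", "applications": [
            {"name": "APP_CR", "secret": b"constructed-secret-2", "counter": 3},
            {"name": "APP_RO", "secret": b"constructed-secret-3", "counter": 12}]},
    ],
}

def candidate_applications(user, allowed_names=None):
    """Lookup step: every application on every DIGIPASS assigned to the user,
    narrowed by the policy's Application Names list when one is set."""
    records = DIGIPASS_STORE.get(user)
    if records is None:  # no DIGIPASS User Account: no DIGIPASS is searched for
        return []
    return [(rec["serial"], app)
            for rec in records for app in rec["applications"]
            if allowed_names is None or app["name"] in allowed_names]

def local_authenticate(user, otp, allowed_names=None):
    """Check candidates in order and stop at the first one that validates.
    Returns (serial, application name) on success, None on failure."""
    for serial, app in candidate_applications(user, allowed_names):
        expected = hotp(app["secret"], app["counter"])
        # Constant-time comparison of the submitted and expected OTP.
        if hmac.compare_digest(expected.encode(), otp.encode()):
            app["counter"] += 1  # HOTP stand-in: advance so the OTP is single-use
            return serial, app["name"]
    return None
```

Each additional candidate application is one more OTP value that will be accepted for the login, which is what the Application Names restriction narrows.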
© 2009 VASCO Data Security