aXsGUARD Identifier 3.0.2.0 Product Guide v1.5
DIGIPASS
17.5.4 Implementation Decision
Several factors need careful consideration before implementing a Virtual DIGIPASS system:
Cost: your company will probably need to pay an amount for each text message sent. In some countries,
mobile phone owners may need to pay an amount for each text message received on their mobile phones.
These costs need to be taken into consideration when deciding how to implement Virtual DIGIPASS
functionality.
Security: hardware DIGIPASS devices provide the highest level of security. Virtual DIGIPASS provides a lower,
although still high, level of security. This needs to be weighed against other considerations before deciding
whether and how to implement Virtual DIGIPASS.
Convenience: a Virtual DIGIPASS is more convenient than a hardware DIGIPASS for many Users. Only the
User's usual mobile phone is required: there are no extra devices to carry around. Users who do not habitually
carry their mobile phone with them, though, are likely to find a GO 1 or GO 3 more convenient. Additionally,
having Backup Virtual DIGIPASS enabled might result in Users getting important work done at home rather
than needing to go to work to collect a forgotten DIGIPASS device.
Virtual DIGIPASS login options: a decision must be made as to how Users will log in using Virtual DIGIPASS.
In particular, Users with a hardware DIGIPASS device and the Backup Virtual DIGIPASS enabled must be able
to request an OTP to be sent to their mobile when required, but to log in using the hardware DIGIPASS at other
times.
The simplest method for the User is to allow a 2-step login process, where the User enters their User ID and
password only, triggering an OTP Request, and is redirected to a second login page to enter the OTP sent to
them. To use this method, though, your system must be set up to allow 2-step logins. Check with your system
administrator if unsure.
Alternatives to the 2-step login are a sequence of two 1-step logins or the use of a specific web page to
request an OTP, separate from the login page screen (see also section
For more information on Virtual DIGIPASS use during an authentication attempt, see section
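The 2-step login described in this section, sketched as an added example; it is not code from the product or from this guide. The class name, the SMS callback, the 6-digit OTP, the 5-minute validity and the 3-try limit are all assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

OTP_TTL = 300      # assumed OTP validity in seconds
MAX_TRIES = 3      # assumed number of wrong OTP entries allowed per request

class TwoStepLogin:
    """Hypothetical model of the 2-step login: password first, texted OTP second."""

    def __init__(self, users, send_sms, now=time.time):
        self.users = users        # user_id -> (salt, password hash, mobile number)
        self.send_sms = send_sms  # callable(mobile, text); stands in for the SMS gateway
        self.now = now
        self.pending = {}         # user_id -> [otp, expires_at, tries_left]

    @staticmethod
    def hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def step1(self, user_id, password):
        """User ID and password only; a correct password triggers the OTP Request."""
        # Unknown users get a dummy record so they cost the same hashing work.
        salt, stored, mobile = self.users.get(user_id, (b"\0" * 16, b"", None))
        if not hmac.compare_digest(self.hash_password(password, salt), stored):
            return False          # no text message is spent on a failed password
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[user_id] = [otp, self.now() + OTP_TTL, MAX_TRIES]
        self.send_sms(mobile, f"Your one-time password is {otp}")
        return True               # caller redirects to the second login page

    def step2(self, user_id, otp):
        """Second page: accept the texted OTP once, before expiry, within the try limit."""
        entry = self.pending.get(user_id)
        if entry is None:
            return False          # no OTP was requested, or it was already consumed
        expected, expires_at, tries_left = entry
        if self.now() > expires_at:
            del self.pending[user_id]
            return False
        if hmac.compare_digest(otp.encode(), expected.encode()):
            del self.pending[user_id]   # single use
            return True
        entry[2] = tries_left - 1
        if entry[2] <= 0:
            del self.pending[user_id]   # too many wrong entries: back to step 1
        return False
```

Because the text message is sent only after the static password validates, the per-message cost noted under "Cost" is not incurred for failed password attempts.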
17.5.5 Limiting Use of Virtual DIGIPASS
Use of Primary and Backup Virtual DIGIPASS may be limited by:
Using Backup Virtual DIGIPASS only.
Minimizing the number of Users assigned a Primary Virtual DIGIPASS.
A User’s Primary Virtual DIGIPASS use cannot be limited.
The Backup Virtual DIGIPASS feature may be enabled as an ‘emergency’ backup for Users who have left their
primary DIGIPASS device at home, or for other reasons do not have access to it. Use of this feature can be limited
for each DIGIPASS device by:
Time limit (days): set a time period in which a User may access the Backup Virtual DIGIPASS. After this period
has expired, any Virtual DIGIPASS requests from the User are rejected. If the User is still unable to use their
DIGIPASS device, the time period must be extended by an administrator. Once the User has started using their
© 2009 VASCO Data Security