HyID
View HyID Policies
To view the list of HyID policies and manage them:
- Log on to the Management console.
- Go to Policies > HyID Policies.
- The policy details are listed in a table.
Field | Description |
---|---|
Policy Name | Name of the HyID Policy. |
Authentication Domain | The authentication domain on which the HyID policy is applied. |
Authentication Server | The authentication server that applies the HyID policy to the Users/User Groups/Organizational Units (OUs) it retrieves. |
Assignment Type | Shows if the assignment type is for users, groups, or OUs. |
Assigned to | Displays the names of the users, groups, or OUs to which the policy applies. |
2FA Enabled | Indicates whether Two Factor Authentication (2FA) is enabled for the policy. |
Priority | Shows the priority of policy - 1 to 10, 1 being the highest. |
Search a HyID Policy
The HyID policy list can be filtered or searched on the following fields:
- Policy Name
- Authentication Domain
- Authentication Server
- Applied to
- Binding Attribute
- Users/User Groups/OU
- Priority
The field on which the list will be filtered can be selected in the Search drop-down list. The search values can be specified in the text box.
Add a HyID Policy
The HyID policies can be configured either for HySecure or HyID Desktop Agent. The common configuration is indicated below.
- Log on to the Management console.
- Go to Policies > HyID Policies and click Add.
Field | Description |
---|---|
HyID Policy Name | HyID policy name for logging and reporting. |
HyID Policy Description | Detailed description of the HyID policy. |
HyID Policy Type | HySecure: Choose this option if you want to configure Two Factor Authentication for a domain. HyID Desktop Agent: Choose this option if you want to configure Two Factor Authentication for desktop login of users. |
Select priority of the Policy | Choose the priority of the policy - 1 to 10, 1 being the highest. |
Select Authentication Domain | Select the authentication domain on which the HyID policy is applied to achieve 2FA. |
Select Authorization Server | Select the authentication server that applies the HyID policy to the Users/User Groups/Organizational Units (OUs) it retrieves. |
Select Policy assignment Type | Select whether the policy is assigned to users, user groups, or organizational units, then choose the specific users, user groups, or OUs according to the assignment type. |
HySecure Authentication
Select HyID Policy Type as HySecure to configure Multi-Factor Authentication (MFA).
Field | Description |
---|---|
Enable Two factor authentication | Enable Two Factor Authentication (2FA) by selecting this radio button for Users, User Groups, or Organizational Units. |
Disable Two factor authentication | Click this radio button to disable 2FA. |
Select 2FA tokens
Configure how the tokens are sent to users for authentication.
Field | Description |
---|---|
Email Token | Enable if the token is to be sent over Email. |
SMS Token | Enable if the token is to be sent over an SMS. |
Email and SMS Token | Enable if the token is to be sent over Email as well as over an SMS. |
Mobile Token | Enable if the token is to be sent as a mobile app notification for Android and iOS. |
PC Token | Enable if the token is to be sent over a PC app as a notification. |
FIDO Token | Enable if the token is to be sent over Email as well as over an SMS. |
Hardware Token | Enable if the OTP is to be sent to the Hardware token. Users must register and assign a hardware token before use. |
Biometric Authentication (Face) | Enable if biometric authentication is required for a user. |
Push Notification | Enable if notifications are to be sent to the HyID app installed on the user's mobile phone or PC. Administrators can configure the MFA policy to allow users to authenticate by sending consent from the HyID apps, or to require that consent be accompanied by an additional security token such as SMS OTP, Email OTP, mobile token, PC token, hardware token, or biometric token. On a mobile app, consent authentication is approved with a single click. On a PC, consent authentication requires the user to enter an additional token unless the PC is registered with a PC token. |
Email and SMS OTP Configuration
These settings are active only when 2FA is enabled.
Field | Description |
---|---|
Select primary directory server for email/mobile | Select the primary directory server used for sending Email/SMS OTPs. |
Select secondary directory server for email/mobile | Select the secondary directory server used for sending Email/SMS OTPs. |
Select OTP token length | Select the length of the OTP sent via Email/SMS. |
Select OTP token expiry time | Select the OTP expiry time. |
Enable OTP token use for multiple time | Check this option to use the OTP multiple times during user login, within the OTP expiry time, e.g., if the expiry time is one hour and this option is selected, the user can log in multiple times using the OTP generated within the same hour. |
Select OTP token regenerate timeout | Select a timeout from the list to regenerate OTP. |
Select maximum OTP send attempts | Select the maximum number of times an OTP can be sent before locking out the user to limit authentication attempts. |
Select OTP sending cool off time | Choose the duration of the lockout period before reauthentication. |
Mobile/PC/FIDO token configuration
These settings are active only when 2FA is enabled.
Field | Description |
---|---|
Select OTP token length | Select the length of OTP token to send over Email/SMS. |
Select OTP token expiry time | Choose the OTP expiration time. |
Enable OTP token use for multiple time | Selecting this option allows the user to reuse the same OTP during their login session, within the OTP token expiry time. For example, if the expiry time is one (1) hour and this option is checked, the user can log in multiple times using the same OTP generated for the first login within 1 hour. |
Select OTP token regenerate timeout | Select the timeout from the list, after which the OTP will be regenerated. |
Enable Email/SMS token for Mobile Token Registration | An authenticated user can register or reactivate their mobile token in an authenticator app without authenticating with MFA, i.e. without SMS or Email OTP verification. This supports the use case where the user's mobile phone number or email address is not available in the user directory. The option can be customized at user level and is set to not ask for MFA by default. |
Enable self-service mobile token registration for users | Select if users can themselves register for the mobile token. |
Allow re-activation of same device | Check the box to reuse the same authenticator OTP during the token expiry time. |
Allow multiple devices per User | Select the number of devices from which a user is allowed to log in simultaneously. |
Common OTP Configuration
These settings are active only when 2FA is enabled.
Field | Description |
---|---|
Account lockout on number of failed attempts | Choose this option to set the number of failed login attempts that will lock the user account. The account can only be unlocked by an administrator. |
Account Lockout Time | Choose the lockout duration. |
Risk-Based Profile Configuration
Field | Description |
---|---|
Disable OTP for WAN IP addresses | Select this option and specify the IP addresses that should not receive the OTP. |
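The Email and SMS OTP, Common OTP and Risk-Based Profile settings above interact: the regenerate timeout decides whether a repeat request re-sends or mints a code, the send limit feeds the cool-off period, the expiry and multiple-use flags gate verification, and failed verifications feed the account lockout. The following is an added example written for this page and is not Accops product code; the class and function names, the status strings, the rule that a repeat request inside the regenerate timeout re-sends the same code, and the order in which the checks apply are all assumptions.

```python
# Added example (not Accops product code): a self-contained model of how the
# Email/SMS OTP, Common OTP and Risk-Based settings on this page interact.
# Field names, statuses and the precedence between checks are assumptions.
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class OtpPolicy:
    token_length: int = 6                 # Select OTP token length
    expiry_seconds: int = 300             # Select OTP token expiry time
    allow_multiple_use: bool = False      # Enable OTP token use for multiple time
    regenerate_timeout_seconds: int = 60  # Select OTP token regenerate timeout
    max_send_attempts: int = 3            # Select maximum OTP send attempts
    send_cooloff_seconds: int = 900       # Select OTP sending cool off time
    max_failed_attempts: int = 5          # Account lockout on number of failed attempts
    lockout_seconds: int = 1800           # Account Lockout Time
    otp_bypass_networks: Tuple[str, ...] = ()  # Disable OTP for WAN IP addresses


@dataclass
class UserOtpState:
    code: Optional[str] = None
    issued_at: float = 0.0
    used: bool = False
    send_count: int = 0
    cooloff_until: float = 0.0
    failed_attempts: int = 0
    locked_until: float = 0.0


def otp_required_for_ip(policy: OtpPolicy, client_ip: str) -> bool:
    """Risk-based check: clients inside a listed WAN range skip the OTP step."""
    addr = ipaddress.ip_address(client_ip)
    return not any(addr in ipaddress.ip_network(net, strict=False)
                   for net in policy.otp_bypass_networks)


def request_otp(policy: OtpPolicy, state: UserOtpState, now: float) -> Tuple[str, Optional[str]]:
    """Mint or re-send an OTP. Returns (status, code); code is None when refused."""
    if now < state.locked_until:
        return "locked", None
    if now < state.cooloff_until:
        return "cooloff", None
    if state.send_count >= policy.max_send_attempts:
        # Send limit reached: start the cool-off period and reset the counter.
        state.cooloff_until = now + policy.send_cooloff_seconds
        state.send_count = 0
        return "cooloff", None
    state.send_count += 1
    fresh = state.code is not None and not state.used
    if fresh and now - state.issued_at < policy.regenerate_timeout_seconds:
        # Assumption: inside the regenerate timeout the same code is re-sent.
        return "resent", state.code
    state.code = "".join(secrets.choice("0123456789") for _ in range(policy.token_length))
    state.issued_at = now
    state.used = False
    return "sent", state.code


def verify_otp(policy: OtpPolicy, state: UserOtpState, submitted: str, now: float) -> str:
    """Check a submitted OTP; returns ok / wrong / expired / already_used / locked."""
    if now < state.locked_until:
        return "locked"
    if state.code is None or now - state.issued_at >= policy.expiry_seconds:
        return "expired"
    if state.used and not policy.allow_multiple_use:
        return "already_used"
    if hmac.compare_digest(state.code.encode(), submitted.encode()):
        state.used = True
        state.failed_attempts = 0
        state.send_count = 0
        return "ok"
    state.failed_attempts += 1
    if state.failed_attempts >= policy.max_failed_attempts:
        # Common OTP Configuration: lock the account for the configured time.
        state.locked_until = now + policy.lockout_seconds
        return "locked"
    return "wrong"
```

Two design points carry over to the real settings: the cool-off and the lockout are separate counters (one bounds how often a code can be delivered, the other how often a wrong code can be tried), and "use for multiple time" widens the window in which a code that has already been seen remains valid, so it should be paired with a short expiry.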
Biometric Configuration
This section guides administrators on biometric configuration.
Field | Description |
---|---|
Select Fingerprint Biometric Server | Select the Fingerprint biometric server that will be used as an authentication server. |
Enable biometric token use for multiple time | Click to enable reuse of biometric token. |
Select biometric token reuse timeout | Set token reuse timeout. |
Select Biometric Face Server | Select the biometric face server that will be used as an authentication server. |
Max failed attempts for biometric verification | The user will not be locked out after this specified time interval. |
Enable Continuous Monitoring | Click to enable continuous monitoring after the user logs in. |
Show Consent dialog | Ask for consent to monitor user via camera. Users can accept or deny. |
Show information dialog | Display customizable guidelines and instructions for the user after login. Customizable through the Management Console's "Customize Portal" section. |
Monitor at a time chosen randomly between time interval | The system randomly captures the user's face within a specified time interval, at different unspecified times. For instance, if the interval is set between 20 and 30 seconds, the user's face may be captured at the 23rd second, and then again at the 29th second. |
Max failures for monitoring | The maximum number of failed captures allowed during monitoring before a warning or action is taken. |
On Monitoring failure | Select to either show a warning or take action, if monitoring fails. |
Time duration to show warning | Specify the duration for displaying warning dialog if monitoring fails. |
Action | In case user monitoring fails, and Take Action is selected in On Monitoring failure, the user can be forced to logout. |
HyID Desktop Agent Configurations
To enable two-factor authentication for Windows users, the HyID desktop agent must be installed on the Windows machines, and a HyID policy must be created for the desktop agent on the HySecure server. This HyID desktop agent setting is pushed to all Windows machines at the time of login.
Enable HyID Desktop Agent
On enabling the HyID Desktop Agent, the policy is applied to the specified users, user groups, or OUs.
- Enable two factor authentication for desktop login: If enabled, users must provide an OTP to log in to the desktop/server console.
- Enable two factor authentication for remote access via RDP: If enabled, users must provide an OTP when initiating RDP to a target machine with the HyID desktop agent. When disabled, users can RDP without an OTP.
Desktop Agent-based HyID Configurations
HyID agent configurations, including the desktop configurations below, are pushed automatically from the HyID server to the agents whenever an agent communicates with the server.
Field | Description |
---|---|
Account lockout on number of failed attempts | Set the maximum failed login attempts allowed before account lockout. |
Account Lockout Time | This sets the time duration for a locked user account after failed login attempts. |
Bypass OTP after successful authentication for | The time period after a successful authentication during which an OTP is not required. |
Allow OTP for workstation unlock/sleep/hibernate | If enabled, OTP is required to unlock or recover from sleep/hibernation. |
Master password to bypass OTP | The administrator can configure a master password that can be used on the end user's machine to bypass OTP. |
Enable OTP for domain users | Enable if all domain users must enter an OTP at the time of login on a Windows machine. Otherwise, the HyID agent bypasses OTP for domain users. If Validate using alternate domain user is chosen, an alternate domain is used as a failover. |
Enable OTP for workgroup users | Enable to require workgroup users to enter an OTP at login. Otherwise, the HyID agent will bypass OTP for workgroup users. The user can also validate through an alternate domain user by providing credentials for the alternate domain. This way, the actual identity of the user with the service account's credentials is recorded in the HyID logs. |
Enable OTP for all workgroup users | Enable if all the workgroup users need to enter OTP at the time of login onto a Windows machine. |
Enable OTP for workgroup admin users only | Enable if the local machine's admin user needs to enter OTP at the time of login into a Windows machine. |
Enable OTP for specific workgroup users | Specify a comma-separated list of local machine users; only these workgroup users are required to enter an OTP when logging in to Windows. |
Exclude OTP for following workgroup users | The administrator can enable login for specified local machine users without OTP by providing a comma-separated list of usernames. |
Ask domain credentials for workgroup users | Enable if users are required to provide domain credentials. |
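The desktop agent settings above combine into a single decision per logon: which logon kinds are covered, which user population (domain, all workgroup, admin-only, listed, excluded) is in scope, and whether a recent successful OTP still covers the user. The following is an added example written for this page and is not Accops product code; the class and function names, the event kinds, the `workgroup_mode` values, and the order in which the checks apply (exclusion list first, then mode, then the bypass window) are assumptions about the product's behaviour.

```python
# Added example (not Accops product code): a model of how the HyID Desktop
# Agent settings above decide whether a Windows logon needs an OTP. The field
# names, event kinds and the order in which the checks apply are assumptions.
import hmac
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass
class DesktopAgentPolicy:
    otp_for_desktop_login: bool = True      # Enable two factor authentication for desktop login
    otp_for_rdp: bool = True                # Enable two factor authentication for remote access via RDP
    bypass_after_success_seconds: int = 0   # Bypass OTP after successful authentication for
    otp_for_unlock: bool = False            # Allow OTP for workstation unlock/sleep/hibernate
    otp_for_domain_users: bool = True       # Enable OTP for domain users
    workgroup_mode: str = "all"             # "all" | "admin_only" | "specific" | "none" (assumed values)
    specific_workgroup_users: FrozenSet[str] = frozenset()  # Enable OTP for specific workgroup users
    excluded_workgroup_users: FrozenSet[str] = frozenset()  # Exclude OTP for following workgroup users
    master_password: Optional[str] = None   # Master password to bypass OTP (None = not configured)


@dataclass
class LogonEvent:
    username: str
    is_domain_user: bool
    is_local_admin: bool
    kind: str                                # "console" | "rdp" | "unlock" (assumed values)
    now: float
    last_otp_success: Optional[float] = None  # time of the user's last successful OTP, if any


def desktop_otp_decision(policy: DesktopAgentPolicy, ev: LogonEvent) -> Tuple[bool, str]:
    """Return (otp_required, reason) for one logon event."""
    name = ev.username.lower()
    if ev.kind == "console" and not policy.otp_for_desktop_login:
        return False, "desktop login 2FA disabled"
    if ev.kind == "rdp" and not policy.otp_for_rdp:
        return False, "RDP 2FA disabled"
    if ev.kind == "unlock" and not policy.otp_for_unlock:
        return False, "unlock/sleep/hibernate not covered"
    if ev.is_domain_user:
        if not policy.otp_for_domain_users:
            return False, "domain users bypass OTP"
    else:
        # Assumption: the exclusion list wins over every workgroup mode.
        if name in {u.lower() for u in policy.excluded_workgroup_users}:
            return False, "excluded workgroup user"
        if policy.workgroup_mode == "none":
            return False, "workgroup users bypass OTP"
        if policy.workgroup_mode == "admin_only" and not ev.is_local_admin:
            return False, "non-admin workgroup user"
        if (policy.workgroup_mode == "specific"
                and name not in {u.lower() for u in policy.specific_workgroup_users}):
            return False, "not in the specific workgroup users list"
    if (ev.last_otp_success is not None
            and 0 <= ev.now - ev.last_otp_success < policy.bypass_after_success_seconds):
        return False, "inside post-authentication bypass window"
    return True, "OTP required"


def master_password_accepted(policy: DesktopAgentPolicy, supplied: str) -> bool:
    """Constant-time check of the admin-configured master password; False when unset."""
    if policy.master_password is None:
        return False
    return hmac.compare_digest(policy.master_password.encode(), supplied.encode())


if __name__ == "__main__":
    # Constructed sample policy and events; not taken from a real deployment.
    demo = DesktopAgentPolicy(bypass_after_success_seconds=3600, workgroup_mode="admin_only",
                              excluded_workgroup_users=frozenset({"svc_backup"}))
    for ev in (LogonEvent("CORP\\alice", True, False, "console", 1000.0),
               LogonEvent("CORP\\alice", True, False, "console", 1000.0, last_otp_success=500.0),
               LogonEvent("svc_backup", False, True, "console", 1000.0)):
        print(ev.username, ev.kind, desktop_otp_decision(demo, ev))
```

The reason string is what you would want in the agent's log line: when reviewing why a logon skipped OTP, "excluded workgroup user" and "inside post-authentication bypass window" are very different findings, and both the exclusion list and the bypass window are worth keeping short.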
Offline OTP Configurations
These configuration settings are available when the mobile token option is enabled.
Field | Description |
---|---|
Enable Offline OTP token | Enable the offline mobile token option for login when the HyID agent cannot reach the server. |
Select Offline token | Select the available Offline token types: Mobile, Hardware, and Biometric. |
Enable mobile token use for multiple time | When enabled, the same token can be used multiple times before it expires. |
Select Offline OTP token expiry time | Specify the time interval after which the offline token expires and cannot be reused. |
Maximum login attempts using Offline OTP | Limit the number of offline token logins for users. |
Modify HyID Policy
On the HyID Policies page, select the policy and click Modify. Edit the details and click Submit.
Delete HyID Policy
Select the policy to be deleted from the HyID Policy page and click the Delete button. Once confirmed, the policy will be permanently removed.