HyID Policy
Overview
HyID is a two-factor authentication solution integrated into HySecure. The second factor is achieved by configuring a HyID policy, which governs the generation of One Time Passwords (OTPs) that can be delivered via different mechanisms such as E-mail, SMS, Mobile and Hardware tokens.
A HyID policy can be configured for specific Users, User Groups or OUs, so that when a user from these groups tries to log in to HySecure, s/he must enter the OTP generated through the configured mechanism. Once the OTP is validated, the user is logged in to HySecure.
One or more HyID policies can be created and assigned to an Authentication Domain, which in turn is bound to a HySecure Domain.
Recommendation
It is recommended to use Active Directory in conjunction with HyID to provide group-based assignment of resource access.
The HYID POLICY page provides management of HyID policies including their creation. To get the list of configured HyID policies and manage them, perform the following steps:
- Open the Management console and expand AUTH MANAGEMENT.
- Select HyID Policy from the submenu.
- All the created HyID policies will be listed on this page in a tabular manner with the following information for each policy.
# | Field | Description |
---|---|---|
1. | HyID Policy Name | This is the logical name of the HyID Policy |
2. | Authentication Domain | This is the Authentication Domain on which HyID policy will be applied |
3. | Authentication Server | This represents the Authentication Server used from the Authentication Domain, from which the list of Users/UserGroups/OU will be derived on which the HyID policy will get applied |
4. | Binding Attribute | This represents the attribute from the Authentication Server, to which the HyID policy will be bound to |
5. | Users/UserGroups/OU | This indicates the Users / User Groups / OU to which the HyID policy would be bound to. The list is derived from the selected Authentication server configured for the Authentication Domain |
6. | HyID Status | This indicates whether the HyID Policy is enabled or not |
Search HyID Policy
The HyID policy list can be filtered or searched on the following fields:
- HyID Policy Name
- Authentication Domain
- Authentication Server
- Binding Attribute
- Users/Groups/OU
The field on which the list is to be filtered can be selected in the "Search Filter" drop down list. The search values can then be specified in the "Search Policy" text box. On clicking the "Show" button, the filtered list will get displayed.
The list filtered on User or User Group or OUs can be seen by selecting the search filter as "Binding Attribute" and selecting the search policy as either of User / UserGroup / OU, as needed.
Add HyID Policy
On the HyID Policy page, click on the Add button to create a HyID Policy and provide the information indicated against each head.
S.No. | Field | Type | Description |
---|---|---|---|
1 | HyID Policy Name | String | This is a logical identifier for the HyID policy which is used for listing as well as logging and reporting. |
2 | HyID Policy Description | String | Enter a description of the need or use of this policy for easy recall. |
3 | HyID Policy Type | List | HySecure: choose this option to configure Two Factor Authentication for a domain. HyID Desktop Agent: choose this option to configure Two Factor Authentication for desktop login of users. |
User Database
S.No | Field | Type | Description |
---|---|---|---|
1 | Select Authentication Domain | List | Select from the list of configured Authentication Domains on which the HyID policy needs to be applied for achieving Two Factor Authentication. |
2 | Select Authorization Server | List | This list will be filled with the authorization servers configured for the selected Authentication Domain. Select the authorization server from the list from where the Users/User Groups/Organizational Unit will be fetched. |
3 | Select Policy Assignment Type | List | Choose from the list of Users/User Groups/Organizational Units on which you want the policy to be applied. Based on the selected "Policy Assignment Type", the list box is filled by fetching the relevant information from the selected Authorization Server. Select from the list and click the "Add" button to move the entry to the list on which this policy will be applied. Specific Users/User Groups/Organizational Units can be narrowed down by typing the first few letters of the name in the Search box; the selection can then be made from the narrowed-down list. |
HySecure Authentication
Select HyID Policy Type as HySecure, to configure multi factor authentication.
S.No. | Field | Type | Description |
---|---|---|---|
1 | Enable Two factor authentication | radio button | Click on this radio button to configure Two Factor Authentication for the above selected Users/User Groups/Organizational Units. |
2 | Disable Two factor authentication | radio button | Click on this radio button to disable Two factor authentication. On selecting this option, the 2FA cannot be configured. |
Select 2FA tokens
This section is used to configure the medium through which the tokens will be sent to the user for authentication.
S.No. | Field | Type | Description |
---|---|---|---|
1 | Enable in-line 2FA | Check Box | Check this option, if one of the OTP delivery mechanisms is to be configured |
2 | Email Token | Check Box | Select this option if the token is to be sent over Email. |
3 | SMS Token | Check Box | Select this option if the token is to be sent over an SMS. |
4 | Email and SMS Token | Check Box | Select this option if the token is to be sent over Email as well as over an SMS |
5 | Mobile Token | Check Box | Select this option if the token is to be sent as a notification on the mobile App for Android and iOS. |
6 | Hardware Token | Check Box | Select this option if the OTP is to be sent to the Hardware token. Note that the hardware token should have been registered and assigned to a user. |
Email and SMS OTP Configuration
Configuration under this block is enabled only if either or both of Email and SMS token are selected for the 2-factor authentication.
S.No. | Field | Type | Description |
---|---|---|---|
1 | Select OTP token length | List | Select the length of OTP token which should be sent to the user over Email/SMS. |
2 | Select OTP token expiry time | List | Select the time after which OTP will expire and user will be required to request for another OTP. |
3 | Enable OTP token use for multiple time | Check Box | Select this option to use the OTP multiple times across user login and restricted by the OTP token expiry time. For e.g. if OTP expiry time is 1 hour and this option is checked, then user can login multiple times using the OTP generated for the first time within the configured OTP expiry time which is 1 hour in the example. |
4 | Select OTP token regenerate timeout | List | Select the timeout from the list, after which the OTP will be regenerated. |
5 | Select maximum OTP send attempts | List | |
6 | Select OTP sending cool off time | List | |
Mobile token configuration
Configuration under this block is enabled only if Mobile token is selected for the 2-factor authentication.
S.No. | Field | Type | Description |
---|---|---|---|
1 | Select OTP token length | List | Select the length of OTP token which should be sent to the user over Email/SMS. |
2 | Select OTP token expiry time | List | Select the time after which OTP will expire and user will be required to request for another OTP |
3 | Enable OTP token use for multiple time | Check Box | Select this option to use the OTP multiple times across user login and restricted by the OTP token expiry time. For e.g. if OTP expiry time is 1 hour and this option is checked, then user can login multiple times using the OTP generated for the first time within the configured OTP expiry time which is 1 hour in the example. |
4 | Select OTP token regenerate timeout | List | Select the timeout from the list, after which the OTP will be regenerated. |
5 | Enable self-service mobile token registration for users | Checkbox | Select the checkbox if HD_TBD |
6 | Allow re-activation of same device | Checkbox | Select the checkbox if HD_TBD |
7 | Allow multiple devices per User | List | Select the number of devices from which the user can HD_TBD |
Common OTP Configuration
S.No. | Field | Type | Description |
---|---|---|---|
1 | Account lockout on number of failed attempts | Check Box | Select this option and set the number of failed attempts that will lead to the user account being locked out. Once locked out, the user will not be able to log in again until the administrator unlocks the user through the "AUTH MANAGEMENT | User Profiles" menu. |
Risk Based Profile Configuration
S.No. | Field | Type | Description |
---|---|---|---|
1 | Disable OTP for WAN IP addresses | Check Box | Select this option and enter the IP address or range of IP addresses for which the OTP should not be sent. |
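The following is an added example, not HySecure or HyID product code, showing how the Email/SMS OTP settings (token length, expiry, multiple-use), the common account-lockout setting and the risk-based WAN IP exemption above combine at login time. The class and function names (OtpPolicy, HyidModel, issue_otp, verify, walkthrough) and the sample values (6-digit code, 300-second expiry, 3 failed attempts, exempt range 10.0.0.0/8) are assumptions made for illustration; send-attempt limits and cool-off timers are not modelled because the page does not describe their behaviour.

```python
"""Added example (not HySecure/HyID code): a model of OTP policy enforcement.
All names and sample values below are constructed for illustration."""
import ipaddress
import secrets
import time
from dataclasses import dataclass


@dataclass
class OtpPolicy:
    # Mirrors the policy fields on this page; defaults are constructed samples.
    token_length: int = 6            # "Select OTP token length"
    expiry_seconds: int = 300        # "Select OTP token expiry time"
    multi_use: bool = False          # "Enable OTP token use for multiple time"
    max_failed_attempts: int = 5     # "Account lockout on number of failed attempts"
    otp_exempt_networks: tuple = ()  # "Disable OTP for WAN IP addresses" (CIDR strings)


@dataclass
class UserState:
    otp: str = ""            # empty string means no live OTP
    issued_at: float = 0.0
    failed_attempts: int = 0
    locked: bool = False


class FakeClock:
    """Controllable clock so expiry can be exercised deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class HyidModel:
    def __init__(self, policy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock
        self.users = {}

    def _state(self, user):
        return self.users.setdefault(user, UserState())

    def otp_required(self, source_ip):
        """Risk-based profile: no OTP is demanded from an address inside an exempt range."""
        ip = ipaddress.ip_address(source_ip)
        return not any(ip in ipaddress.ip_network(n) for n in self.policy.otp_exempt_networks)

    def issue_otp(self, user):
        """Generate a fresh numeric OTP of the configured length from a CSPRNG."""
        st = self._state(user)
        st.otp = "".join(secrets.choice("0123456789") for _ in range(self.policy.token_length))
        st.issued_at = self.clock()
        return st.otp

    def verify(self, user, submitted):
        st = self._state(user)
        if st.locked:
            return "locked"
        if not st.otp or self.clock() - st.issued_at > self.policy.expiry_seconds:
            st.otp = ""                       # expired or already consumed
            return "expired"
        if not secrets.compare_digest(submitted, st.otp):
            st.failed_attempts += 1           # constant-time compare; count the failure
            if st.failed_attempts >= self.policy.max_failed_attempts:
                st.locked = True              # stays locked until an administrator unlocks
                return "locked"
            return "invalid"
        st.failed_attempts = 0
        if not self.policy.multi_use:
            st.otp = ""                       # single-use: the same code cannot be replayed
        return "ok"

    def admin_unlock(self, user):
        """Equivalent of the administrator unlocking the user from User Profiles."""
        st = self._state(user)
        st.locked, st.failed_attempts = False, 0


def walkthrough():
    """Run the policy through the cases described on the page; returns the outcomes."""
    clock = FakeClock()
    policy = OtpPolicy(token_length=6, expiry_seconds=300, multi_use=False,
                       max_failed_attempts=3, otp_exempt_networks=("10.0.0.0/8",))
    m = HyidModel(policy, clock)
    out = [m.otp_required("10.1.2.3"),      # exempt internal range -> False
           m.otp_required("203.0.113.7")]   # constructed WAN address -> True
    code = m.issue_otp("alice")
    out.append(len(code))                   # configured length -> 6
    out.append(m.verify("alice", code))     # first use -> "ok"
    out.append(m.verify("alice", code))     # replay of single-use code -> "expired"
    code = m.issue_otp("alice")
    clock.now += 301                        # past the 300-second expiry
    out.append(m.verify("alice", code))     # -> "expired"
    code = m.issue_otp("bob")
    wrong = "x" * len(code)                 # can never equal a numeric code
    out += [m.verify("bob", wrong), m.verify("bob", wrong), m.verify("bob", wrong)]
    out.append(m.verify("bob", code))       # correct code but account is locked
    m.admin_unlock("bob")
    out.append(m.verify("bob", code))       # -> "ok" after administrator unlock
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The model keeps the OTP comparison constant-time and counts every failure toward the lockout threshold, so an attacker who has already obtained the first factor cannot brute-force a short numeric code; the WAN IP exemption is evaluated before any OTP is issued, which is why the exempt range should be limited to networks that are themselves trusted.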
Modify HyID Policy
On the HyID Policy page, select the policy whose details are to be modified and click on the Modify button. Modify the details as appropriate and click on Submit button for the changes to take effect.
Delete HyID Policy
On the HyID Policy page, select the policy which needs to be deleted and click on the Delete button. On confirmation, the policy will be deleted.