
HyID Policy

Overview

HyID is a Two-Factor Authentication (2FA) solution that can be used either with HySecure or as a standalone solution. It offers a ready-to-use authentication system for third-party applications when used as a standalone solution.

The HyID policy allows for configuring MFA using diverse tokens such as SMS, Email, Mobile and Hardware, Push notifications, Face Authentication, PC tokens, FIDO, and Fingerprint authentication.

The HyID policy enables configuring MFA for users, user groups, or organizational units (OU). Consequently, members of these groups must authenticate using MFA generated through the designated mechanisms when accessing HySecure or third-party applications.

Multiple HyID policies can be created by the administrator and assigned to an authentication domain, which can then be linked to a HySecure domain.

Note

It is recommended to use HyID in conjunction with Active Directory to enable group-based resource access assignments.

View HyID Policies

To view the list of HyID policies and manage them:

  1. Log on to the Management Console.

  2. Navigate to Policies > HyID Policies.

  3. The policy details are listed in a tabular form with the following details:

  • Policy Name: Displays the name given to the policy.
  • Authentication Domain: Displays the authentication domain on which the HyID policy is applied.
  • Authentication Server: Displays the authentication server used to apply the HyID policy to the list of Users/User Groups/Organizational Units (OU) that it retrieves.
  • Assignment Type: Displays to whom the policy is applied: users, groups, or OUs.
  • Assigned to: Displays the names of the users, groups, or OUs to which the policy applies.
  • 2FA Enabled: Displays whether the Two-Factor Authentication (2FA) policy is enabled or not.
  • Priority: Displays the priority of the policy, in the range 1 to 10, where 1 is the highest.

Search a HyID Policy

The HyID policy list can be filtered or searched on the following fields:

  • Policy Name
  • Authentication Domain
  • Authorization Server
  • Applied to
  • Users/ User Groups/OU
  • Priority

The field on which the list will be filtered can be selected in the Search drop-down list. The search values can be specified in the text box.

Add a HyID Policy

The HyID policies can be configured either for HySecure or HyID Desktop Agent.

Common configurations

A common HyID Policy configuration is indicated below.

  1. Log on to the Management Console.

  2. Navigate to Policies > HyID Policies and click Add.

  • HyID Policy Name: Enter the identifier for the HyID policy.
  • HyID Policy Description: Enter a detailed description of the HyID policy.
  • HyID Policy Type: Select the type of the HyID policy from the drop-down list:
      • HySecure: Select this option to enable Two-Factor Authentication (2FA) for login through the HySecure client/HyLite portal.
      • HyID Desktop Agent: Select this option to enable Two-Factor Authentication (2FA) for desktop login users.
  • Select priority of the Policy: Select the policy priority level from 1 to 10, where 1 is the highest.
  • Select Authentication Domain: Select the authentication domain on which the HyID policy is applied to achieve 2FA.
  • Select Authorization Server: Select the authorization server to apply the HyID policy to the list of Users/User Groups/Organizational Units (OU) that it retrieves.
  • Select Policy assignment Type: Select users, user groups, or organizational units to apply the policy.

Policy-wise configurations

The details of policy-wise configurations are given below.

HySecure Authentication

Select HyID Policy Type as HySecure to configure Multi-Factor Authentication (MFA).

  • Enable Two factor authentication: Select the radio button to enable Two-Factor Authentication (2FA) for users, user groups, or organizational units.
  • Disable Two factor authentication: Select the radio button to disable Two-Factor Authentication (2FA).

Select 2FA tokens

This section configures how the tokens are sent to users for authentication. It is visible only when 2FA is enabled.

  • Email Token: Select the box to enable sending the token over email.
  • SMS Token: Select the box to enable sending the token over SMS.
  • Email and SMS Token: Select the box to enable sending the token over both email and SMS.
  • Mobile Token: Select the box to enable the token to be entered from a registered Android or iOS mobile using the Accops HyID client.
  • PC Token: Select the box to enable the token to be entered from a registered Windows machine using the Accops HyID client.
  • FIDO Token: Select the box to enable the FIDO token for MFA.
  • Hardware Token: Select the Hardware Token MFA type for the particular user/user group. Users must register and be assigned a hardware token before use.
  • Biometric Authentication (Face): Select the box to enable biometric authentication for a user.
  • Push Notification: Select the box to enable notifications to the HyID app on the user's device, allowing the administrator to set MFA policies that use consent from the app. This can be accompanied by SMS OTP, Email OTP, Hardware, or Biometric tokens.

Email and SMS OTP Configuration

This section configures 2FA via email and SMS OTP for authentication. It is visible only when 2FA is enabled.

  • Select primary directory server for email/mobile: Choose the primary directory server from which to fetch the user's mobile number/email address to which the OTP is sent.
  • Select secondary directory server for email/mobile: Choose the secondary directory server from which to fetch the user's mobile number/email address to which the OTP is sent.
  • Select OTP token length: Choose the length of the OTP token to send via email/SMS.
  • Select OTP token expiry time: Choose the OTP expiration time.
  • Enable OTP token use for multiple time: Check this option to allow the OTP to be used multiple times during user login within the OTP expiry time, e.g., if the expiry time is one hour and this option is selected, the user can log in multiple times using the OTP generated within the same hour.
  • Select OTP token regenerate timeout: Select a timeout from the list after which the OTP is regenerated.
  • Select maximum OTP send attempts: Select the maximum number of times an OTP can be sent before locking out the user, to limit authentication attempts.
  • Select OTP sending cool off time: Choose the duration of the lockout period before the user is allowed to request an OTP again.

Mobile/PC/FIDO token configuration

This section's configuration is exclusively active when 2FA authentication is enabled.

  • Select OTP token length: Select the length of the OTP token to send over email/SMS.
  • Select OTP token expiry time: Select the OTP expiration time for the Mobile/PC token.
  • Enable OTP token use for multiple time: This option enables users to reuse the same OTP for multiple logins within a session, as long as the token has not expired, e.g., if the token expires in an hour and this option is selected, users can use the same OTP to log in multiple times within that hour.
  • Select OTP token regenerate timeout: Select the timeout from the list, after which the OTP will be regenerated.
  • Enable Email/SMS token for Mobile Token Registration: Allows users to register or reactivate their mobile token in an authenticator app without completing multi-factor authentication (MFA). This is intended for cases where mobile or email verification is unavailable. The MFA bypass can be customized per user and, by default, MFA is not required.
  • Enable self-service mobile token registration for users: Select this option if users are allowed to self-register mobile tokens without the administrator's intervention.
  • Allow re-activation of same device: Check this box to allow users to reactivate mobile tokens.
  • Allow multiple devices per User: Select the number of devices from which a user can be logged in simultaneously.

Note

These parameters are fixed and cannot be changed.

Common OTP Configuration

This section's configuration is exclusively active when 2FA authentication is enabled.

  • Account lockout on number of failed attempts: Choose this option to set the number of failed login attempts after which the user account is locked.
  • Account Lockout Time: Choose the duration after which the user account is unlocked for login.
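The OTP settings in the Email and SMS OTP table above and the lockout settings in this section act together on one login flow. The following is an added illustrative model of those semantics (constructed example, not HyID's own code): token length and expiry, single-use versus multi-use within the expiry window, maximum send attempts followed by a cool-off, and account lockout after repeated failures; the regenerate timeout is left out, and all names, default values and the injected clock are assumptions.

```python
import secrets
from dataclasses import dataclass

@dataclass
class OtpPolicy:  # assumed field names; defaults are constructed values
    token_length: int = 6          # Select OTP token length
    expiry_s: int = 300            # Select OTP token expiry time
    multi_use: bool = False        # Enable OTP token use for multiple time
    max_send_attempts: int = 3     # Select maximum OTP send attempts
    send_cooloff_s: int = 900      # Select OTP sending cool off time
    max_failed_attempts: int = 5   # Account lockout on number of failed attempts
    lockout_s: int = 1800          # Account Lockout Time

@dataclass
class UserState:
    token: str = ""
    issued_at: float = 0.0
    used: bool = False
    sends: int = 0
    send_locked_until: float = 0.0
    failures: int = 0
    locked_until: float = 0.0

class OtpService:
    def __init__(self, policy: OtpPolicy):
        self.policy, self.users = policy, {}
    def request_otp(self, user: str, now: float):  # -> ('sent', token) | ('denied', reason)
        p, s = self.policy, self.users.setdefault(user, UserState())
        if now < s.locked_until:
            return "denied", "account locked"
        if now < s.send_locked_until:
            return "denied", "send cool-off"
        if s.sends >= p.max_send_attempts:  # too many sends: start the cool-off window
            s.send_locked_until, s.sends = now + p.send_cooloff_s, 0
            return "denied", "send cool-off"
        s.token = "".join(secrets.choice("0123456789") for _ in range(p.token_length))
        s.issued_at, s.used, s.sends = now, False, s.sends + 1
        return "sent", s.token
    def verify(self, user: str, candidate: str, now: float) -> bool:  # 'now' injected for tests
        p, s = self.policy, self.users.setdefault(user, UserState())
        if now < s.locked_until:
            return False
        if (s.token and now - s.issued_at < p.expiry_s and (p.multi_use or not s.used)
                and secrets.compare_digest(candidate, s.token)):
            s.used, s.failures, s.sends = True, 0, 0   # reuse allowed only if multi_use
            return True
        s.failures += 1
        if s.failures >= p.max_failed_attempts:  # lock the account for lockout_s
            s.locked_until, s.failures = now + p.lockout_s, 0
        return False
```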

Risk-Based Profile Configuration

  • Disable OTP for WAN IP addresses: Select this option and specify the WAN IP addresses that are allowed to log in without MFA.

Biometric Configuration

This section guides administrators on biometric configuration.

  • Select Fingerprint Biometric Server: Select the fingerprint biometric server that will be used for fingerprint authentication.
  • Enable biometric token use for multiple time: Click to enable reuse of the biometric token.
  • Select biometric token reuse timeout: Set the token reuse timeout.
  • Select Biometric Face Server: Select the biometric face server that will be used as the authentication server.
  • Max failed attempts for biometric verification: Select the number of failed face authentication attempts after which the user account is locked out in HySecure.
  • Enable Continuous Monitoring: Click to enable continuous monitoring after the user logs in.
  • Show Consent dialog: Ask for consent to monitor the user via camera. Users can accept or deny it.
  • Show information dialog: Display customizable guidelines and instructions for the user after login. These are customizable through the Management Console's "Customize Portal" section.
  • Monitor at a time chosen randomly between time interval: The system captures the user's face at random, unspecified times within the specified interval. For instance, if the interval is set between 20 and 30 seconds, the user's face may be captured at the 23rd second and then again at the 29th second.
  • Max failures for monitoring: The maximum number of failed captures allowed during monitoring before a warning or action is taken.
  • On Monitoring failure: Select whether to show a warning or take action if monitoring fails.
  • Time duration to show warning: Specify the duration for displaying the warning dialog if monitoring fails.
  • Action: If user monitoring fails and Take Action is selected in On Monitoring failure, the user can be forced to log out.

HyID Desktop Agent Configurations

To add an extra layer of security, the administrator can enable two-factor authentication on the user's login by following these steps:

  1. Install the HyID client on each machine.
  2. Create the HyID Desktop Agent policy on the HySecure gateway.
  3. The policy will be pushed to all Windows machines during login.

This will ensure the HyID desktop agent setting is properly configured across all clients.

Enable HyID Desktop Agent

On enabling the HyID Desktop Agent, the policy will be applied for the specified users, user groups, or OU.

  • Enable two factor authentications for desktop login: If enabled, the user will be asked to provide MFA to log into the desktop/server console.
  • Enable two factor authentications for remote access via RDP: If enabled, users will be asked to provide MFA when initiating RDP to a target machine. When disabled, users will be able to log in without MFA.

Desktop Agent-based HyID Configurations

HyID agent configurations are automatically pushed from the HyID server to agents, including desktop configurations triggered by agent communication with the server.

  • Account lockout on number of failed attempts: Choose this option to set the number of failed logins after which the user account is locked.
  • Account Lockout Time: Sets how long a user account stays locked after the failed login attempts.
  • Bypass OTP after successful authentication for: The period after a successful authentication during which an OTP is not required.
  • Allow OTP for workstation unlock/sleep/hibernate: If enabled, an OTP is required to unlock the workstation or to recover from sleep/hibernation.
  • Master password to bypass OTP: The administrator can configure a master password that can be used on the end user's machine to bypass the OTP.
  • Enable OTP for domain users: Enable if all domain users need to enter an OTP at the time of login. Otherwise, the HyID agent bypasses the OTP for domain users.
  • Enable OTP for workgroup users: Enable to force workgroup users to enter an OTP at login. Otherwise, the HyID agent bypasses the OTP for workgroup users.
  • Validate using alternate domain user: Enable this option to require users logging in with a service account to provide their own domain credentials. The user can also validate through an alternate domain by providing credentials for that domain. This way, the actual identity of the user who logged in with the service account's credentials is recorded in the HyID logs.
  • Enable OTP for all workgroup users: Enable if all workgroup users need to provide MFA at the time of login.
  • Enable OTP for workgroup admin users only: Enable if only the local machine's admin user needs to provide MFA at the time of login.
  • Enable OTP for specific workgroup users: Specify a comma-separated list of local machine users who must use an OTP for login.
  • Exclude OTP for following workgroup users: The administrator can allow the specified local machine users to log in without an OTP by providing a comma-separated list of usernames.
  • Ask domain credentials for workgroup users: Require workgroup users to provide domain credentials for login.

Offline OTP Configurations

These configuration settings are available only when the Mobile/Hardware/Biometric token option is enabled.

  • Enable Offline OTP token: Enable login with an offline token when the server is unreachable.
  • Select Offline token: Select the available offline token types: Mobile, Hardware, and Biometric.
  • Enable mobile token use for multiple time: When enabled, the same token can be used multiple times before it expires.
  • Select Offline OTP token expiry time: Specify the time interval after which the offline token expires and can no longer be used.
  • Maximum login attempts using Offline OTP: Limit the number of offline token logins for the users.

Modify HyID Policy

Select the policies and click Modify to edit HyID Policies. Edit details and click Submit.

Delete HyID Policy

Select the policy to be deleted from the HyID Policy page and click the Delete button. Once confirmed, the policy will be permanently removed.