Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo
back

Tokens

Token templates

search

Token templates

Token templates

Token templates provide the operating parameters, such as passcode or PIN strength, for a token. The templates are applied every time a token is enrolled.

The operating parameters in a template vary depending on the token type. In addition, the selection of one option may affect the availability of another option.

Token templates are provided for the following token types:

  • eToken
  • GOLD
  • Google Authenticator
  • GrIDsure
  • KT-1
  • KT-2/3
  • KT-4
  • KT-5
  • Legacy 4.X
  • Legacy 5.X
  • Legacy 6.X
  • MobilePASS
  • OATH
  • RADIUS
  • RB
  • SecurID
  • SMS

By default, all tokens use AES 256-bit encryption. Certain third-party tokens use 3DES or OATH. STA applies the strongest algorithm that the token type supports.

You can customize the token templates, and therefore token operation, to adapt to changes in your security policy. Customizing a template does not affect tokens that are already initialized and does not affect tokens that are assigned to users.

The operating parameters in a template vary depending on the token type. The token templates can include the following parameters:

Passcode policy parameters

Parameter Description
Mode Tokens can operate in either Challenge-Response or Quick Log mode. Quick Log mode is recommended because it greatly simplifies the User logon experience and strengthens security by eliminating the requirement to have the user key a challenge into a token to get an OTP. Default value: Quick Log.
Complexity

The OTPs generated by the token can be comprised of numbers, letters, and additional characters as follows:

  • Decimal: Token generates passcodes comprised of digits from 0-9.
  • Hexadecimal: Token generates passcodes comprised of digits and letters from 0–9 and A-F.
  • Base32: Token generates passcodes comprised of digits and letters from 0-9 and A-Z. (Default value).
  • Base64: Token generates passcodes comprised of digits and letters from 0-9 and Aa-Zz, as well as punctuation.
Encryption

This option determines the hashing algorithm used for signing: 

  • SHA1
  • SHA256
  • SHA512
Length This option determines the number of characters displayed as the OTP. Options are 5, 6, 7 or 8 characters. For software tokens, the default is 6 characters, although 8 can be configured by request. For hardware tokens, the default depends on how they are programmed in the factory or during operator token initialization.
Synchronization
  • Time-based: Determines the number of seconds the user has to authenticate, before another Passcode needs to be generated.
  • Event-based: Determines the number of clicks the user has to authenticate, before another Passcode needs to be generated.
Display Mask If set to Telephone Mode, the fourth character of the OTP will always be a dash (“-“). Typically, this is used with a decimal OTP, length of 8. Example OTP: 123-5678. If set to None, the fourth character is unmodified. Example OTP: 12345678. Telephone mode can be used with any token complexity and length setting. Default value: None.
Password/Cycle This option is used in conjunction with Operation Policy (Manual Shut-Off, Auto Shut-Off). Tokens can be limited to generating 1 password per cycle or allow multiple passwords to be generated in a cycle. Default value: Single.

Operation policy parameters

Parameter Description
Manual Shut-Off If Enabled, the user can clear the OTP from the display and turn the token off at any time by pressing the appropriate button, depending on the token type. If Disabled, the OTP will be displayed until the Auto Shut-off value expires. Default Value: Disabled.
Auto Shut-Off This value determines the length of time the password will be displayed, 30, 60 or 90 seconds. On expiration of this value, the token automatically clears the display and shuts off. Default Values: 60.

For tokens with a No PIN or Server-side PIN policy, the selection of Single in combination with Manual Shut-Off set to Disabled means that the token will not generate another password until the Auto Shut-Off value has expired. For example, if the value is 60 seconds, the user must wait 60 seconds before another password can be generated.

For tokens with a Fixed or User selected PIN, selection of Manual Shut-off set to Disabled means that the token will not generate another password until the Auto Shut-Off value has expired and the user enters their PIN into the token.

Thales recommends using the Operation Policy Group default settings for RB and KT series tokens configured for QUICKLog operation. Doing so ensures that the user must wait at least 60 (default) seconds before the token will generate another passcode.

PIN policy parameters

Parameter Description
PIN Type

This setting determines the type of PIN to be used with the token:

  • No PIN—Means that the user will not use a PIN. The token generated password will be sufficient for authentication.
  • Fixed PIN—Means that the PIN generated for the token during initialization is permanent and cannot be changed without reinitializing the token. This PIN must always be keyed into the token before a password is generated.
  • User-selected PIN—Means that the user must change the PIN generated for the token during initialization before a password will be generated. Thereafter, the user can change the PIN at any time. Note that the PIN change must conform to the minimum requirements for PIN Length, Complexity and Maximum PIN Attempts.
  • Server-side Fixed—Means that the PIN generated for the token at initialization is permanent and cannot be changed without reinitializing the token.  This PIN type is evaluated at SafeNet Trusted Access.
  • Server-side User Select—Means that the PIN generated for the token can be changed by the User. The new PIN must conform to the minimum requirements set in the Server-side PIN policy.
  • Server-side Server Select—Means that the PIN generated for the token can be changed, however, the new PIN will be generated by STA and will conform to the minimum requirements set in the Server-side PIN Policy Group on the Policy Admin tab.

Server-side PINs require the user to append or prepend the PIN to the token generated password during login, allowing the PIN to be evaluated by the Virtual Server. For example, if the user PIN is ABCD, and it must be prepended to the password 12345678, the user would enter ABCD12345678 at the password prompt.

All other PIN types require the user to key the correct PIN into the token before a password is generated. In this case, the user provides only the password at the password prompt. For example, if the user PIN is 8432 and the password is 12345678, the user will enter 12345678 at the password prompt. Generally, server-side PINs are used with KT tokens.
Initial PIN Determines the nature of the initial PIN created for a token during initialization. If Random, SafeNet Trusted Access will generate a random PIN that conforms to the minimum PIN Policy options set in the drop-downs for this group for each token during initialization. If Fixed, all tokens will be initialized with the same PIN. Default value: Random
Min. PIN Length

Determines the minimum PIN length that can be used with the token.

  • This option is disabled if PIN Type is set to No PIN. The user will not be required to use a PIN at any time.
  • This option is disabled if PIN Type is set to Server-side Fixed, Server-side User Select, or Server-side Server Select. The user will be required to use a PIN according to the options set in the Server-side PIN Policy Group.
  • This option is enabled if PIN Type is set to Fixed PIN or User selected PIN. This requires that any PIN set for the token meets the indicated minimum number of digits. The range is 1 to 8 digits.
Allow Trivial PINs

If enabled, a PIN may be three or more consecutive numbers (for example, 1234), or three or more identical digits (for example, 2222). Default value: Cleared.
Max. PIN Attempts Determines the maximum number of consecutive failed PIN attempts permitted by the token. If this number is exceeded, the token will enter the Locked state and cannot be used for authentication until it is reinitialized. This option is available only if PIN Type is set to Fixed PIN or User selected PIN.
PIN Complexity
  • If PIN Complexity is set to Decimal and Allow Trivial PINs is selected, the user can use a PIN with any consecutive or repeated characters. For example, 1111, 1234, 6543, abcd, aaaa.
  • If PIN Complexity is set to Decimal and Allow Trivial PINs is disabled, the user can use either a Numeric or an alphanumeric PIN, as long as it does not consist of consecutive or repeated characters. For example, aaaa or 1234 are not permitted while 9946, 123682, 321aaa, i6gfaa are permitted.
  • If PIN Complexity is set to Alphanumeric, the user must use an alphanumeric PIN that includes at least one uppercase and one lowercase character, and one number. For example, 1Qazxs8, ajUys36
Allow Biometric PIN

If enabled, subscribers can use a fingerprint sensor or facial recognition instead of typing a PIN to access their MobilePASS+ token. Default value: Disabled. This option requires that:

  • Token Type is set to MobilePASS.
  • PIN Type is set to User-selected PIN.

The Biometric PIN (Touch ID for iOS devices or Windows Hello for Windows devices) policy setting on STA is applied to tokens at the time of enrollment only. After a token is enrolled, policy changes on STA do not affect the availability of the Biometric PIN feature on that token.

Edit a token template

  1. On the STA Token Management console, select Policy > Token Policies.

  2. Click Token Templates.

  3. Select a token Type.

  4. Click Edit and modify the settings, as needed.

    alt_text

  5. Click Apply to apply changes to the template.

Changes to the template are applied to tokens during initialization. Previously initialized tokens are not affected by later changes to a template.