In the Assignment > Authentication Methods module, manage tokens for users and view information about the associated token tasks.

1. On the STA Token Management console, search for the user.

2. Select a user ID.

3. Select Authentication Methods.

4. Select Manage.

   The following options for managing a token are displayed:

   • Suspend tokens

   • Unlock tokens

   • Set a new PIN

   • Resync tokens

   • Initialize tokens

   • Revoke tokens

   

View tokens for a user

View the tokens that are associated with a user.

1. On the STA Token Management console, search for the user.

2. Select the Authentication Methods module.

   The Authentication Methods module lists the tokens that are associated with the selected user.

   

   It includes the following token information:

   • Type is the authentication method assigned to the user.

   • Target is the device to which a token is deployed (such as Windows™ computer, iPhone™, BlackBerry™, and so on).

   • Description is the serial number of the token or “Password” if a static password is allowed.

   • State is the state of the token or authentication method:

   • Provisioning Rule is the method by which a token was provisioned: <Rule Name>, "Manual", or blank space (if STA is unable to determine the rule name).

   • Initial PIN is the PIN value to be given to the user when using Assign to issue a token. By default, the initial PIN value must be changed by the user during their first authentication. STA clears the Initial PIN field as soon as the user completes the PIN change.

Configure the password type

Use the password option to configure whether a user's AD password or static password is accepted by STA for authentication. This option is disabled if the user has any other assigned authentication method.

To configure a user's password type:

1. On the STA Token Management console, select a user.

2. Select Authentication Methods > Password and then select one of the following:

   • Accept LDAP/AD Password to use the AD domain password for authentication.

   • Set Temporary Static Password to use a static password for authentication.

3. Click Assign.

For more information about password options, see Suspend tokens.

Suspend tokens

Use this option to suspend the token, making it invalid for authentication but leaving it assigned to the user.

To suspend a token:

1. On the STA Token Management console, select a user.

2. Select Authentication Methods > Manage.

   

3. Select Suspend.

   This button is disabled if the token is not in the Active state.

   

   To reactivate a suspended token, see Unlock tokens

If a user has multiple active tokens, the various password options will not be available. If the user has only one active token and the virtual server temporary password policy allows assignment of a password, the following options may be available when suspending a user’s token:

• No Static Password: The user’s token will be suspended and the user will not be given a temporary static password.

• Accept LDAP/AD Password: The user’s token will be suspended and the user will be allowed to use their LDAP/Active Directory password to authenticate. Note that this option is displayed only if Active Directory Password Sync is set up for STA, and the user has a synchronized Active Directory password. Refer to Enable password synchronization for additional details.

• Accept LDAP/AD Password: The user’s token will be suspended and the user will be allowed to use their LDAP/Active Directory password to authenticate. Note that this option is displayed only if the STA LDAP Integrator service is set up in SAS PCE. For more information, see Enable password synchronization.

Currently, STA does not synchronize the password expiry state. The AD password is handled as a cached credential, where the credential remains valid until the user updates it through the domain controller.

The Account Lockout policy (defined in Policy > User Policies) temporarily locks a user’s AD password if the Account lock threshold is exceeded. The AD password is automatically unlocked after the configured Account lock duration. Assigned AD passwords appear in the user’s token list, and can also be manually unlocked by the operator. However, the operator cannot manually unlock unassigned AD passwords that can be used in pre-authentication rules or STA password validation. Both assigned and unassigned AD passwords are always automatically unlocked according to the Account Lockout policy.

• Set Temporary Static Password: The user’s token will be suspended and the user will be given a temporary static password which can be used to authenticate:

  • Generate button—Use this to generate a static password that complies with the established policy. (Refer to Temporary password policy.)

  • Change Password on First Use: If checked, the user must change the provided static password to a new value known only to them and which complies with the established policy.

  • No Static Password after: Use this option to limit the life of the temporary password.

• Comment: Use this area to enter a brief explanation for suspending the token. This forms part of the permanent token record and can be viewed by other Operators managing this user’s account.

Unlock tokens

Use this option to reactivate a token that is in the locked or suspended state, making it valid for authentication. Its use varies depending on the PIN mode.

If the token is locked due to excessive consecutive failed authentication attempts, clicking Unlock and then Activate will reactivate the token.

Check the Set a New PIN option to create a new PIN for the user for this token or use the Random button to generate a PIN that complies with the policy.

A token initialized with a token-side PIN that has been locked by the user by exceeding the maximum allowed PIN attempts may be unlocked using this function, provided the token was initialized with the unlock token option enabled. This function should only be used if you are certain that the person in possession of the token is the rightful owner.

To use this function the user must generate an unlock challenge. The method for doing this varies with the token type.

Set a new PIN

This option is available where the PIN is evaluated by the Server (Server-side PIN). This function sets a new PIN value for this token according to the configured PIN policy.

Use the Generate button to automatically create a new PIN that meets the minimum policy requirements.

The Change PIN on first use option is disabled if the change PIN policy is set to prevent Operator override. If enabled, the Operator can remove the requirement to change PIN on first use.

Resync tokens

Use this option to resync a token or test a token if there are repeated failed authentication attempts with it. Generally, a resync is not required. Resync does not require the user or Operator to reveal the PIN associated with a token.

The resync methods vary depending on the type of token:

• For challenge/response resynchronization: Have the user key the challenge into their token after enabling resync to generate a response. Enter the resulting response into the Response field and then click Resync. The response provided by the user's token for the displayed challenge should result in a successful test. If so, the token is working properly and in sync with the server.

  

• For OATH, SafeNet Gold/Platinum tokens" Have the user generate two passcodes and enter these in the correct order. A message will be displayed confirming the success or failure of the resync process.

  

Initialize tokens

Use initialize to generate new token seeds and change the operating parameters of hardware tokens. The current token template is applied during initialization. The appropriate token initializer must be connected to the computer.

This button is available only if a hardware token is selected.

Revoke tokens

Use this button to revoke a token. A revoked token can no longer be used to authenticate.

If the Authentication Type is Password, and the Revoke Password check box is not selected, the user can still authenticate using a previously assigned static password. The user can also authenticate with any other active token associated with their account.

• Return to Inventory, Initialization Required: Choose this option for hardware tokens issued with a token-side PIN or if the token seed and operating parameters must be changed before the token is reissued. Generally, this option is used with RB-1 PIN Pad tokens.

• Return to Inventory, token does not need to be reinitialized: Choose this option for all other cases where the token is being returned.

• Lost: Returns the token to inventory in the Lost state. Tokens in this state cannot be reissued unless they are recovered and reinitialized.

• Faulty: Returns the token to inventory in the Faulty state. Tokens in this state cannot be reissued unless they are successfully reinitialized.