3.3 Logon using security phrases

You can log on to MyID using security questions, which grants limited access to the system.

To give a user who logs on with a security phrase the same access as they would have with a smart card and PIN, you must enable password logon for roles.

To allow password logon:

  1. Select Security Settings from the Configuration category.
  2. On the Logon Mechanisms tab, make sure that Password Logon is set to Yes.
  3. Click Save changes.
  4. In the Edit Roles workflow, make sure the user's role has the Password logon mechanism assigned.

    See section 4.1.4, Assigning logon mechanisms for details of using the Edit Roles workflow.

  5. Click Save Changes.
  6. Set security phrases for the user using the Change Security Phrases workflow.

The user can now log on to MyID using the security phrase.

3.3.1 Setting the number of security phrases required to authenticate

If passphrase logon is enabled in MyID, a user who has the roles to enable password logon and has at least one security phrase recorded can log on with security phrases. At logon, the user is prompted to answer some or all of the security phrases recorded for that user.

The following options on the Device Security page of the Security Settings workflow control the number of security phrases required:

Note: You can set a maximum value of 6 for these options.

Note: The startup user created by GenMaster has a single security phrase, and so can still log on to MyID with that single security phrase even if the configuration option is set to a higher value. This is by design.

If required by a customer-specific security policy, you can change the Number of security questions to register configuration option to a higher number. This forces users who set their security phrases to record more security phrases, and therefore to enter more security phrases when they log on.

If you increase the Number of security questions to register option after users have already been enrolled, existing users will still be able to authenticate with their currently enrolled number of security phrases, as long as this is equal to or greater than the Number of security questions for operator authentication option.

3.3.2 Unlocking security phrases

If a user has locked their account by entering their security phrases incorrectly too many times, you can unlock their account and allow them to attempt to log on again.

To unlock a user's security phrases:

  1. From the People category, select Unlock Security Phrases.
  2. Use the Find screen to search for the user whose account you want to unlock.
  3. Select the user from the list.

    The user's details appear on screen.

  4. Click Unlock.

3.3.3 Unlocking your own security phrases

You can allow users to unlock their own security phrases by giving their role access to the Unlock My Security Phrases workflow. The user can authenticate to MyID with some other method (for example, smart card or logon code), and then use this workflow to unlock their security phrases without any further authentication.

To unlock your own security phrases:

  1. From the People category, select Unlock My Security Phrases.

  2. Click Unlock.