30.1 Logon page (Security Settings)

Setting

Allow Logon Codes

Default value

No

Description

Enables logon codes. Used as a global setting for all credential profiles – to use logon codes, you must set this option to Yes and set the Generate Logon Code option in the credential profile.

Further information

See section 3.4, Logon using codes for details.

 

Setting

Client Signing

Default value

Yes (Software or Card if available)

Description

Whether the information passed from the client to the server is signed using a key or certificate stored on the card that was used to log in. This provides extra security.

Choose:

Yes (Software or Card if available) – Use a signing key from your smart card if available (if you select the MyID Logon option in the Services section of the credential profile, you can either select a certificate to be used for signing, or use a signing key generated on the card by MyID at issuance). If neither a certificate nor a manager keypair is available, use a temporary software signing key generated by MyID when you log on.

No – Do not sign data.

Software signing only – use a temporary software signing key generated by MyID when you log on.

Further information

 

 

Setting

Complex Logon Code Complexity

Default value

12-12ULSN

Description

The complexity rule used to generate a logon code when the Generate Logon Code option in the credential profile is set to Complex.

It takes the format mm-nnULSN.

mm = min length

nn = max length

U/u = must/may contain upper case (optional)

L/l = must/may contain lower case (optional)

S/s = must/may contain symbols (optional)

N/n = must/may contain numbers (optional)

Further information

See section 3.4, Logon using codes for details.

 

Setting

Logon Name Required

Default value

No

Description

Whether the logon name associated with the MyID account is used in addition to the password when logging on to MyID.

Further information

No longer supported. Will appear only on upgraded systems, but has no effect.

 

Setting

Maximum Allowed OTP Failures

Default value

5

Description

Specify the maximum number of failed attempts a user can make when attempting to answer an OTP challenge. When this number is exceeded, the OTP is rendered unusable, and the user must request a new OTP.

Further information

 

 

Setting

Maximum allowed security question failures

Default value

3

Description

Specify the maximum number of failed attempts a user can make when attempting to answer a security question.

When this number is exceeded, the user's account can be locked out – see the Action on maximum security question failures option in section 30.4, PINs page (Security Settings).

Further information

Note: If you set this option to 0, the default value of 3 is used and the user's account is locked when three attempts have been made without success.

For information on unlocking security phrases, see section 3.3.5, Unlocking security phrases and section 3.3.6, Unlocking your own security phrases.

 

Setting

Prevent Direct Password Logon

Default value

No

Description

Allow password logon for self-service operations only when a card is present.

Further information

 

 

Setting

Set Security Phrase at Logon

Default value

 

Description

If a user logs on to MyID Desktop and the required number of security phrases (as specified by the Number of security questions to register configuration option) has not been set up, MyID runs the first workflow listed that the user has access to.

Workflows should be listed as option,operationid;option,operationid and so on. For example, 1,110 – this automatically launches the Change My Security Phrases workflow.

Further information

See section 3.3.3, Setting the number of security phrases required to authenticate for details.

Note: The Set Security Phrase at Logon option is supported in MyID Desktop from MyID 10.6 Update 1 onwards – make sure you have upgraded your clients. This option does not affect the logon process when using the MyID Operator Client.

 

Setting

Show Full Name at Logon

Default value

No

Description

Controls whether the card owner's full name is displayed on the Logon page when their card is inserted.

Note: If you set this option to No, and either the Show Photo at Logon option is set to No or the users do not have photos attached to their user accounts, then when you insert more than one card you cannot tell which card belongs to which user except by the card serial number and device type (which are available when you hover your mouse over the image).

Further information

This option does not affect the MyID Operator Client. In accordance with best security practice, the MyID Operator Client does not display any personal information to an unauthenticated user.

 

Setting

Show Photo at Logon

Default value

No

Description

Whether the holder’s photograph is displayed at logon.

Further information

This option does not affect the MyID Operator Client. In accordance with best security practice, the MyID Operator Client does not display any personal information to an unauthenticated user.

 

Setting

Signed Logon

Default value

Yes

Description

Whether the information passed to the server during logon is signed using the keys or certificate stored on the card.

Further information

 

 

Setting

Simple Logon Code Complexity

Default value

12-12N

Description

The complexity rule used to generate a logon code when the Generate Logon Code option in the credential profile is set to Simple.

It takes the format mm-nnULSN.

mm = min length

nn = max length

U/u = must/may contain upper case (optional)

L/l = must/may contain lower case (optional)

S/s = must/may contain symbols (optional)

N/n = must/may contain numbers (optional)

Further information

See section 3.4, Logon using codes for details.
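The mm-nnULSN rule used by both Complex Logon Code Complexity and Simple Logon Code Complexity, as an added example (not MyID code): it parses a rule, checks a candidate code against it, and gives an upper bound on the size of the code space so that two rules can be compared. It assumes that a class letter left out of the rule means that class is not allowed, that the letters may appear in any order, and that the symbol set is Python's string.punctuation; the page states none of these.

```python
import math
import re
import string

# Character classes keyed by the rule letters. The symbol set is an assumption:
# the page does not list which symbols the product uses.
CLASSES = {"U": string.ascii_uppercase, "L": string.ascii_lowercase,
           "S": string.punctuation, "N": string.digits}
RULE_RE = re.compile(r"(\d+)-(\d+)([ULSNulsn]*)")


def parse_rule(rule):
    """Split 'mm-nnULSN' into (min_len, max_len, {class: 'must' | 'may'})."""
    m = RULE_RE.fullmatch(rule.strip())
    if not m:
        raise ValueError(f"not in mm-nnULSN form: {rule!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo < 1 or lo > hi:
        raise ValueError(f"bad length range in {rule!r}")
    classes = {}
    for flag in m.group(3):
        key = flag.upper()
        if key in classes:
            raise ValueError(f"class {key} given twice in {rule!r}")
        # Upper-case letter = must contain, lower-case letter = may contain.
        classes[key] = "must" if flag.isupper() else "may"
    if not classes:
        raise ValueError(f"no character class in {rule!r}")
    return lo, hi, classes


def code_matches(rule, code):
    """True if code satisfies rule; classes absent from the rule are rejected (assumption)."""
    lo, hi, classes = parse_rule(rule)
    allowed = "".join(CLASSES[k] for k in classes)
    if not lo <= len(code) <= hi or any(ch not in allowed for ch in code):
        return False
    return all(any(ch in CLASSES[k] for ch in code)
               for k, mode in classes.items() if mode == "must")


def max_bits(rule):
    """Upper bound on code entropy in bits, ignoring the 'must' constraints."""
    lo, hi, classes = parse_rule(rule)
    size = sum(len(CLASSES[k]) for k in classes)
    return math.log2(sum(size ** n for n in range(lo, hi + 1)))
```

Under these assumptions the default Simple rule 12-12N allows at most about 39.9 bits and the default Complex rule 12-12ULSN at most about 78.7 bits.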

 

Setting

Validate logon certificate

Default value

No

Description

If you set this option to Yes, when a user logs on to MyID with a certificate, MyID validates the certificate by verifying that it has not expired and checking it against the certificate revocation list. If the validation fails, MyID prevents the user from logging on.

In addition, if you have an external system that allows you to link to an authentication service for certificate validation, the authentication service validates the certificate after MyID has done so, as a secondary validation.

Further information

Note: The application server must trust the Certificate Authority that issued the certificate being validated.