3.3 Logon using security phrases

You can log on to MyID Desktop or the MyID Operator Client using security questions, which grants limited access to the system.

If you want to allow the same security access with a security phrase as you would with a smart card and PIN, you must enable password logon for roles.

To allow password logon:

1. Select Security Settings from the Configuration category.
2. On the Logon Mechanisms tab, make sure that Password Logon is set to Yes.
3. Click Save changes.

4. In the Edit Roles workflow, make sure the user's role has the Password logon mechanism assigned.

   See section 4.1.5, Assigning logon mechanisms for details of using the Edit Roles workflow.

5. Click Save Changes.

6. Set security phrases for the user using the Change Security Phrases workflow.

The user can now log on to MyID using their security phrases.

3.3.1 Setting rules for security phrases

Rules for security phrases can be specified by using a combination of configuration settings. See section 31.4, PINs page (Security Settings) for an explanation of the basic settings available:

• The maximum number of repeated characters in a security phrase
• The maximum number of sequential characters in a security phrase
• The minimum length of a security phrase
• The characters allowed in a security phrase
• Whether white space should be stripped from security phrases

The setting called Security Phrase complexity format enables you to configure additional rules for security phrases. By default, this complexity is not defined.

Note: Invalid rules are ignored, making it equivalent to having no rules. Invalid rules include:

• Not following the rule pattern.
• Setting the maximum length to 0.
• Including any characters not specified in the syntax.
• Setting the maximum to be less than the minimum.
• Not including any types of characters.

To set rules for security phrase complexity:

1. From the Configuration category, select Security Settings and then select the PINs tab.

2. In the Security Phrase complexity format option, specify the complexity required for a security phrase using the following parameters in the following format:

   [mm-nn][u|U|][l|L][s|S][n|N]

   where:

   Parameter		Notes
   mm	minimum length	If not specified, this defaults to 4.
   nn	maximum length	If not specified, this defaults to 8.
   u	may contain uppercase characters	If neither u nor U is present, the security phrase cannot contain uppercase characters.
   U	must contain uppercase characters
   l	may contain lowercase characters	If neither l nor L is present, the security phrase cannot contain lowercase characters.
   L	must contain lowercase characters
   n	may contain a number	If neither n nor N is present, the security phrase cannot contain numbers.
   N	must contain a number
   s	may contain a symbol	Allowable symbols are: -!$%^&*()_+|~=`{}[]:";'<>?,./@#\ and <space> If neither s nor S is present, the security phrase cannot contain symbols.
   S	must contain a symbol

   Note: You must include at least one type of allowable or mandatory character, or the rule will be invalid.

   Examples:

   7-9ulns – from seven to nine characters, may contain uppercase, lowercase, numbers or symbols:

   12345678abcdefghABC123!?

   7-9ULNS – from seven to nine characters, must contain uppercase, lowercase, numbers and symbols.

   aBC123!?

   123Abc#

   4-8ULns – from four to eight characters, must contain uppercase and lowercase, and may also contain numbers or symbols.

   ABCabc12ABCabcABABCabc1!

3. Click Save changes.

3.3.2 Changing rules for security phrases

Important: If you have recorded pass phrases within MyID, then subsequently change any of the following options for security phrases:

• Case sensitive security questions
• Security Phrase whitespace removal

the existing security phrases stored in the database are likely to become invalid, and therefore you must re-enroll the security phrases for all of your users to allow them to authenticate again. You can do this using the Lifecycle API or using the Change Security Phrases or Change My Security Phrases workflows in MyID Desktop.

3.3.3 Setting the number of security phrases required to authenticate

If passphrase logon is enabled in MyID, and a user has the roles to enable password logon, and has at least one security phrase recorded, that user will be able to log on with security phrases, and will be prompted to answer some or all of the security phrases recorded for that user.

The following options on the PINs page of the Security Settings workflow control the number of security phrases required:

• Number of security questions to register – determines how many security phrases a user is required to enroll in the Change Security Phrases or Change My Security Phrases workflows.

• Number of security questions for operator authentication – determines the number of security phrases the user is required to provide when an operator asks them; for example, during the Authenticate Person or Unlock Credential workflows.

• Number of security questions for self-service authentication – determines the number of security phrases users are required to provide when authenticating themselves.

  Important: Do not increase this value to a number greater than the number of security phrases your users already have registered. If a user does not have at least as many security questions registered as are required for self-service authentication, they will be unable to log on using security phrases.

Note: You can set a maximum value of 6 for these options.

Note: The startup user created by GenMaster has a single security phrase, so can still log on to MyID with the single security phrase even if the configuration option is set to a higher value. This is by design.

If required by customer specific security policy, you can change the Number of security questions to register configuration to a higher number, forcing users who set their security phrases to record more security phrases, and therefore enter randomly-selected security phrases from a larger number of different questions when they log on.

If you increase the Number of security questions to register option after users have already been enrolled, existing users will still be able to authenticate with their currently enrolled number of security phrases, as long as this is equal to or greater than the Number of security questions for self-service authentication or Number of security questions for operator authentication options as appropriate.

To force MyID Desktop users to use the Change My Security Phrases workflow to increase the number of their security phrases, you can use the Set Security Phrase at Logon option:

1. From the Configuration category, select Security Settings.

2. On the Logon page, set the following option:

   • Set Security Phrase at Logon – set this to the following value:

     1,110

     This identifies the Change My Security Phrases workflow – when a user attempts to authenticate, but has fewer than the configured Number of security questions to register, they will be required to complete this workflow before continuing.

3. Click Save changes.

Note: The Set Security Phrase at Logon option is supported in MyID Desktop from MyID 10.6 Update 1 onwards – make sure you have upgraded your clients. This option does not affect the logon process when using the MyID Operator Client.

3.3.4 Configuring the number of attempts to enter security phrases

The Maximum allowed security question failures configuration option (on the Logon page of the Security Settings workflow) determines how many attempts a user is allowed to enter their security phrases before their security phrases are locked.

By default, this is three attempts.

Note: If you set this option to 0, the default value of 3 is used and the user's account is locked when three attempts have been made without success. If you want to provide unlimited attempts to enter security phrases, you can set the Action on maximum security question failures option (on the PINs page of the Security Settings workflow) to None.

3.3.5 Unlocking security phrases

If a user has locked their account by entering their security phrases incorrectly too many times, you can unlock their account and allow them to attempt to log on again.

To unlock a user's security phrases:

1. From the People category, select Unlock Security Phrases.

   You can also launch this workflow from the View Person screen in the MyID Operator Client; this launches the workflow with the person already selected. See the Unlocking a person's security phrases section in the MyID Operator Client guide for details.

2. Use the Find screen to search for the user whose account you want to unlock.

3. Select the user from the list.

   The user's details appear on screen.

   

4. Click Unlock.

3.3.6 Unlocking your own security phrases

You can allow users to unlock their own security phrases by giving their role access to the Unlock My Security Phrases workflow. The user can authenticate to MyID with some other method (for example, smart card or logon code) then use this workflow to unlock their security phrases without any further authentication.

To unlock your own security phrases:

1. From the People category, select Unlock My Security Phrases.

   

2. Click Unlock.