31.1 Logon page (Security Settings)

Setting

Allow Logon Codes

Default value

No

Description

Enables logon codes. Used as a global setting for all credential profiles – to use logon codes, you must set this option to Yes and set the Generate Code on Request option in the credential profile.

Further information

See section 3.4, Logon using codes for details.

 

Setting

Allow Self-Service at Logon

Default value

Yes

Description

Determines whether the Manage My Credentials option appears on the MyID Authentication screen in the MyID Operator Client.

Further information

See the Managing your credentials from the MyID Authentication screen section in the MyID Operator Client guide.

 

 

Setting

Client Signing

Default value

Yes (Software or Card if available)

Description

Whether the information passed from the client to the server is signed using a key or certificate stored on the card that was used to log in. This provides extra security.

Choose:

Yes (Software or Card if available) – Use a signing key from your smart card if available (if you select the MyID Logon option in the Services section of the credential profile, you can either select a certificate to be used for signing, or use a signing key generated on the card by MyID at issuance). If neither a certificate nor a manager keypair is available, use a temporary software signing key generated by MyID when you log on.

No – Do not sign data.

Software signing only – use a temporary software signing key generated by MyID when you log on.

Further information

 

 

Setting

Logon Name Required

Default value

No

Description

Whether the logon name associated with the MyID account is used in addition to the password when logging on to MyID.

Further information

No longer supported. Will appear only on upgraded systems, but has no effect.

 

Setting

Maximum Allowed OTP Failures

Default value

5

Description

Specify the maximum number of failed attempts a user can make when attempting to answer an OTP challenge. When this number is exceeded, the OTP is rendered unusable, and the user must request a new OTP.

Further information

 

 

Setting

Maximum allowed security question failures

Default value

3

Description

Specify the maximum number of failed attempts a user can make when attempting to answer a security question or enter a logon code.

When this number is exceeded, the user's account can be locked out – see the Action on maximum security question failures option in section 31.4, PINs page (Security Settings).

Further information

Note: If you set this option to 0, the default value of 3 is used and the user's account is locked when three attempts have been made without success.

For information on unlocking security phrases, see section 3.3.5, Unlocking security phrases and section 3.3.6, Unlocking your own security phrases.

 

Setting

Prevent Direct Password Logon

Default value

No

Description

Allow password logon for self-service operations only when a card is present.

Further information

 

 

Setting

Set Security Phrase at Logon

Default value

 

Description

If a user logs into MyID Desktop and the required number of security phrases (as specified by the Number of security questions to register configuration option) have not been set up, run the first workflow listed that the user has access to.

Workflows should be listed as option,operationid;option,operationid and so on. For example, 1,110 – this automatically launches the Change My Security Phrases workflow.

Further information

See section 3.3.3, Setting the number of security phrases required to authenticate for details.

Note: The Set Security Phrase at Logon option is supported in MyID Desktop from MyID 10.6 Update 1 onwards – make sure you have upgraded your clients. This option does not affect the logon process when using the MyID Operator Client.

 

Setting

Show Full Name at Logon

Default value

No

Description

Controls whether the card owner's full name is displayed on the Logon page when their card is inserted.

Note: If you set this option to No, and either you have the Show Photo at Logon set to No, or the users do not have photos attached to their user accounts, if you insert more than one card you will not be able to tell which card belongs to which user except by the card serial number and device type (which is available when you hover your mouse over the image).

Further information

This option affects both MyID Desktop and the MyID Operator Client.

Note: If you enable this feature, it is possible to obtain cardholder names without authentication.

 

Setting

Show Photo at Logon

Default value

No

Description

Whether the holder’s photograph is displayed at logon.

Further information

This option affects both MyID Desktop and the MyID Operator Client.

Note: If you enable this feature, it is possible to obtain user photos without authentication.

 

Setting

Signed Logon

Default value

Yes

Description

Whether the information passed to the server during logon is signed using the keys or certificate stored on the card.

Further information

 

 

Setting

Validate logon certificate

Default value

No

Description

If you set this option to Yes, when a user logs on to MyID with a certificate, MyID validates the certificate by verifying that it has not expired and checking it against the certificate revocation list. If the validation fails, MyID prevents the user from logging on.

In addition, if you have an external system that allows you to link to an authentication service for certificate validation, the authentication service is used to validate the certificate after MyID as secondary validation.

Further information

Note: The application server must trust the Certificate Authority that issued the certificate being validated.