Action on maximum security question failures

Lock security phrases

Determines what happens when a user has reached the Maximum allowed security question failures – see section 31.1, Logon page (Security Settings). This can be one of the following:

Lock security phrases – The user's account is locked.

None – The user can retry as many times as they like.

Ask Security Questions for Self Service Card Unlock

No

Whether the holder’s security phrase is used when unlocking a card.

See the Self-service PIN reset authentication section in the Operator's Guide.

Case sensitive security questions

Yes

Whether the case of responses to security phrases or logon codes is checked when authenticating.

Important: See section 3.3.2, Changing rules for security phrases.

For logon codes, if you set this option to No, make sure that you have not included L or l (must/may contain lower case letters) in your logon code complexity format; otherwise, you will be unable to use the generated codes. Use a code like 12-12USN instead.

Default max PIN length

12

The default maximum PIN length. You can override this setting in the credential profile using the Maximum PIN length option.

See section 11.3.1, Credential profile options.

FIDO Immediate Collect Timeout

120

The number of seconds before timeout when performing immediate FIDO registration through the Self-Service Request Portal.

See the Registering FIDO authenticators using the Self-Service Request Portal section in the FIDO Authenticator Integration Guide.

Lock Card on Issuance

Ask

Whether the PIN assigned during issue is locked. If so, the holder must enter a new PIN on first use.

See section 11.3.1, Credential profile options.

Number of security questions for operator authentication

1

The number of security phrases the user is required to provide when an operator asks them; for example, during the Authenticate Person or Unlock Credential workflows.

See section 3.3.3, Setting the number of security phrases required to authenticate.

Number of security questions for self-service authentication

2

The number of security phrases users are required to provide when authenticating themselves.

See section 3.3.3, Setting the number of security phrases required to authenticate.

Number of security questions to register

2

The number of security phrases to enroll for a user in the Change Security Phrases or Change My Security Phrases workflows.

See section 3.3.3, Setting the number of security phrases required to authenticate.

Offline Unlock Method

Challenge

Challenge – a dialogue between the holder and the helpdesk, passing challenges and responses to identify the holder and the device.

Witness – another holder must witness the request.

None – offline unlocking not possible.

Used for Giesecke & Devrient cards.

PIN Timeout

180

Period of inactivity (in minutes) before a PIN must be re-entered. This may be overruled by the device’s own timeout period, if shorter.

Prevent version 1 password enrollment

No

If you set this option to Yes, and the Use Security Phrase algorithm version 2 option is set to Ask, security phrases are stored only with SHA256 hashes. This allows you to force a transition to SHA256 security phrases and gradually remove any SHA1 stored answers.

Reload Device Profile

Yes

No longer used. Previously, this setting forced MyID to reload the device profile onto the card during issuance.

Appears only on upgraded systems.

Remote Unlock requires an Authentication Code prompt

No

No longer required. Previously, ff set to Yes, the user had to provide an authentication code to remotely unlock a card or device.

Appears only on upgraded systems.

See the Unlocking a credential remotely section in the Operator's Guide for details of configuring MyID for remote unlock.

Security Phrase allowable characters

The characters accepted in a security phrase. List individual characters or ranges. The only permissible ranges are a-z (all lowercase letters), A-Z (all uppercase letters) and 0-9 (all numbers).

For example: a-zA-Z!%&

The default (blank) means no restrictions.

Note: a-z and A-Z do not include accented characters. If required, these must be specified individually.

Security Phrase complexity format

Defines the rules for allowed security phrases. Leave blank to allow any format.

See section 3.3.1, Setting rules for security phrases for detailed instructions.

Security Phrase minimum length

0

The minimum number of characters accepted for a security phrase.

Set to 0 to allow any security phrases with one or more characters.

Security Phrase repeat character limit

0

The maximum number of repeated characters accepted in security phrases. 0 allows any number of repeated characters.

Security Phrase sequential character limit

0

The maximum number of sequential characters – either numbers (1, 2, 3) or letters (a, b, c) – in security phrases. 0 allows any number of sequential characters.

Security Phrase whitespace removal

No

Set to Yes to remove any spaces from security phrases before storing or checking the security phrase.

Important: See section 3.3.2, Changing rules for security phrases.

Set GlobalPlatform Card Status

No

Whether MyID can set the GlobalPlatform status for a device.

When you use deferred activation, MyID must be able to set the card status from SECURED to LOCKED. If the card is shipped with the status SECURED, no further action is required. If the card is shipped with the status OP_READY or INITIALIZED, for example, you must set this option to Yes to allow MyID to change the card status to SECURED before it sets the status to LOCKED for deferred activation.

Note: You must also make sure that you set up customer GlobalPlatform keys for your cards. The status change from OP_READY or INITIALIZED to SECURED occurs when MyID sets the customer keys for a card.

See the Smart Card Integration Guide for whether you need to set this option.

Show Generated PINs

Yes

Whether the PIN for a device (when this is a random or server-generated PIN) should be displayed when the device is issued.

Only the Issue Card workflow can display generated PINs. Other issuance workflows will not display the user PIN that has been generated.

Transport PIN

12549856

Default PIN for canceled cards. If you are using on-device PIN policies, you must set the transport PIN to match the PIN policy in the card properties file.

Use logon name for server PIN generation

No

You can use the user's logon name as the diversification data for PIN generation; this ensures that the user has the same PIN for all of their devices.

See section 9.3, EdeficePinGenerator PIN generation algorithm for details.

Use PIN policy settings in random server PIN generation

No

When set to No, the random PIN generator does not take into account the PIN policy determined by the credential profile.

When set to Yes, the random PIN generator takes into account the PIN policy determined by the credential profile.

See section 9, PIN generation for details.

Use Security Phrase algorithm version 2

Ask

If you are upgrading from a previous system, and this option was previously set to No, this is set to Yes by the installer.

This option is used to configure MyID to set security phrases to use SHA256 hashing.

See the Upgrading security phrase security in the Installation and Configuration Guide for details of upgrading the hashed security phrase answers stored in the MyID database.