DIGIPASS Plug-In for SBR Product Guide A4 - Vasco

Modify these field values (right-click and select Fields) to change text throughout the 

document: 

NOTE: Diagrams may appear or disappear depending on these field settings – so BE CAREFUL 

adding and removing diagrams, as you may be stuffing up formatting. 

ADDITIONAL NOTE: Be careful adding and removing text, too. Just because you see something 

in the document that looks like it shouldn't be there, doesn't mean removing it is a smart idea. 

Do a print preview to check if it will show up in the final document before you do anything. 

(the field values are currently just (relatively) rubbish values – modified at times to check that 

text conditions are working correctly) 

sbr 

Digipass Plug-In for SBR 

SBR Plug-In 

Steel-Belted RADIUS 

SBR 

ODBCAD 


Steel-Belted RADIUS 


Digipass Plug-In for SBR 

ODBCAD 

Product G uide

Disclaimer of Warranties and Limitations of Liabilities 

Disclaimer of Warranties and Limitations of Liabilities 

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express 

or implied, including but not limited to warranties of merchantable quality, merchantability of 

fitness for a particular purpose, or those arising by law, statute, usage of trade or course of 

dealing. The entire risk as to the results and performance of the product is assumed by you. 

Neither we nor our dealers or suppliers shall have any liability to you or any other person or 

entity for any indirect, incidental, special or consequential damages whatsoever, including but 

not limited to loss of revenue or profit, lost or damaged data of other commercial or economic 

loss, even if we have been advised of the possibility of such damages or they are foreseeable; 

or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers 

and suppliers shall not exceed the amount paid by you for the Product. The limitations in this 

section shall apply whether or not the alleged breach or default is a breach of a fundamental 

condition or term, or a fundamental breach. Some states/countries do not allow the exclusion 

or limitation or liability for consequential or incidental damages so the above limitation may 

not apply to you. 

RADIUS Documentation Disclaimer 

The RADIUS documentation featured in this manual is focused on supplying required 

information pertaining to the RADIUS server and its operation in the VACMAN Middleware 

environment. It is recommended that further information be gathered from your NAS/RAS 

vendor for information on the use of RADIUS. 

Copyright 

© 2006 VASCO Data Security Inc. All rights reserved. 

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in 

any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, 

without the prior written permission of VASCO Data Security Inc. 

Trademarks 

VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc. 

Microsoft and Windows are registered trademarks of Microsoft Corporation. 

All other trademarks are the property of their respective holders. 

© 2006 VASCO Data Security Inc. 2

Digipass Plug-In for SBR Product Guide Table of Contents 

Table of Contents 

1 Overview............................................................................................................... 9 

1.1 What is Digipass Plug-In for SBR?..................................................................................9 

1.2 What is a Digipass?........................................................................................................ 9 

1.3 Types of Digipass........................................................................................................... 9 

1.3.1 Hardware Digipass.................................................................................................... 9 

1.3.2 Software Digipass................................................................................................... 10 

1.3.3 Virtual Digipass....................................................................................................... 11 

1.4 Software Components.................................................................................................. 12 

1.4.1 Required Components.............................................................................................. 12 

1.4.2 Optional Components.............................................................................................. 13 

1.4.3 Extra Utilities.......................................................................................................... 14 

1.5 Digipass Plug-In for SBR Data Model............................................................................15 

1.5.1 Digipass record....................................................................................................... 15 

1.5.2 Digipass User account record.................................................................................... 15 

1.5.3 Component record................................................................................................... 15 

1.5.4 Policy record........................................................................................................... 16 

1.5.5 Domain record........................................................................................................ 16 

1.5.6 Organizational Unit record........................................................................................ 16 

1.6 Available Guides...........................................................................................................17 

2 Authentication Process........................................................................................18 

2.1 Logging in with a Digipass........................................................................................... 18 

2.2 Authentication Process Overview................................................................................. 19 

2.3 Identifying the Policy................................................................................................... 20 

2.3.1 RADIUS Client Policy Lookup..................................................................................... 20 

2.4 Digipass User Account Lookup and Checks................................................................... 21 

2.4.1 User ID and Domain Resolution................................................................................. 21 

2.4.1.1 Windows Name Resolution................................................................................................... 21 

2.4.1.2 Simple Name Resolution (ODBC/embedded database only)...................................................... 21 

2.4.1.3 Default Domain.................................................................................................................. 21 

2.4.1.4 Active Directory User Account.............................................................................................. 22 

2.4.1.5 Summary: Active Directory.................................................................................................. 23 

2.4.1.6 Summary: ODBC or Embedded Database...............................................................................24 

2.4.2 Windows Group Check (optional)............................................................................... 25 

2.4.2.1 'Pass Back' Mode................................................................................................................ 25 

2.4.2.2 'Reject' Mode..................................................................................................................... 25 

2.4.2.3 'Back-End' Mode.................................................................................................................26 

2.4.3 Digipass User Account Lookup................................................................................... 27 

2.4.4 Dynamic User Registration........................................................................................ 27 

2.5 Local Authentication.....................................................................................................29 

2.5.1 Digipass Lookup...................................................................................................... 29 

2.5.1.1 No Digipass User Account.................................................................................................... 29 

2.5.1.2 Policy Restrictions...............................................................................................................29 

2.5.1.3 Linked User Accounts.......................................................................................................... 30 

2.5.2 Authentication with Digipass..................................................................................... 31 

2.5.2.1 Server PIN.........................................................................................................................31 

2.5.2.2 Grace Period...................................................................................................................... 31 

2.5.2.3 Challenge Generation..........................................................................................................32 

2.5.2.4 Virtual Digipass OTP Generation........................................................................................... 32 

2.5.2.5 Requesting a Virtual Digipass OTP – User Perspective..............................................................33 



2.5.2.6 Request Method and Keyword.............................................................................................. 34 

2.5.2.7 Multiple Digipass or Digipass Applications.............................................................................. 35 

2.5.3 Authentication without Digipass................................................................................. 36 

2.5.3.1 Static Password Verification................................................................................................. 36 

2.5.3.2 Self-Assignment................................................................................................................. 36 

2.6 Back-End Authentication.............................................................................................. 38 

2.6.1 Stored Static Password............................................................................................ 39 

2.6.2 Stored Password Proxy............................................................................................ 39 

2.6.3 Password Autolearn................................................................................................. 39 

2.7 RADIUS Attributes........................................................................................................39 

2.7.1 RADIUS Attribute Settings........................................................................................ 40 

2.7.2 RADIUS Attributes Process....................................................................................... 42 

2.7.3 Multiple SBR Plug-Ins.............................................................................................. 43 

2.8 Supported RADIUS Password Protocols........................................................................45 

2.9 Unsupported by Digipass Plug-In for SBR.................................................................... 45 

2.9.1 Limitations of RADIUS Password Protocols.................................................................. 45 

2.9.2 Unsupported RADIUS Password Protocols................................................................... 46 

3 Administration Interfaces....................................................................................47 

3.1 Administration MMC Interface......................................................................................47 

3.1.1 Active Directory...................................................................................................... 47 

3.1.2 ODBC or Embedded Database................................................................................... 48 

3.2 Digipass Extension for Active Directory Users & Computers......................................... 49 

3.2.1 Context Menu Extensions – Tree Pane........................................................................ 49 

3.2.2 Context Menu Extensions – User Records.................................................................... 49 

3.2.3 Property Sheet Extensions – User Records.................................................................. 50 

3.2.4 Digipass Record Administration................................................................................. 50 

3.3 SBR Plug-In Configuration........................................................................................... 51 

3.4 Digipass TCL Command-Line Administration................................................................ 51 

4 Digipass User Accounts....................................................................................... 53 

4.1 Digipass User Account Creation....................................................................................53 

4.1.1 Manual Creation...................................................................................................... 53 

4.1.2 Dynamic User Registration........................................................................................ 53 

4.1.3 User Self-Management Web Site............................................................................... 53 

4.2 Changes to Stored Static Password.............................................................................. 53 

4.2.1 Password Autolearn................................................................................................. 53 

4.2.2 User Self-Management Web Site............................................................................... 54 

4.3 Administration Privileges............................................................................................. 54 

5 Digipass...............................................................................................................55 

5.1 Digipass Record Functions........................................................................................... 55 

5.1.1 Reset Application.................................................................................................... 55 

5.1.2 Set Event Counter................................................................................................... 55 

5.1.3 Reset PIN............................................................................................................... 55 

5.1.4 Force PIN Change.................................................................................................... 55 

5.1.5 Set PIN.................................................................................................................. 55 

5.1.6 Unlock Digipass...................................................................................................... 55 

5.1.7 Reset Application Lock............................................................................................. 55 

5.1.8 Test a Digipass Application....................................................................................... 56 



5.2 Digipass Programming................................................................................................. 56 

5.2.1 Digipass PIN........................................................................................................... 56 

5.2.2 Time/Event-based Digipass Applications..................................................................... 56 

5.2.3 OTP Length............................................................................................................ 57 

5.2.4 Challenge Length.................................................................................................... 57 

5.3 Digipass Record Settings..............................................................................................57 

5.3.1 Time/Event-based Settings....................................................................................... 57 

5.3.2 Response Length..................................................................................................... 58 

5.3.3 Server PIN............................................................................................................. 58 

5.3.4 Backup Virtual Digipass............................................................................................ 58 

5.4 Assigning Digipass to Users......................................................................................... 60 

5.4.1 Self-Assignment...................................................................................................... 60 

5.4.2 Auto-Assignment..................................................................................................... 61 

5.4.3 Manual Assignment................................................................................................. 62 

5.5 Virtual Digipass Implementation Considerations..........................................................63 

5.5.1 Digipass Assignment Options.................................................................................... 63 

5.5.2 Cost...................................................................................................................... 63 

5.5.3 Security................................................................................................................. 63 

5.5.4 Convenience........................................................................................................... 63 

5.5.5 Gateway and account.............................................................................................. 63 

5.5.6 Limiting Usage of Virtual Digipass.............................................................................. 63 

5.5.6.1 Backup Virtual Digipass Usage Guidelines.............................................................................. 64 

5.5.7 Resetting Virtual Digipass Restrictions........................................................................ 65 

5.5.8 Virtual Digipass Login options................................................................................... 65 

5.5.9 Location of OTP Request Site.................................................................................... 65 

6 Components........................................................................................................ 66 

6.1 Pre-loaded Components............................................................................................... 66 

6.2 Licensing...................................................................................................................... 66 

7 Policies................................................................................................................67 

7.1 Policy Inheritance........................................................................................................ 67 

7.1.1 Show Effective Settings............................................................................................ 68 

7.2 Pre-Loaded Policies...................................................................................................... 69 

7.3 Differences from VACMAN Middleware 2.3................................................................... 70 

7.3.1 Authenticator Setting............................................................................................... 70 

8 Database Integration.......................................................................................... 71 

8.1 Active Directory............................................................................................................71 

8.1.1 What is Stored in Active Directory?............................................................................ 71 

8.1.2 Schema Extensions................................................................................................. 71 

8.1.3 Digipass Records..................................................................................................... 71 

8.1.3.1 Location of Digipass Records................................................................................................ 71 

8.1.3.2 Delegated Administration in Active Directory.......................................................................... 72 

8.1.3.3 Typical Digipass Location Models.......................................................................................... 73 

8.1.4 Search for Digipass Records...................................................................................... 76 

8.1.5 Permissions Needed by the SBR Plug-In..................................................................... 76 

8.1.6 Administrative Permissions....................................................................................... 76 

8.1.7 Active Directory Command Line Utility........................................................................ 77 

8.2 ODBC or Embedded Database....................................................................................... 78 



8.2.1 What is Stored in the Data Store?.............................................................................. 78 

8.2.2 Domains and Organizational Units............................................................................. 78 

8.2.3 Location of Digipass Records..................................................................................... 78 

8.2.3.1 Typical Digipass Location Models.......................................................................................... 80 

8.2.4 Permissions Needed by the SBR Plug-In..................................................................... 82 

8.2.5 Database Command Line Utility................................................................................. 83 

8.2.6 Additional ODBC Databases...................................................................................... 83 

8.2.7 Multiple SBR Plug-Ins.............................................................................................. 84 

8.3 Sensitive Data Encryption............................................................................................ 84 

9 Licensing............................................................................................................. 85 

9.1 Overview...................................................................................................................... 85 

9.2 Obtaining and Loading a License Key........................................................................... 85 

10 Auditing and Tracing........................................................................................... 86 

10.1Audit System................................................................................................................ 86 

10.1.1 Configure Auditing Output........................................................................................ 86 

10.1.2 Audit Viewer........................................................................................................... 87 

10.1.3 Audit message types............................................................................................... 88 

10.1.4 Active Directory Auditing.......................................................................................... 88 

10.2Tracing......................................................................................................................... 88 

11 User Self Management Web Site..........................................................................89 

11.1What is the User Self Management Web Site?.............................................................. 89 

11.2Customizing the User Self Management Web Site.........................................................90 

12 OTP Request Site.................................................................................................91 

12.1What is the OTP Request Site?..................................................................................... 91 

12.1.1 Customizing the OTP Request Site............................................................................. 91 

13 Message Delivery Component..............................................................................92 

13.1What is the Message Delivery Component?.................................................................. 92 

13.2Configuration............................................................................................................... 92 

Alphabetical Index.............................................................................................. 93 



Illustration Index 

Image 1: GO 1......................................................................................................................... 10 

Image 2: GO 3......................................................................................................................... 10 

Image 3: DP 300....................................................................................................................... 10 

Image 4: DP 585....................................................................................................................... 10 

Image 5: DP 260....................................................................................................................... 10 

Image 6: GO 2......................................................................................................................... 10 

Image 7: DP 800....................................................................................................................... 10 

Image 8: Digipass for Pocket PC.................................................................................................. 11 

Image 9: Digipass for SIM.......................................................................................................... 11 

Image 10: Digipass for Palm....................................................................................................... 11 

Image 11: Digipass Plug-In for SBR Components........................................................................... 12 

Image 11: Login Method Processes.............................................................................................. 18 

Image 12: Authentication Process................................................................................................ 19 

Image 13: RADIUS Client Policy Lookup....................................................................................... 20 

Image 14: Name Resolution – Active Directory.............................................................................. 23 

Image 15: Name Resolution – ODBC/Embedded Database.............................................................. 24 

Image 16: Dynamic User Registration Process............................................................................... 28 

Image 17: User Account Link...................................................................................................... 30 

Image 18: Virtual Digipass login.................................................................................................. 33 

Image 19: Multiple Digipass Assignment....................................................................................... 35 

Image 20: RADIUS Attribute Settings in SBR Plug-In Configuration.................................................. 40 

Image 21: RADIUS Attribute Settings in Digipass User Properties..................................................... 41 

Image 22: Set RADIUS Attributes Process..................................................................................... 42 

Image 23: Multiple SBR Plug-Ins Using Same User Attributes.......................................................... 43 

Image 24: Multiple SBR Plug-Ins Using Different User Attributes...................................................... 44 

Image 25: Administration MMC Interface...................................................................................... 47 

Image 26: Digipass Extension for Active Directory Users and Computers........................................... 50 

Image 27: Self-Assignment Process............................................................................................. 60 

Image 28: Auto-Assignment Process............................................................................................ 61 

Image 29: Manual Assignment Process......................................................................................... 62 

Image 30: Component Overview................................................................................................. 66 

Image 31: Policy Inheritance...................................................................................................... 67 

Image 32: Digipass Record Locations - Digipass Pool...................................................................... 73 

Image 33: Digipass Record Locations - Parent Organizational Unit.................................................... 74 

Image 34: Digipass Record Locations - Individual Organizational Units.............................................. 75 

Image 35: Digipass Search window.............................................................................................. 76 



Image 36: Domain and Organizational Unit Overview..................................................................... 78 

Image 37: Digipass Record Locations – Domain Root...................................................................... 80 

Image 38: Digipass Record Locations - Parent Organizational Unit.................................................... 81 

Image 39: Digipass Record Locations - Individual Organizational Units.............................................. 82 

Image 40: Additional ODBC databases......................................................................................... 83 

Image 41: Multiple Plug-Ins Using Single Database........................................................................ 84 

Image 42: OTP Request Site....................................................................................................... 91 


Digipass Plug-In for SBR Product Guide Overview 

1 Overview 

1.1 What is Digipass Plug-In for SBR? 

Digipass Plug-In for SBR is a suite of components that work together to add Digipass twofactor 

authentication to Steel-Belted RADIUS. 

1.2 What is a Digipass? 

A Digipass is a device for providing a One Time Password to a User. A Digipass is provided to 

each person whom a company wishes to be able to log into their system using One Time 

Passwords. The User obtains a One Time Password (OTP) from the Digipass to use instead of, 

or as well as, a static password when logging in. 

Virtual Digipass is a mechanism where an OTP is generated by the server and sent by text 

message to the User's mobile phone. In this case, a physical Digipass device is not needed. 

1.3 Types of Digipass 

Each Digipass is programmed with at least one Digipass Application, and a unique algorithm. 

The Digipass uses this unique algorithm when generating One Time Passwords. 

Each type of Digipass Application generates One Time Passwords from different data, and in 

slightly different ways: 

Response Only 

Creates a One Time Password based on the date and time, or on the number of uses (events). 

Challenge/Response 

Creates a One Time Password (also referred to as a 'Response' in this context) based on a 

numerical challenge given on a login page. This may be either a challenge custom-created for 

the specific Digipass, or a randomly created challenge. The One Time Password may also be 

based on the date and time. 

Digital Signature 

Digital Signature Digipass Applications are typically used in online banking. The Digipass 

generates a unique code - referred to as a 'Digital Signature' - based on a number of factors 

entered, plus (optionally) the date and time, or number of uses (events). In an online banking 

environment, the factors used to generate the Digital Signature during a funds transfer might 

be the debit account number, the destination account number and the amount of money being 

transferred. 

Digital Signatures are not currently in use with the Digipass Plug-In for SBR. 

1.3.1 Hardware Digipass 

Hardware Digipass are devices specifically designed for creation of One Time Passwords. 

Depending on the model supplied, they may be used for Response Only, Challenge/Response 

and Digital Signature methods. 

The three basic types of hardware Digipass are: 



Digipass without keypads 

These are the simplest type of Digipass. They have a triggering mechanism - typically a button 

or action, such as pulling the Digipass open – which causes a One Time Password to be 

generated. They have only one Application, which is Response Only. 

Digipass with keypads 

Image 1: GO 1 Image 2: GO 3 

These are typically capable of supporting more than one Application, and can be programmed 

so that a PIN must be entered before a One Time Password may be accessed. 

Image 3: DP 300 Image 4: DP 585 Image 5: DP 260 

Smartcard reader Digipass 

These provide two-factor authentication based on smartcard technology. 

1.3.2 Software Digipass 

Image 6: GO 2 Image 7: DP 800 

Software Digipass may be installed on a PDA or other mobile device. The User then accesses a 

Digipass program to obtain a One Time Password. They typically support Response Only, 

Challenge/Response and Digital Signature (not supported by Digipass Plug-In for SBR) 

methods. 



Image 8: Digipass for 

Pocket PC 

Digipass for Pocket PC 


SIM 


Palm 

Digipass for Pocket PC turns Pocket PCs and smart phones into a personal hardware security 

device to provide One Time Passwords and Digital Signatures. 

Digipass for Palm 

Like Digipass for Pocket PC, Digipass for Palm allows generation of One Time Passwords and 

Digital Signatures from Palm Pilots and other devices utilising the Palm technology. 

Digipass for SIM 

Digipass for SIM allows a GSM mobile phone SIM card to be used to generate One Time 

Passwords. 

Digipass for Windows 

Digipass for Windows can be installed directly onto a PC. One Time Passwords and Digital 

Signatures can be generated on your computer and pasted into the required login window. 

1.3.3 Virtual Digipass 

Virtual Digipass can be used instead of hardware Digipass tokens, or as a backup mechanism 

when a User has mislaid their hardware Digipass. Using Virtual Digipass means that a User 

may receive a One Time Password on their mobile phone via text message. 

There are two forms of Virtual Digipass available: 

Primary Virtual Digipass are treated by Digipass Plug-In for SBR almost identically to 

hardware and software Digipass – a record of each Primary Virtual Digipass must be imported 

into the data store, and may then be assigned to a User automatically or manually. The User 

will typically log in with their User ID and static password, have a text message sent to their 

mobile phone, and then enter the One Time Password from the text message in the second 

stage of their login. 

The Backup Virtual Digipass feature allows a User to request a One Time Password sent to 

their mobile phone if they do not have their usual Digipass at hand. It may be limited by 

number of uses or days of use – eg. a User may be limited to 2 days' usage, after which they 

will again need to use their usual Digipass to log in. 



1.4 Software Components 

Digipass Plug-In for SBR consists of various components, some necessary and some optional. 

The diagram below shows an overview of the components, and how they interact. 

Image 11: Digipass Plug-In for SBR Components 

1.4.1 Required Components 


This is a Plug-In for SBR that performs the authentication processing. It can receive 

authentication requests from SBR and return an Access-Accept (with attributes if available) or 

Access-Reject. 

Data Store 

All information required by Digipass Plug-In for SBR is stored in Active Directory or an ODBC- 



compliant database. An embedded PostgreSQL database option is provided with Digipass Plug- 

In for SBR. The data store to be used is selected during installation. 

Administration MMC Interface 

This interface is used in slightly different ways, depending on the data store used by Digipass 

Plug-In for SBR. 

Active Directory 

If Active Directory is used as the data store, the Administration MMC Interface will be used for 

administration of Policy, Component and Back-End Server records. 

ODBC Database (including embedded database) 

If an ODBC database is used as the data store, the Administration MMC Interface will be used 

for administration of all VASCO data. 

Regardless of the data store used, administration is carried out by direct connection to the 

data store. 

Active Directory Users and Computers Extension 

A VASCO Extension to the Active Directory Users and Computers interface allows 

administration of additional User settings and Digipass records integrated with standard Active 

Directory User administration. This is only available when Active Directory is used as the data 

store for Digipass Plug-In for SBR. 

Audit System 

The SBR Plug-In provides a comprehensive audit trail of significant processing events such as 

successful and failed authentication attempts. The audit messages can be written to text files, 

the Windows Event Log and/or an ODBC-compliant database. 

1.4.2 Optional Components 

Audit Viewer 

The Audit Viewer is a Windows application that can display and filter audit messages from the 

SBR Plug-In. It can read the data from text files and ODBC databases, or receive a live feed 

from the SBR Plug-In. 

Virtual Digipass 

The VASCO components used for Virtual Digipass are: 

Message Delivery Component 

This is a Service that is responsible for delivering One Time Passwords through a text message 

HTTP gateway to a User’s mobile phone. 

OTP Request Site 

This is a miniature web site that allows a User to request a Virtual Digipass OTP to be sent to 

their mobile phone. 

User Self Management Web Site 

This is a miniature web site that allows Users to make appropriate changes to their own 

Digipass settings, such as PIN changes. This is used in a RADIUS environment, when the 

normal authentication requests are made using a CHAP-based protocol and therefore PIN 



changes and other 'self-management' features are not possible. 

Digipass TCL Command-Line Administration 

Administration may also be carried out using Digipass TCL Command-Line Administration 

Utility, which allows interactive command-line and scripted administration of Digipass Plug-In 

for SBR data. 

1.4.3 Extra Utilities 

These extra utilities may be used with Digipass Plug-In for SBR, but require separate 

installations. 

Data Migration Tool 

The VASCO Data Migration Tool is a general-purpose utility that allows you to migrate your 

data from one VASCO product to another. 

RADIUS Client Simulator 

The RADIUS Client Simulator is a program that simulates RADIUS Authentication and 

Accounting processing in a similar fashion to 'real' RADIUS clients. The RADIUS Client 

Simulator can be used to test Digipass authentication or to estimate performance. 



1.5 Digipass Plug-In for SBR Data Model 

The following kinds of record are stored in the Digipass Plug-In for SBR data store: 

1.5.1 Digipass record 

A Digipass record must exist in the data store for each Digipass in use. This record contains: 

Information about the Digipass (eg. serial number and model) 

The names and programming parameters of Applications in the Digipass 

The status of various options (eg. Digipass lock) 

Some of the information in this record is encrypted together in what is called the 'Digipass 

blob'. There is one 'blob' per Application. 

See 5 Digipass for more information. 

1.5.2 Digipass User account record 

Each User who will be logging in using Digipass authentication will require a Digipass User 

account. The Digipass User account record contains extra information needed by Digipass Plug- 

In for SBR, such as authentication settings. A Digipass must be assigned to a Digipass User 

account before it can be used for authentication. 

Using Active Directory, a Digipass User account is attached to an Active Directory user account 

(as an 'auxiliary class'). It is not possible to create a Digipass User account without an Active 

Directory user account. A Digipass User account is not required for administration, as 

administrative work is carried out using native Active Directory permissions. 

Using a database, Digipass User accounts are stored in a standard database table. They are 

not linked to any external user accounts. Administrative privileges are assigned to Digipass 

User accounts and therefore a Digipass User account is needed for each administrator. 

See 4 Digipass User Accounts for more information. 

1.5.3 Component record 

Component records are created to represent: 

SBR Plug-Ins 

Authentication client components – RADIUS Clients, IIS Modules (not required for 

Digipass Plug-In for SBR) 

Administration client components (not required for Digipass Plug-In for SBR) 

They are used for the following main purposes: 

For authentication clients, to indicate that it is permitted to process an authentication 

request from that client, and to specify an authentication Policy (see below) to be used 

For RADIUS Clients, to hold the Shared Secret 

To holding a license key for SBR Plug-Ins and IIS Modules 

See 6 Components for more information. 



1.5.4 Policy record 

Policies specify various settings that affect the User authentication process. Each 

authentication request is handled according to a Policy that is identified by the applicable 

Component record. 

There are many Policy settings including the following examples: 

Whether Windows or RADIUS authentication should be used 

Whether various automatic management features should be used 

The Digipass Application types required 

Backup Virtual Digipass settings 

See 7 Policies for more information. 

1.5.5 Domain record 

Domains are handled differently by Digipass Plug-In for SBR depending on the data store 

used: 


Digipass Plug-In for SBR operates within the pre-existing Active Directory domain and 

Organizational Unit structure. Each Digipass User and Digipass must belong to a domain in 

Active Directory. 

User IDs must be unique within a domain, but may be repeated between domains. 

While Digipass User account and Digipass records can belong to any domain, a single domain 

is identified during installation as the Digipass Configuration Domain. This domain is used 

to store the Component, Policy and Back-End Server records. It is also used as a default 

domain for user lookup, when no domain is specified. 

ODBC or Embedded Database 

Domains are included to: 

mirror the data structure used in Active Directory (approximately) 

allocate unassigned Digipass records to different Domains, for example to mirror the 

geographic location of the devices 

Domains are created manually using the Administration MMC Interface. 

Each Digipass User and Digipass must belong to a domain. One domain is identified as the 

Master Domain – this will be the default domain when none is specified. In addition, 

administrators in the Master Domain can be given rights to access data in all domains, where 

other administrators are limited to data in their own domain. 

User IDs must be unique within a domain, but may be repeated between domains. Digipass 

serial numbers must be unique in the database. 

1.5.6 Organizational Unit record 

Organizational Units are also handled differently by Digipass Plug-In for SBR depending on the 

data store used: 




Digipass User accounts and Digipass records are normally stored in Organizational Units or the 

Users container. A special container called Digipass-Pool is created during installation to hold 

unassigned Digipass, although they can be located in Organizational Units instead. 

Administration duties may be assigned to administrators per Organizational Unit, in the same 

way that regular user administration is delegated at that level. 


Organizational Units are included to: 

mirror the data structure used in Active Directory (approximately) 

allocate unassigned Digipass records to different Organizational Units, for example to 

mirror the geographic location of the devices 

Digipass User accounts and Digipass records may belong to an Organizational Unit, but this is 

not mandatory. 

1.6 Available Guides 

The following guides are available: 

Product Guide 

The Product Guide will introduce you to the features and concepts of Digipass Plug-In for SBR 

and the various options you have for using it. 

Installation Guide 

Use this guide when planning and working through an installation of Digipass Plug-In for SBR. 

Getting Started 

To get you up and running quickly with a simple installation and setup of Digipass Plug-In for 

SBR. 

Administrator Reference 

In-depth information required for administration of Digipass Plug-In for SBR. This includes 

references such as data attribute lists, backup and recovery and utility commands. 

Data Migration Tool Guide 

Takes you through a data migration from one VASCO product to another, using the VASCO 

Data Migration Tool. 

Help Files 

Context-sensitive help accompanies the administration interfaces. 


Digipass Plug-In for SBR Product Guide Authentication Process 

2 Authentication Process 

2.1 Logging in with a Digipass 

The diagram below shows a typical login process for the three basic login methods supported 

by Digipass Plug-In for SBR. 

Image 11: Login Method Processes 



2.2 Authentication Process Overview 

SBR Plug-In authenticates logins in two basic ways: 

Using information from its data store ('local' authentication) 

Asking a RADIUS server or Windows for verification of information ('back-end' 

authentication) 

The diagram below shows the basic process followed by the SBR Plug-In when authenticating a 

Digipass User login. 

Image 12: Authentication Process 



2.3 Identifying the Policy 

The SBR Plug-In identifies the Policy that will direct the remainder of the authentication 

process directly after the component check. It also checks that the Policy is valid. 

Normally, the Component record identified in the component check is used to select the Policy. 

However, this is not always the case. 

2.3.1 RADIUS Client Policy Lookup 

A RADIUS Client may be a RADIUS server that proxies requests from other sources. If so, you 

may wish to specify different Policies according to the original sources. This can be done by 

creating additional RADIUS Client Component records, using the NAS-IP-Address values 

corresponding to the original sources. For a source that does not include the NAS-IP-Address, 

the NAS-Identifier value should be used instead. There is no need to set a Shared Secret in 

these RADIUS Client Component records, as they are there simply to select a Policy and not to 

authorize requests that come directly from that location. 

The lookup process to identify the Policy for a RADIUS authentication request is shown below. 

Image 13: RADIUS Client Policy Lookup 



2.4 Digipass User Account Lookup and Checks 

The SBR Plug-In performs a number of checks before proceeding to local authentication. 

2.4.1 User ID and Domain Resolution 

In Digipass Plug-In for SBR, Digipass User accounts are identified using a User ID and a 

Domain, not just a User ID. There are a few ways to do this: 

2.4.1.1 Windows Name Resolution 

In Windows environments, there are a few ways to provide these details when logging in: 

Using NT4-style domain qualification in front of the User ID: DOMAIN\userid 

Using the User-Principal-Name as the User ID: user@suffix (note that this is only usable 

in Active Directory, not NT4 Domains) 

With separate User ID and Domain fields (this is not possible using RADIUS) 

When Digipass User accounts correspond to Windows user accounts, the Windows Name 

Resolution feature can be used to support these three login formats. If Active Directory is the 

data store, this is done automatically. With ODBC or an embedded database, it is optional 

whether to user Windows Name Resolution or not. However, if the Windows Name Resolution 

process is enabled and fails, the login is rejected. Therefore, a login with a User ID that does 

not correspond to a Windows user account will be rejected. 

With this feature enabled, Windows is used to resolve the NT4-style and User-Principal-Name 

User ID formats. In addition, if an Active Directory Domain name is passed as a separate 

parameter in short form (eg. VASCO instead of vasco.com), Windows is used to resolve to the 

Fully Qualified Domain Name (eg. vasco.com). Otherwise, Windows resolution does not occur. 

For ODBC/embedded database, Windows Name Resolution is enabled using the 

Authentication Server Configuration program. Click the Configure Advanced Settings 

button on the ODBC Connection tab to get the Advanced Settings dialog; check the Use 

Windows User Name Resolution checkbox. 

2.4.1.2 Simple Name Resolution (ODBC/embedded database only) 

When Windows Name Resolution is not used, the following formats are available: 

Using a similar format to User-Principal-Name: user@domain 

With separate User ID and Domain fields (this is not possible using RADIUS) 

If the user@domain format is used for the User ID, the SBR Plug-In will look for a Domain 

record with the name given after the @. If the Domain is found, the @domain part will be 

stripped from the User ID before the authentication process continues. If it is not found, the 

User ID will be left as user@domain, and no Domain will be identified. In that case, the 

Default Domain processing will be used, as described next. 

2.4.1.3 Default Domain 

Using either Windows or Simple Name Resolution, if none of the above formats are used, only 

the User ID is given, with no Domain qualification. It is still necessary to identify the Domain in 

order to look up the Digipass User account. 

The Default Domain can be configured in the following ways: 



In the Policy record, the Default Domain field can be set. If this is set, it will be used 

when no Domain has been identified by the Windows or Simple Name Resolution. 

Using Active Directory as the data store, when the Policy has no Default Domain set, the 

Digipass Configuration Domain will be used. 

Using an ODBC or embedded database as the data store, when the Policy has no Default 

Domain set, the Master Domain will be used. 

2.4.1.4 Active Directory User Account 

When Active Directory is used as the data store, Digipass User accounts are always attached to 

Active Directory User accounts. Therefore, if an authentication request is received for a User 

who does not have an account in Active Directory, the request is rejected. 

This is not mandatory for an ODBC or embedded database. 



2.4.1.5 Summary: Active Directory 

The full process of User ID and Domain name resolution is illustrated in the following diagram, 

for the case where Active Directory is the data store: 

Image 14: Name Resolution – Active Directory 



2.4.1.6 Summary: ODBC or Embedded Database 

The full process of User ID and Domain name resolution is illustrated in the following diagram, 

for the case where an ODBC or embedded database is the data store: 

Image 15: Name Resolution – ODBC/Embedded Database 



2.4.2 Windows Group Check (optional) 

Specific Windows Groups can be selected for authentication by the SBR Plug-In. This 

Windows Group Check feature might be used when: 

Deploying Digipass in stages. Users are not required to log in using a Digipass until they 

are put into a Windows group. They can be put into the group in manageable stages. 

Two-factor authentication is needed only for access to sensitive data, which has been 

granted to certain Users (for example, administrators). Only this group of people will 

require Digipass, and will be authenticated by the SBR Plug-In. Other Users will be 

authenticated by another authentication method. 

Most Users will have Digipass and be permitted to log in to the system, but some Users 

should not be authenticated under any circumstances. 

Authentication is needed for the live Audit Viewer connection to the SBR Plug-In, when 

using Active Directory as the data store. The Group Check can be used to limit which 

users are allowed to connect, for example to the Domain Admins group. 

When the Group Check is active, Users who are in one of the defined groups go through the 

full authentication process. However, there are a few Group Check Modes that control the 

outcome for Users who are not in one of the groups. The Group Check Mode is defined in the 

Policy. 

One or more Windows Group names must be defined in a Group List in the Policy. Group 

membership is checked within the User's own domain only, therefore these Groups must exist 

in each domain where there are Users who need to be included in a Group. 

Note 

It is important to note that when the Group Check is used, if the Group Check 

fails, the login will fail. This will occur for a user who is unknown to Windows. 

The following Group Check Modes are available: 

2.4.2.1 'Pass Back' Mode 

The full name in the Policy property sheet for this mode is: 

Pass requests for users not in listed groups back to host system 

The SBR Plug-In does not handle authentication for Users who are not in one of the defined 

groups. These Users are handled by Steel-Belted RADIUS. In effect, this means that they do 

not need to have Digipass User accounts and they do not need to use a Digipass to log on. As 

soon as the Group Check indicates that the User is not to be handled, authentication 

processing stops and the 'not handled' result is returned. 

This mode is suitable for staged deployment of Digipass and for the case where only certain 

Users need strong (Digipass) authentication. 

2.4.2.2 'Reject' Mode 


Reject requests for users not in listed groups 

The SBR Plug-In rejects authentication immediately for Users who are not in one of the defined 

groups. 



This mode is suitable for restricting which Users are permitted to log in. 

2.4.2.3 'Back-End' Mode 


Use only Back-End Authentication for users not in listed groups 

This mode can be used when Back-End Authentication is set up (see 2.6 Back-End 

Authentication). The SBR Plug-In will just use Back-End Authentication for Users who are not 

in one of the defined groups. 

Back-End Authentication will be used for the out-of-group Users even if the Policy setting for 

Back-End Authentication is set to None. In that case, the in-group Users would be 

authenticated only by Local Authentication, while the out-of-group Users would be 

authenticated only by Back-End Authentication. However, it is necessary to define the Back- 

End Protocol Policy setting. 

This mode is suitable for staged deployment of Digipass and for the case where only certain 

Users need strong (Digipass) authentication. 



2.4.3 Digipass User Account Lookup 

The SBR Plug-In checks that the User attempting to log in has a Digipass User account in the 

Digipass Plug-In for SBR data store. The User ID and Domain Resolution performed earlier 

determines the search criteria to look up the Digipass User account. 

If a Digipass User account is found, the Disabled and Locked indicators are checked. If either 

is set to Yes, the authentication request is rejected immediately. 

If no Digipass User account is found, then Policy settings will determine whether the SBR Plug- 

In continues processing or rejects the authentication request: 

If Local Authentication is required, a Digipass User account must exist. It is only 

possible to proceed if the Dynamic User Registration feature is enabled. This is 

explained further below. 

If Local Authentication is not required, authentication processing can proceed without 

a Digipass User account. 

If the Local Authentication Policy setting is None, no Local Authentication is required. If it is 

set to Digipass/Password or Digipass Only, Local Authentication is required. 

2.4.4 Dynamic User Registration 

Dynamic User Registration (DUR) allows Digipass User accounts to be created automatically 

when their credentials are validated by Back-End Authentication (ie. by Windows or a 

RADIUS server). The correct static password will be sufficient to permit a Digipass User 

account to be created. DUR saves the administrative work of manually creating or importing 

Digipass User accounts. 

It is typically used in conjunction with: 

the Digipass Auto-Assignment feature, which will assign the next available Digipass to 

the new Digipass User account as it is created, or 

the Digipass Self-Assignment feature, which will allow the new User to assign a 

Digipass to their account as part of their login process 

For more details on these Digipass assigment features, see 5 Digipass. 

In order to control the creation of new accounts, DUR can be used with: 

the Windows Name Resolution feature (this is mandatory for Active Directory); this 

will prevent more than one Digipass User account being created for the same Windows 

User account, when they use different User ID formats to log in 

the Windows Group Check feature, so that a staged creation of Digipass User accounts 

and assignment of Digipass is achieved 

A typical DUR process using Auto-Assignment and the Windows Group Check is illustrated 

below. 



Image 16: Dynamic User Registration Process 



2.5 Local Authentication 

Local Authentication is a term used to describe the SBR Plug-In authenticating a User based 

on information in its data store. Typically the Digipass One Time Password is required, but in 

other cases a static password may be sufficient. 

The Local Authentication Policy setting indicates whether to perform Local Authentication, 

and if so, whether a static password is permitted. This setting is overridden by the same 

setting in the Digipass User account, unless that has the value Default. However, this setting in 

the Digipass User account would typically be used only for rare special case Users. 

Using the Windows Group Check in Back-End Mode, this setting can be overridden. If a User 

is not in the list of groups, no Local Authentication will be performed. 

The possible values for the Local Authentication setting are as follows: 

None 

No Local Authentication will take place. 

Digipass/Password 

A Digipass One Time Password or static password may be verified. As a general rule, until a 

User starts to use a Digipass, they may continue to authenticate with their static password. 

Digipass Only 

A Digipass One Time Password must be verified. Users without Digipass will not be able to log 

in. However, Self-Assignment is still possible, as an OTP is used as part of the process. 

2.5.1 Digipass Lookup 

The first step of Local Authentication is to search for Digipass records applicable to the login. 

Normally, this is a simple search for all Digipass assigned to the Digipass User account. 

However, there are exceptions: 

2.5.1.1 No Digipass User Account 

If there is no Digipass User account, no search will be done. This can occur if Dynamic User 

Registration is enabled. 

2.5.1.2 Policy Restrictions 

The Policy can specify restrictions on which types of Digipass and/or Digipass Applications may 

be used. Any combination of the following restrictions can be defined: 

Application Names – a list of named Applications. Only Digipass that have one or more 

of the named Applications will be usable. 

Application Type – either Response Only or Challenge/Response (Signatures are not 

currently supported in Digipass Plug-In for SBR). Only Digipass with that Application 

Type will be usable. 

Digipass Type – a list of models such as DPGO3, DP260. Only Digipass from the listed 

models will be usable. 

Therefore, it is possible that a Digipass User account that has a Digipass assigned is not able 

to use that Digipass to log in, when a certain Policy applies. They will be regarded as a User 



without a Digipass in that case. In a different kind of login, a different Policy may apply, with 

no restrictions. Then they would be treated as a User with a Digipass. 

For example, a company has Go 3 Digipass (DPGO3) and Primary Virtual Digipass (DPVTL). 

The Outlook Web Access login permits both, so its Policy does not restrict Digipass Types. 

However the RADIUS VPN login requires the Go 3, so its Policy specifies Digipass Type = 

DPGO3. 

2.5.1.3 Linked User Accounts 

If a person has two Digipass User accounts, for example an administrative account and a 

'normal user' account, the two accounts can be linked together. This provides the ability for 

the two accounts to share a Digipass. The Digipass is assigned to one of the accounts, then the 

other account is linked to it. 

Image 17: User Account Link 

When an authenticating Digipass user account is linked to another, the search for Digipass will 

be done for the other account. In the example above, Digipass User account 2 is linked to 

Digipass User account 1. The Digipass is assigned to Digipass User account 1. When Digipass 

User account 1 logs in, the Digipass search is for that account. When Digipass User account 2 

logs in however, the Digipass search is for Digipass User account 1. 



2.5.2 Authentication with Digipass 

When the Digipass lookup returns at least one Digipass record, authentication processing 

requires a valid One Time Password to succeed, unless: 

All Digipass found are within a Grace Period. This feature is described below. 

The User successfully requests a Challenge for Challenge/Response (see below). 

The User successfully requests a Virtual Digipass One Time Password (see below). 

2.5.2.1 Server PIN 

A Server PIN may be required in addition to the One Time Password. The Server PIN is 

entered during login with the OTP – instead of a Digipass PIN, which is entered into the 

Digipass device. In some cases a new Server PIN may need to be set. This gives the following 

permutations: 

OTP – the normal login where a Server PIN is not required. 

PINOTP – the normal login where a Server PIN is required. 

PINOTPnewpinnewpin – to change the Server PIN, the new PIN is put twice after the 

OTP. 

OTPnewpinnewpin – to set the Server PIN on first use, when no initial PIN was 

programmed, the new PIN is put twice after the OTP. This is also necessary after an 

administrative PIN reset. 

2.5.2.2 Grace Period 

Each Digipass may be given a Grace Period when it is assigned to a Digipass User account. 

The Grace Period is there to allow some time before the User receives the Digipass and learns 

how to use it. The first time that the User logs in successfully with their Digipass, the Grace 

Period is ended. After that, they have to continue to use the Digipass. The Grace Period is time 

limited, so that the User is not able to delay too long before they start to use the Digipass. 

The Grace Period can be set during manual administrative assignment of Digipass as well as 

during Auto-Assignment. However, it is not applicable to Self-Assignment, because the 

User must use the Digipass to complete the Self-Assignment process. 

The Grace Period cannot apply when the Local Authentication setting is Digipass Only. 

During the Grace Period, if OTP validation fails, the static password is checked. If the static 

password is valid, Local Authentication succeeds (but note that Back-End Authentication, if 

used, can subsequently still cause the overall login to fail). 

The password is compared against the Digipass User account's password value. However, if the 

Digipass User account does not have a password set, the password has to be verified with 

Back-End Authentication. If there is no Back-End Authentication and no password in the 

Digipass User account, Grace Period password logins will not work. 

If the passwords do not match and Back-End Authentication is enabled, the password will be 

verified with Back-End Authentication. 



2.5.2.3 Challenge Generation 

There are two modes of Challenge generation for Challenge/Response: 

2-Step Challenge/Response 

This is the only mode possible for RADIUS but it can also be used for Web authentication, 

where Challenge/Response is supported (IIS6 form-based authentication). In this mode, the 

authentication process takes place in two steps. 

First, the User requests a Challenge to be generated for them. The Policy defines how this 

request should be made, with the Request Method and Request Keyword settings (see 

below for more details on Request Methods). The Challenge is generated specifically for their 

Digipass, according to its programming. 

Assuming that the request for the Challenge is accepted and a Challenge is returned, the User 

submits a second step login with the Response to the Challenge as their OTP. This second step 

goes through the whole authentication process again to verify the Response. 

1-Step Challenge/Response 

This mode is possible for Web authentication, where Challenge/Response is supported (IIS6 

form-based authentication). In this mode, the User sees only one logon step. This mode is 

suitable for time-based Challenge/Response, but is less secure for non-time based 

Challenge/Response. If an attacker manages to capture some valid Responses, they can 

repeatedly request new Challenges until one they know comes up again. 

A random Challenge is requested automatically by the IIS Module and presented to the User 

on the login page. A general-purpose Challenge is generated, without reference to any 

particular Digipass' programming. The User logs in with their Response to the Challenge as 

their OTP. 

2.5.2.4 Virtual Digipass OTP Generation 

Using Virtual Digipass, the authentication process takes place in two steps. 

First, the User requests an OTP to be generated and delivered to them. The Policy defines how 

this request should be made, with the Request Method and Request Keyword settings (see 

below for more details on Request Methods). The OTP is generated specifically for their 

Digipass, according to its programming. It is sent to their mobile phone number, as recorded 

in the Digpass User account. 

Backup Virtual Digipass has additional restrictions on usage, to keep the cost of text 

messages down. These are verified before an OTP will be generated. These restrictions are 

described in 5 Digipass. 

Assuming that the request for the OTP is accepted and an OTP is generated and delivered 

successfully, the User submits a second step login with the OTP. This second step goes through 

the whole authentication process again to verify the OTP. 

This process is illustrated below: 



Image 18: Virtual Digipass login 

2.5.2.5 Requesting a Virtual Digipass OTP – User Perspective 

There are three ways a User might request a One Time Password to be delivered with either a 

Primary or Backup Virtual Digipass: 

2-step Login 

Two login prompts are used to provide an easy-to-use login interface for Users with Virtual 

Digipass. The first prompt is used to request an OTP, the second to enter the received OTP. 

This can be used with applications which support 2-step logins eg. Citrix Web Interface, 

RADIUS with support for Challenge/Response. 

Two 1-step Logins 

The User must attempt two logins, the first of which will fail but will initiate the sending of an 

OTP to the User’s mobile. This is used when the 2-step login process is not supported – eg. 

RADIUS without support for Challenge/Response, Web HTTP Basic Authentication. 

OTP Request Site 

Alternatively – especially if a more user-friendly option than the previous is needed - Users can 

go to the OTP Request site when they need an OTP sent to their mobile phone, then login 

normally at the usual login screen. 



2.5.2.6 Request Method and Keyword 

For 2-Step Challenge/Response and Virtual Digipass, the method of requesting a 

Challenge or OTP respectively can be defined in the Policy. The methods for Primary Virtual 

Digipass and Backup Virtual Digipass are defined separately. The request methods are: 

Password – the static password. 

Keyword – a fixed keyword, which can be blank. 

PasswordKeyword – the static password followed by a fixed keyword, with no whitespace 

or separating characters inbetween. 

KeywordPassword – a fixed keyword followed by the static password, with no whitespace 

or separating characters inbetween. 

None – no method, the feature is disabled. 

The static password in the request method is compared against the Digipass User account's 

password value. However, if the Digipass User account does not have a password set, the 

password has to be verified with Back-End Authentication. If there is no Back-End 

Authentication and no password in the Digipass User account, the request methods that use a 

password will not work. 



The methods of requesting these three login processes can be the same. When it recognizes a 

request, the SBR Plug-In will verify that there is a Digipass capable of that login process. If 

there is not, it will ignore the request. 

For example, say that the request methods for Primary and Backup Virtual Digipass are both 

defined as keyword “otp”. A User has a Go 3 with Backup Virtual Digipass enabled. When they 

login with the keyword “otp”, the SBR Plug-In will produce a Backup Virtual Digipass OTP, 

because the User does not have a Primary Virtual Digipass. 



2.5.2.7 Multiple Digipass or Digipass Applications 

A Digipass User may have multiple Digipass assigned to their User account, and/or multiple 

Applications enabled for a Digipass. If so, the SBR Plug-In will need to know which Digipass 

and Digipass Application will be used for a particular login for the User. 

Image 19: Multiple Digipass Assignment 

Once the Policy restrictions on Applications and Digipass Types are taken into account, there 

may still be more than one Digipass Application that could be used. In that case, the SBR Plug- 

In will check the OTP with each one. Any one of them can validate the OTP. 

A Grace Period may be applied to each Digipass assigned to a Digipass User. Because an 

applied Policy might restrict which Digipass can be used during a login, the Grace Period on 

each Digipass is independent of other Digipass. This means that if a User is assigned two 

Digipass, each with a Grace Period of seven days, the User may log in using one Digipass 

within the seven-day period (ending the Grace Period for that Digipass) without affecting the 

Grace Period for the other Digipass. 

Example 

The company has set up Policies which require a Response Only login via the local area 

network, and a Challenge/Response login via the internet – limited to certain employees. 

John has two Digipass assigned to him – a DP300 with the Challenge/Response application 

enabled, and a Go 3 with a Response Only application. The Digipass are both assigned on 

Tuesday. 

John receives his Go 3 on Friday, and immediately uses an OTP to login. His grace period for 

the Go 3 ends at that time – in future he must use the Go 3 when logging into the intranet 

from the LAN. 

Over the weekend, John needs to access the company intranet from home. Because a 

Challenge/Response login is required via the internet and he does not yet have his DP300, 

he uses only his User ID and static password to log in. As he is still within the grace period 

for the DP300, the login is valid. 



2.5.3 Authentication without Digipass 

When the Digipass lookup does not return a Digipass record, authentication processing 

requires a static password check to succeed. In addition, Self-Assignment is possible when 

the Digipass lookup does not return any Digipass. 

2.5.3.1 Static Password Verification 

The password is compared against the Digipass User account's password value. If the static 

password is valid, Local Authentication succeeds (but note that Back-End Authentication, if 

used, can subsequently still cause the overall login to fail). 

However, if the Digipass User account does not have a password set, the password has to be 

verified with Back-End Authentication. If there is no Back-End Authentication and no password 

in the Digipass User account, authentication without Digipass cannot work. Similarly, during 

Dynamic User Registration, where there is no Digipass User account yet, the password has 

to be verified with Back-End Authentication. 



If the Local Authentication setting is Digipass Only, static password verification on its own is 

not permitted. An OTP must be used during login. This is possible using Self-Assignment. 

2.5.3.2 Self-Assignment 

A User is able to assign a Digipass to their Digipass User account using the Self-Assignment 

mechanism, when permitted by the Policy settings. The Assignment Mode setting must be 

Self-Assignment. 

In order for Self-Assignment to succeed, the User needs to provide the following: 

A static password, validated by Back-End Authentication. 

The Serial Number of an available Digipass record. 

A valid OTP for the Digipass. 

A new Server PIN, if required. 

The Self-Assignment process is possible during Dynamic User Registration. It is also possible 

when the Local Authentication setting is Digipass Only. 

Response Only 

For a Digipass that supports Response Only, the User needs to enter the following in the 

password login field, depending on whether a Server PIN is needed or not: 

SERIALNUMBERpasswordOTP – where a Server PIN is not required. 

SERIALNUMBERpasswordPINOTP – where a Server PIN is required. 

SERIALNUMBERpasswordOTPnewpinnewpin – where a Server PIN is required and no 

initial PIN was set. 




For a Digipass that supports only Challenge/Response, this process requires two steps. In 

the first step, the static password and Serial Number are given. This results in a Challenge 

being returned. If the correct Response is given to the Challenge, the Self-Assignment is 

successful. 

Step 1: SERIALNUMBERpassword 

Step 2: OTP 

Serial Number Format 

The SERIALNUMBER may be entered in one of two formats, depending on the Serial No. 

Separator Policy setting. 

No separator specified – the full 10 digit Serial Number must be entered, with no dashes 

(-) or spaces, for example 0097123456. 

Separator value specified – the Serial Number can be entered as written on the back of 

the Digipass, for example 9-712345-6. 



2.6 Back-End Authentication 

Back-End Authentication is a term used to describe the process of checking User credentials 

with another system – in this case, Windows. It is used for various purposes, including: 

Password Replacement – allowing the User to log in with just a One Time Password, in 

an environment where the Windows password is required 

Enabling automatic management features such as Dynamic User Registration and 

Self-Assignment 

Static password verification for Users who do not have a Digipass and for Virtual Digipass 

The Back-End Authentication Policy setting indicates whether to perform Back-End 

Authentication, and if so, when to do it. This setting is overridden by the same setting in the 

Digipass User account, unless that has the value Default. However, this setting in the Digipass 

User account would typically be used only for rare special case Users. 

Using the Windows Group Check in Back-End Mode, this setting can be overridden. If a User 

is not in the list of groups, Back-End Authentication will be performed whether it is enabled or 

not. 

The Back-End Protocol setting indicates whether Back-End Authentication uses Windows or 

RADIUS (not supported in Digipass Plug-In for SBR). 

The possible values for the Back-End Authentication setting are as follows: 

None 

The SBR Plug-In will not utilize Back-End Authentication. 

Always 

The SBR Plug-In will use Back-End Authentication for every authentication request. This is 

necessary if you require RADIUS attributes for each login. 

If Needed 

Back-End Authentication will only be used in situations where Local Authentication is not 

sufficient and to support certain features: 

Dynamic User Registration 


Password Autolearn (see below) 

Requesting a Challenge or Virtual Digipass OTP, when the Request Method includes a 

Password 

Static password authentication, when verifying a Virtual Digipass password-OTP 

combination or during the Grace Period 



2.6.1 Stored Static Password 

The Digipass User account has a Stored Static Password field. When Back-End 

Authentication is used, this field can be used: 

To store the static password required for Back-End Authentication. This means that the 

User does not need to type in the static password at each login, they only need enter the 

OTP. The SBR Plug-In can retrieve the Stored Static Password from the Digipass User 

account and use it for Back-End Authentication. 

To support Password Replacement. Back-End Authentication is used to learn the static 

password so that it can be replayed to the host system (eg. Outlook Web Access) when a 

successful OTP is given. 

Two product features are used to support this usage of the Stored Static Password: Stored 

Password Proxy and Password Autolearn. 

2.6.2 Stored Password Proxy 

When the Stored Password Proxy setting is enabled in the Policy, the SBR Plug-In will 

retrieve the Stored Static Password from the Digipass User account. If Back-End Authentication 

is required for a login, the Stored Static Password will be used. If there is a host system (eg. 

Outlook Web Access), the Stored Static Password will be returned to it, for it to complete its 

login process. 

However, if the User enters a static password in front of their OTP, the static password they 

enter will take precedence over Stored Static Password. In that case, the Stored Static 

Password will not be used at all for that login. 

When the Stored Password Proxy setting is not enabled in the Policy, the Stored Static 

Password will not be used for Back-End Authentication. If Back-End Authentication is required 

for a login, the User will have to enter the static password. This is done in front of the OTP if 

an OTP is also used. Similarly, if there is a host system that requires a static password to be 

returned, the User will have to enter the static password. 

2.6.3 Password Autolearn 

When the Password Autolearn feature is enabled in the Policy, the SBR Plug-In will 

automatically store the static password when it is verified by Back-End Authentication. This can 

happen at any time from Dynamic User Registration onwards. 

If the User's static password has changed in the Back-End Authentication system (Windows or 

the RADIUS server), they need to provide the new static password during their next login. This 

is done in front of the OTP if an OTP is used. When the SBR Plug-In sees that the User has 

entered a static password, if it does not match the Stored Static Password already, Back-End 

Authentication will occur to verify the new password. If it is verified, the Stored Static 

Password will be updated. 

2.7 RADIUS Attributes 

If RADIUS attributes are required for User logins, the SBR Plug-In can support this in two 

ways: 

RADIUS Profile 

An SBR RADIUS Profile can be set for default usage (all Policies), or for individual User 



accounts. The SBR Plug-In will return the name of the required RADIUS Profile to SBR during 

the authentication. This is the most common method of supporting RADIUS attributes with the 

SBR Plug-In. 

If the configured RADIUS Profile is not found in SBR, the authentication request will fail. 

User Attributes 

Individual User attributes may be set for a Digipass User account. This may be in place of, or 

in addition to, setting a RADIUS profile. The SBR Plug-In will return to SBR the name and value 

of any attributes set for a Digipass User during authentication. 

These conditions must be met: 

The attribute(s) set for the Digipass User account must exist in the loaded dictionaries in 


The value set for each attribute must be a valid (eg. must match required data type) 

If these conditions are not met, SBR will fail the login. 

2.7.1 RADIUS Attribute Settings 

Image 20: RADIUS Attribute Settings in SBR Plug-In Configuration 

Attribute Group 

An Attribute Group is specified in the configuration of a SBR Plug-In. When multiple SBR Plug- 

Ins are in use, the specified Attribute Group ensures that only attributes required by the 

specific SBR Plug-In are used. 

Default Profile 

The Default Profile is the name of an existing SBR Profile. It is used where specific user 

attributes or a Profile have not been set for the User being authenticated. 

Profile Attribute Name 

A Profile Attribute Name is specified in the configuration of a SBR Plug-In. When multiple SBR 

Plug-Ins are in use, the specified Profile Attribute Name ensures that only Profiles required by 

the specific SBR Plug-In are used. 



Image 21: RADIUS Attribute Settings in Digipass User Properties 

Usage 

Three options are available for attribute Usage: 

Value 

A Check attribute is used to ensure that an attribute supplied by SBR contains the 

expected value. 

A Return attribute is passed back to SBR when the result of an authentication is 

returned by the SBR Plug-In. 

Profile indicates that the value entered is the name of a Profile existing in SBR. 

The Value set for an attribute will be the required value of the named attribute. For a Profile, 

the Value will be the name of the Profile in SBR. 

Example 

In the two screenshots above, where the SBR Plug-In is configured to use the Attribute 

Group RADIUS and the Profile Attribute Name SBR1, the following user attributes would be 

used because they were created in the RADIUS Attribute Group: 

Callback-Number 

Login-IP-Host 

The VASCOGETTINGSTARTED Profile would be used, because its Profile Attribute Name is set 

to SBR1. The VPN Profile setting would be ignored by the SBR Plug-In because it uses a 

different Profile Attribute Name than the SBR Plug-In is configured to look for. 



2.7.2 RADIUS Attributes Process 

Image 22: Set RADIUS Attributes Process 



2.7.3 Multiple SBR Plug-Ins 

Where multiple SBR Plug-Ins are in use, you may need to use different RADIUS attributes for 

each. There are two basic scenarios that may be applicable: 

Use Different RADIUS Profiles but User Attributes are Identical 

In this scenario, each SBR Plug-In needs to use a different RADIUS Profile, but individual user 

attributes are the same across all SBR Plug-Ins. Or, no user attributes are required. 

Configure each SBR Plug-In to use the same Attribute Group, but different Profile Attribute 

Names. 

Image 23: Multiple SBR Plug-Ins Using Same User Attributes 



Use Different User Attributes 

In this scenario, each SBR Plug-In needs to use different user attributes. 

Configure different Attribute Groups for each SBR Plug-In and, if required, configure different 

Profile Attribute Names to use in specifying Profiles. 

Image 24: Multiple SBR Plug-Ins Using Different User Attributes 



2.8 Supported RADIUS Password Protocols 

The following protocols are supported by Digipass Plug-In for SBR: 

PAP 

CHAP 

MS-CHAP with MPPE (Microsoft Point-to-Point Encryption) 

MS-CHAP2 with MPPE 

Various EAP types 

Some protocols do not support all authentication features of Digipass Plug-In for SBR. See 2.9 

Unsupported by Digipass Plug-In for SBR and the Login Permutations section of the 

Administrator Reference for more information. 

EAP 

Any EAP type which SBR translates to one of the above password protocols can be 

supported. This includes PEAP and EAP-TTLS. 

These steps must be followed to configure the 'Digipass Authentication' Authentication 

Method: 

Enable the 'Handle via Auto-EAP first' option. 

Enable the required EAP types. 

Support for the following have been specifically tested: 

MD5-Challenge 

Microsoft PEAP using EAP-MS-CHAP2 

Cisco PEAP using EAP-Generic-Token 

2.9 Unsupported by Digipass Plug-In for SBR 

2.9.1 Limitations of RADIUS Password Protocols 

Some features of the SBR Plug-In are not supported with CHAP or MS-CHAP. These protocols 

hash login data together, making separation of various entries impossible. 

The unsupported features are outlined below: 

Self-Assignment of Digipass cannot be performed. 

The Server PIN cannot be changed. 

Challenge/Response is not supported. 

Windows Back-End Authentication is not supported unless the User ID and Windows 

password are manually stored, and Stored Password Proxy is enabled. 

Password Autolearn is not supported, as clear text passwords cannot be identified. 

The User Self-Management Web Site, when utilized, can circumvent many of these problems 

by allowing Users to manage their account and Digipass. It uses RADIUS with the PAP 

password protocol. Users can: 

Perform Self-Assignment 

Change their Server PIN 



Change their own Stored Static Password 

2.9.2 Unsupported RADIUS Password Protocols 

MS-CHAP with LM Hash 

The password change mechanism for MS-CHAP and MS-CHAP2 


Digipass Plug-In for SBR Product Guide Administration Interfaces 

3 Administration Interfaces 

The main user interfaces available for administration of Digipass Plug-In for SBR are 

introduced in this section. 

3.1 Administration MMC Interface 

The Administration MMC Interface allows administration of Policy and Component 

records. When an ODBC or embedded database is used as the data store, it is also used to 

administer Digipass, Digipass User account, Domain and Organizational Unit records. 

The following screen includes these additional objects (when using Active Directory, you will 

not see them). 

Image 25: Administration MMC Interface 

To open the Administration MMC Interface, click on the Start Button and select Programs -> 

VASCO -> Digipass Plug-In for SBR3 -> Administration MMC Interface. It can also be 

added to any Microsoft Management Console using the File -> Add/Remove Snap-in... 

menu and adding the Digipass Administration snap-in. 

The differences between the Active Directory and database versions are outlined below. 

3.1.1 Active Directory 

In the tree pane, a Domain node is needed to define the Digipass Configuration Domain 



(the Fully Qualified Domain Name is required). This is configured for you by the installation 

when the SBR Plug-In is on the same machine as the Administration MMC Interface. 

To log in, right-click on the Domain node and select the Connect... menu option. No logon 

screen is presented - an implicit logon to Active Directory will be carried out using your current 

Windows user context. 

The Administration MMC Interface will make an LDAP connection to Active Directory. 

Administration does not take place via the SBR Plug-In. Your administrative permissions will 

depend on the permissions that your Active Directory user account has within Active Directory. 

When do new settings take effect? 

For Active Directory, when settings are changed with this program, the new values will not 

always take effect immediately. This is because the SBR Plug-In keeps Policy and Component 

records in memory caches. The SBR Plug-In will periodically re-read the records (by default, 

every 15 minutes) so that updates do take effect eventually. 

However, you need to take into account the delay of Active Directory Replication, if the 

administration change is made using a different Domain Controller to the one used by the SBR 

Plug-In (especially when there are multiple SBR Plug-Ins in different sites). An SBR Plug-In 

cannot update its cache with new settings until Active Directory Replication has updated them 

on its local Domain Controller. 

Restarting the SBR Plug-In forces it to re-load its caches, so that settings changes take effect 

immediately (assuming that Active Directory Replication is not needed or has completed). 

3.1.2 ODBC or Embedded Database 

In the tree pane, an SBR Plug-In node is needed to specify the location (IP address and port) 

of the SBR Plug-In. This is configured for you by the installation when the SBR Plug-In is on 

the same machine as the Administration MMC Interface. 

To log in, right-click on the SBR Plug-In node and select the Connect... menu option. A logon 

screen is presented – log in using your Digipass User account User ID and password. Once 

your Digipass User account has a Digipass, you will need to use it to log into the 

Administration MMC Interface. 

However, like all authentication processing, the administration logon process is subject to 

Policy settings. You may decide to change the settings in the default VM3 Administration Logon 

Policy, or even select a different Policy. 

The Administration MMC Interface will make an encrypted TCP/IP connection to the SBR Plug- 

In. It will then make an administrative logon request using this connection. If the logon is 

successful an administrative session will be established. Your administrative permissions within 

this session will depend on the Administrative Privileges of your Digipass User account (see 

4 Digipass User Accounts). 


For an ODBC or embedded database, when settings are changed with this program, the new 

values will always take effect immediately. The changes are made through the SBR Plug-In, so 

it will update its caches immediately. 

When multiple SBR Plug-Ins are used with Digipass Plug-In for SBR Replication, all SBR Plug- 

Ins' caches will be updated by the Replication process. 



3.2 Digipass Extension for Active Directory Users & Computers 

The Digipass Extension for Active Directory Users and Computers allows administration 

of Digipass User accounts and Digipass records within the Active Directory Users and 

Computers interface. 

Note 

The Digipass Extension for Active Directory Users and Computers is only used 

when Active Directory is utilized as the data store. 

The extension adds context menu options, User property sheet tabs and a property sheet for 

the Digipass records, as outlined below. 

To open the Active Directory Users and Computers, a shortcut is provided in the Start Menu. 

Click on the Start Button and select Programs -> VASCO -> Digipass Plug-In for SBR 3 

-> Active Directory Users and Computers. On Windows XP and Windows Server 2003, 

where the Saved Queries feature is available, the console file reached from this Start Menu 

shortcut has several Saved Queries pre-loaded. 

However, you can run Active Directory Users and Computers from the usual Administrative 

Tools shortcut or any other saved Microsoft Management Console. In that case, you will need 

to import the Saved Queries into that console if you wish to use them. 

No logon screen is presented by the extension - an implicit logon to Active Directory will be 

carried out using your current Windows user context. It will connect to the same Domain 

Controller as the Active Directory Users and Computers connection. 

The extension will make its own LDAP connection to Active Directory. Administration does not 

take place via the SBR Plug-In. Your administrative permissions will depend on the permissions 

that your Active Directory user account has within Active Directory. 


When settings are changed with the extension, the new values may not always take effect 

immediately. You need to take into account the delay of Active Directory Replication, if the 

administration change is made using a different Domain Controller to the one used by the SBR 

Plug-In (especially when there are multiple SBR Plug-Ins in different sites). An SBR Plug-In 

cannot read new settings until Active Directory Replication has updated them on its local 

Domain Controller. 

3.2.1 Context Menu Extensions – Tree Pane 

Additional context menu options are available on the following containers in the tree pane: 

The Users container 

All Organizational Units 

The Digipass-Pool, Digipass-Reserve and Digipass-Configuration containers 

The main menu option that is useful in this context is the Import Digipass... option. This is 

used to import Digipass records into the selected container. Other options are for showing 

version information, configuring encryption settings and enabling tracing. 

3.2.2 Context Menu Extensions – User Records 

Additional context menu options are available when right-clicking on one or more User records 



in the result pane: 

Assign Digipass... – for single or bulk assignment of Digipass 

Unassign Digipass – to unassign all Digipass from the selected User(s) 

3.2.3 Property Sheet Extensions – User Records 

Additional tabs are available when viewing the property sheet of a User record: 

The Digipass User Account tab contains extra information about the Digipass User 

account required by Digipass Plug-In for SBR. This includes settings such as 

authentication policy overrides, and the date and time that a Digipass User account was 

created. 

The Digipass Assignment tab contains information on all Digipass assigned to the 

Digipass User. These Digipass can be administered from this tab, including unassignment 

or enabling Backup Virtual Digipass. Digipass may also be assigned to the Digipass User 

from this tab. 

Image 26: Digipass Extension for Active Directory Users and Computers 

3.2.4 Digipass Record Administration 

Digipass information may be viewed via the property sheet of its assigned User, or by turning 

on Advanced Features. This allows you to see Digipass records wherever they are located in 

Active Directory (typically in the Digipass-Pool container if unassigned), view properties and 



use a number of context menu actions. 

For more details on these actions, see 5 Digipass. 

The context menu of the Digipass record contains options for bulk management: 

Assign and unassign the Digipass 

Reset, activate, inactivate and delete the Applications 

Reset the PIN and force a PIN change 

Move the Digipass to another Organizational Unit or container 

The property sheet for the Digipass record shows full details of the Digipass and all its 

Applications and enables all administration tasks for the record. 

3.3 SBR Plug-In Configuration 

The SBR Plug-In uses a local XML text file for various configurations settings. This can be 

administered using a graphical user interface referred to as SBR Plug-In Configuration. To 

run it, click on the Start Button and select Programs -> VASCO -> Digipass Plug-In for 

SBR -> Digipass Plug-In for SBR Configuration. 

When settings are changed with this program, the SBR Plug-In must be restarted before the 

new values take effect. On exiting, the program can do this for you. 

The following groups of settings are configured using SBR Plug-In Configuration. For more 

detail, see the Administrator Reference, Configuration Settings section. 

Various IP addresses and port numbers 

Administration session control settings 

Tracing settings 

Active Directory connection settings (if applicable) 

ODBC or embedded database connection settings (if applicable) 

For ODBC or embedded database, some important settings that control User ID and 

Domain resolution: User ID Case Conversion, Windows User Name Resolution and 

the choice of Master Domain 

Audit settings 

Replication settings 

3.4 Digipass TCL Command-Line Administration 

Digipass TCL Command-Line Administration allows interactive command-line and scripted 

administration of Digipass related data. It has a number of possible uses: 

Interactive command-line administration 

Scripted administration 

Complex bulk administration tasks 

Reporting on the data in the data store 

It is an extension of the TCL 8.4 scripting language, and administrators will require a basic 



competence in TCL in order to use the command-line utility. See the Digipass TCL Command- 

Line Administration topic in the Administrator Reference for more information. 


Digipass Plug-In for SBR Product Guide Digipass User Accounts 

4 Digipass User Accounts 

4.1 Digipass User Account Creation 

A Digipass User account can be created in a number of ways: 

4.1.1 Manual Creation 

A Digipass User Account can be created manually by an administrator. 

4.1.2 Dynamic User Registration 

When the SBR Plug-In receives an authentication request for a User without a Digipass User 

account, it can check the credentials with the back-end authenticator (eg. Windows). If the 

authentication is successful with the back-end authenticator, the SBR Plug-In can create a 

Digipass User account automatically for the User. This process is called Dynamic User 

Registration (DUR) and can be enabled via the Administration MMC Interface. 

This feature is commonly used in conjunction with Auto-Assignment, so that the new account 

is immediately assigned a Digipass. 

Note 

ODBC Database (including embedded database): If the data store is casesensitive 

and the SBR Plug-In has not been configured to convert User IDs and 

Domains to upper or lower case, the potential exists for multiple Digipass User 

accounts to be created for a single User. For example, if a User logs in with 

'jsmith' on one occasion, and JSmith on another, two Digipass User accounts 

may be created – jsmith and JSmith. 

This can be avoided by: 

Enabling Windows Name Resolution in the SBR Plug-In Configuration GUI, if 

the underlying user accounts are Windows user accounts. See the ODBC 

Connection and Domains and Organizational Units topics in the 

Administrator Reference for more information. This is highly recommended. 

Configuring the SBR Plug-In to convert all User IDs and domains to upper or 

lower case. See the Encoding and Case-Sensitivity topic in the 


4.1.3 User Self-Management Web Site 

Enabling Dynamic User Registration on a system which includes the User Self-Management 

Web Site will allow Users to create their own Digipass User Account via the web site. 

4.2 Changes to Stored Static Password 

Any changes to a User's Windows or RADIUS server password need to be communicated to the 

SBR Plug-In if Stored Password Proxy is enabled. There are two ways to do this: 

4.2.1 Password Autolearn 

If Password Autolearn is enabled, a User may directly log in with their new static password in 

front of their OTP. If it does not match the static password stored by the SBR Plug-In, it can 

be verified with the back-end authenticator (Windows). If correct, the SBR Plug-In will store 


Digipass Plug-In for SBR Product Guide Digipass User Accounts 

the new static password for future use and authenticate the User. 

4.2.2 User Self-Management Web Site 

When the User Self Management Web Site is utilized, the User may modify the SBR Plug-In's 

record of their stored static password. They must be able to log in according to current settings 

to do this, and the Password Autolearn feature must be enabled. 

4.3 Administration Privileges 


Access is given to administer Digipass-related records based on a User's Active Directory 

privileges. Extra privileges may be granted via the Active Directory Users and Computers 

console. 

An administrator may be assigned permissions based on: 

Type of permission (eg. Read, Create) 

Type of object (eg. Digipass, Policy) 

An administrator may be restricted by Domain or Organizational Unit. 

See the Administrator Reference for more information. 


Administration of data in an ODBC database is performed through the Authentication Server to 

control the administrator's access to data. An administrator may be assigned permissions 

based on: 

Type of permission (eg. Read, Create) 

Type of object (eg. Digipass, Policy) 

The Domain and Organizational Unit in which the administrator account is located will 

determine their range of administration access: 

If the account belongs to an Organizational Unit, the administrator will be able to 

administer User accounts and Digipass belonging to that Organizational Unit. 

If the account does not belong to an Organizational Unit, the administrator will be able to 

administer all Digipass and User accounts in the Domain to which they belong. 

If the account belongs to the Master Domain, the administrator will be able to administer 

all Digipass and User accounts in the database. 

See the Administrator Reference for more information. 


Digipass Plug-In for SBR Product Guide Digipass 

5 Digipass 

This section contains information specific to Digipass, their setup and management on your 

network. 

5.1 Digipass Record Functions 

A number of functions are available to administer Digipass records. These are typically 

required for maintenance – eg. a User has forgotten their Server PIN, or a Digipass has been 

locked. 

5.1.1 Reset Application 

A Digipass Application may need to be reset if the time difference between it and the server 

needs to be recalculated. This would typically be for time-based Response Only Digipass after 

a very long period of inactivity. The 'reset' widens the allowable time window for the next 

login, allowing the User to log in and the SBR Plug-In to calculate the current time shift. 

5.1.2 Set Event Counter 

If the event count for an event-based application has become unsynchronised between the 

Digipass and the server, this function can be used to set the server event count to the event 

count on the Digipass. 

5.1.3 Reset PIN 

If a User’s Server PIN needs to be changed – usually because the User has forgotten it – then 

it can be reset, and the User can create a new Server PIN when they next log in. This may be 

done when unassigning or re-assigning a Digipass. 

5.1.4 Force PIN Change 

This function can be used when an administrator wants a User to change their Server PIN on 

their next login. This may be desirable as a security measure. 

5.1.5 Set PIN 

A User’s Server PIN can be set to a specific value and communicated to the User. 

5.1.6 Unlock Digipass 

If a User incorrectly enters their Digipass PIN into their Digipass a predetermined number of 

times, the Digipass will become locked. Once locked, the assistance of an administrator will be 

required to unlock it. This function allows an administrator to provide the User with an Unlock 

Code to enter into their Digipass. 

5.1.7 Reset Application Lock 

If a User has attempted to log in with incorrect details too many times, the Digipass 

Application used may be locked, depending on Policy settings. This function can be used to set 

the record for the Digipass Application to the status of unlocked. This differs from User 

locking, as the User may still log in with a different Digipass. 



5.1.8 Test a Digipass Application 

Use this function to check that a Digipass Application is working as expected. There is also a 

function to test the Backup Virtual Digipass functionality. 

5.2 Digipass Programming 

A Digipass is programmed using a Digipass Programmer and the necessary software. This may 

be done by your company or by your supplier. 

Common settings which may affect your administration tasks are explained below. 

5.2.1 Digipass PIN 

A Digipass PIN may be required for a Digipass. If set, the PIN must be entered into the 

Digipass before obtaining a One Time Password. This means that just possessing the Digipass 

is not enough to log in to a network – the person logging in must also know the Digipass PIN. 

Digipass PIN settings include: 

An Initial PIN can be set for a Digipass. The PIN must then be sent to the User of the 

Digipass, typically separate from the Digipass delivery. 

First Use PIN Modification allows a Digipass to require a PIN change from the User 

upon first use. 

PIN Change allows a User to change their PIN as desired. 

The PIN Length can be set for a Digipass. 

Digipass Lock sets the number of consecutive faulty PIN entries allowed before the 

Digipass is locked. 

5.2.2 Time/Event-based Digipass Applications 

Response Only 

Response Only Digipass Applications can be either time-based or event-based: 

Time-based 

A time-based Application will change the OTP to be displayed based on the current time. The 

common time step used is 36 seconds – and means that the OTP to be displayed will change 

every 36 seconds, whether or not an OTP has been requested from the Digipass. 

Event-based 

An event-based Digipass Application will display a new OTP each time a request for an OTP is 

made. 


Challenge/Response Digipass Applications can be either time-based or non-time-based: 

Time-based 

A time-based Challenge/Response Digipass Application will generate an OTP based on the 

Challenge given and the current time. The common time step used is 9 hours ('slow 

challenge'). This would mean that if the exact same Challenge were given to a Digipass within 

a 9 hour period, the Digipass Application will generate the same OTP. However, Challenges 

are very rarely repeated within such a time period. 



Non-time-based 

A non-time-based Challenge/Response Digipass Application will generate an OTP based only on 

the Challenge given. 

5.2.3 OTP Length 

The length of the OTP (excluding check digit) generated by the Digipass for Response Only 

and Challenge/Response Digipass Applications. 

Check Digit 

A check digit may be added to each OTP. This is generated from the response and allows for 

faster invalidation of incorrect OTPs. 

5.2.4 Challenge Length 

The length of the Challenge (excluding check digit) which should be expected by the Digipass. 

This is used by the Challenge/Response Digipass Application. 

Check Digit 

A check digit may be expected with each Challenge. This is generated by the server from the 

Challenge and allows the Digipass to reject most invalid Challenges. 

5.3 Digipass Record Settings 

These settings are kept in the record for a Digipass Application, and affect which OTP is 

expected by the SBR Plug-In. 

5.3.1 Time/Event-based Settings 

Time Based 

Specifies whether the algorithm for the Digipass application is time-based (see Time/Eventbased 

Digipass Applications for more information). 

Time Step Used 

The time step used by the Digipass Application (see Time/Event-based Digipass 

Applications for more information). 

Last Time Shift 

Time Shift records any misalignments between the time recorded on the Digipass and the time 

recorded on the server, each time a User logs in. This ensures that if either clock drifts from 

the correct time, an allowance can be made by the SBR Plug-In and the User will still be able 

to log in. If the time drift goes beyond the allowable time window between User logins, the 

Digipass record will have to be reset (this allows for recalculation of the time drift). 

Example 

Time window may be 5 steps in either direction. 

This means that 11 OTPs would be considered valid – the exact OTP for that time, and the 

OTPs for the 5 time steps either side of the exact time. If the OTP given is for a different 

time step, the time shift for that Digipass will be recorded. The next time the User logs in, 

the expected OTP will be calculated based on that time shift. 



Last Event Value 

The current number of uses of the Digipass Application, according to the Digipass. This can 

get out of sync with the number of uses recorded by the SBR Plug-In when: 

login failures occur for other reasons than incorrect OTP 

the Digipass has been used without a login (eg. children have been playing with it) 

The Digipass is being used to log in to two separate systems 

The purpose of this setting is much the same as the Last Time Shift setting – it allows the SBR 

Plug-In to track any shifts between the event count recorded by itself and the Digipass. 

5.3.2 Response Length 

This setting determines the length of the OTP (excluding check digit) expected by the server 

from the Digipass Application. 

Response Check Digit 

Whether a check digit may be expected with each OTP from the Digipass Application. This is 

generated from the response and allows for faster invalidation of incorrect OTPs. 

5.3.3 Server PIN 

The term 'Server PIN' is used to mean a PIN that the user enters into the login password field 

in front of the OTP displayed on the Digipass. It is checked by the authenticating server. The 

'Digipass PIN' referred to earlier indicates a PIN entered into a keypad on the Digipass. That is 

checked by the device itself, and is never transmitted to the server. 

There are a number of Server settings regulating Server PINs: 

PIN Supported 

Whether a PIN must be included in a User's login. 

PIN Change On 

Is a User allowed to change their Server PIN for this Digipass? 

Force PIN Change 

Must the User change their Server PIN the next time they log in? 

PIN Length 

The length of the current Server PIN. 

PIN Minimum Length 

The minimum PIN length required by the Server. 

5.3.4 Backup Virtual Digipass 

Policy and Digipass settings 

Several settings dictate how a User may utilize the Backup Virtual Digipass feature. These 

settings are: 

Enable or disable Backup Virtual Digipass and enable method (eg. Required). 

Time limit/expiry (applies to Time Limited enable only) 

Maximum number of times a User may make use of the Backup Virtual Digipass. 



The above settings may be set both at the Policy level and at the Digipass record level. 

Individual settings override Policy settings for an individual Digipass, but some Policy settings 

(see below) may be used to automatically set Digipass settings which are blank when the 

Backup Virtual Digipass is first utilized by the User. 

Time Limit and Max. Uses/User 

Policy Setting Digipass Setting 

Time Limit Enabled Until 

Max. Uses/User Uses Remaining 

Table 1: Backup Virtual Digipass Policy/Digipass Settings 

If Backup Virtual Digipass is enabled for a Digipass and set to Time Limited, and the Enabled 

Until field in the Digipass property sheet is blank on their first use of the Backup Virtual 

Digipass, their time limit will begin on their first use of the feature. The expiry date (today’s 

date + Time Limit) will then be displayed in the Enabled Until field. 

If a Max. Uses/User is set for the relevant Policy and a Digipass record's Uses Remaining 

field in their User property sheet is blank on their first use of the Backup Virtual Digipass, a 

number (Max Uses/User) will be automatically entered into their Uses Remaining field and 

immediately decremented by 1. 

Note 

If a User has Backup Virtual Digipass enabled with Enabled Until date set and 

their Uses Remaining has been set (automatically or manually), whichever of 

these expires first will disable Backup Virtual Digipass for the User. 

eg. Backup Virtual Digipass is enabled for a User as Time Limited, and the 

server Time Limit setting is 3 days. The Max. Uses/User Policy setting is 5. 

When the User first makes use of the Backup Virtual Digipass, their Enabled 

Until is set to a date 3 days hence and their Uses Remaining to 4. During 

the next 48 hours, they log in 4 more times. Although the User’s time limit 

does not run out for another 24 hours, their Uses Remaining is now 0 and 

Backup Virtual Digipass is disabled. 



5.4 Assigning Digipass to Users 

Digipass may be assigned to Users in a number of ways, depending on the requirements of 

your company. For example, a company with only a few User accounts may use Manual 

Assignment. A larger company needing to distribute large numbers of Digipass may find it 

easier to simply distribute the Digipass and require each User to go through Self-Assignment. 

Note 

Digipass records must be imported into the data store before being assigned to 

Users. 

5.4.1 Self-Assignment 

A Digipass may be assigned to a User by their own action. The User must log in and include 

the serial number, Windows static password and One Time Password. This informs the SBR 

Plug-In of the assignment, and provided that the User enters the details correctly, a link will be 

made between the Digipass record and the User account. A grace period is not used for this 

method. 

Image 27: Self-Assignment Process 



5.4.2 Auto-Assignment 

The SBR Plug-In can automatically assign an available Digipass when a Digipass User account 

is created using Dynamic User Registration (DUR). The correct Digipass must then be 

delivered to the User. A grace period is typically set, which allows a number of days in which 

the User may still log in using only their static password. 

Image 28: Auto-Assignment Process 



5.4.3 Manual Assignment 

A selected Digipass is manually assigned to a specific Digipass User account. The Digipass 

must then be sent out to the User. A grace period is typically set, during which the User may 

still log in using only their static password. 

Image 29: Manual Assignment Process 



5.5 Virtual Digipass Implementation Considerations 

5.5.1 Digipass Assignment Options 

With the introduction of Virtual Digipass, there are several different assignment combinations 

that can be used. The first option in the table below does not utilize Virtual Digipass. The 

others include a Virtual Digipass in either a backup or primary mode. 

Primary Backup 

Digipass None User must log in using a Digipass. 

Digipass Backup Virtual 

Digipass 

Digipass 

(temporarily 

disallowed) 

Primary Virtual 

Digipass 

Table 2: Digipass Options 

5.5.2 Cost 

Backup Virtual 

Digipass 

User usually logs in using a Digipass, but may utilize the Backup 

Virtual Digipass feature where required. Usage of the feature may 

be limited. 

User must log in using the Backup Virtual Digipass feature. This 

might be used while a User’s Digipass is lost, until the Digipass is 

recovered. 

N/A User is assigned a Virtual Digipass and must log in using it. 

Your company will probably need to pay an amount for each text message sent. In some 

countries, mobile phone owners might need to pay an amount for each text message received 

on their mobile phone. This will need to be taken into consideration when deciding how to 

implement Virtual Digipass functionality. 

5.5.3 Security 

Hardware Digipass devices provide the highest level of security. Virtual Digipass provides a 

lower, although still high, level of security. This needs to be weighed against other 

considerations before deciding whether your company will implement Virtual Digipass, and if 

so, how it will be implemented. 

5.5.4 Convenience 

Virtual Digipass is more convenient than a hardware Digipass for many Users. Only one’s 

usual mobile phone is required: there are no extra devices to carry around. Users who do not 

habitually carry their mobile phone with them, though, are likely to find a GO 3 or GO 1 easier 

to transport. 

For Users with the Backup Virtual Digipass enabled, it might be the difference between going 

to work to pick up a forgotten Digipass and getting important work done at home. 

5.5.5 Gateway and account 

Your company will need the use of an text message gateway and an account with the gateway. 

The Message Delivery Component will need configuration information for the gateway and the 

Username and password for the account. Your VASCO supplier can assist with this process. 

5.5.6 Limiting Usage of Virtual Digipass 

Use of Virtual Digipass may be limited by: 

Using Backup Virtual Digipass only. 

Minimizing the number of Users assigned a Primary Virtual Digipass. 



A User’s Primary Virtual Digipass use cannot be limited. 

The Backup Virtual Digipass feature may be enabled as an ‘emergency’ backup for Users who 

have left their primary Digipass at home, or for other reasons do not have access to their 

primary Digipass. Use of this feature can be limited for each Digipass by: 

Time period 

Set a time period in which a User may access the Backup Virtual Digipass. After this period 

has expired, any Virtual Digipass requests from the User will be rejected. If the User is still 

unable to use their Digipass, the time period must then be extended by an administrator. 

Once they have started using their Digipass again, the administrator must reset the time 

period if the User is to be allowed to use Backup Virtual Digipass again. 

Number of Uses 

Set a maximum number of times a User may request an OTP using the Backup Virtual Digipass 

feature. When the User has reached this number of uses, any further OTP requests from the 

User will be rejected. This must be reset by an administrator if further use of the Backup 

Virtual Digipass is required for the User. 

Global and Individual Backup Virtual Digipass settings 

Backup Virtual Digipass options can be set globally or individually, to allow a standard policy 

for all Digipass with exceptions made where necessary. Global settings will affect all Digipass 

whose individual option is set to 'Default'. 

Global options are defined in the Policy that controls authentication. Therefore, by using 

multiple Policies, you have some additional flexibility. 

5.5.6.1 Backup Virtual Digipass Usage Guidelines 

Some questions which will need to be answered before arriving at a Backup Virtual Digipass 

usage guidelines are: 

Will any users have access to Backup Virtual Digipass? 

If so, will all users have access to Backup Virtual Digipass? 

Will usage of Backup Virtual Digipass be limited? If so, how? 

Time-limited 

Limited number of uses 

Some Possible Guidelines 

Guideline Pro Con 

Backup Virtual Digipass disabled for all - enabled 

for individual Users as required. 

Backup Virtual Digipass enabled for all - either 

time/number of usage limit set. 

Backup Virtual Digipass enabled for all - no limits 

set. 

Table 3: Backup Virtual Digipass Example Guidelines 

Low text message costs Manual enable for each User 

and circumstance. Possible 

heavy administration load. 

Predictable text message 

costs 

Administrator may need to reset 

limits frequently – medium 

administration load. 

Lighter administration load Possible high text message 

costs. 



5.5.7 Resetting Virtual Digipass Restrictions 

When a User has reached their limit of Virtual Digipass use, an administrator must reset their 

limit. 

5.5.8 Virtual Digipass Login options 

A decision must be made as to how Users will log in using Virtual Digipass. In particular, Users 

with a hardware Digipass and the Backup Virtual Digipass enabled must be able to request an 

OTP to be sent to their mobile when required, but to login using the hardware Digipass at 

other times. 

The simplest method for the User is to allow a 2-step login process, where the User enters 

their User ID and password only, triggering an OTP Request, and are redirected to a second 

login page to enter the OTP sent to them. To use this method, though, your system must be 

set up to allow 2-step logins. Check with your system administrator if unsure. 

Alternatives to the 2-step login are a sequence of two 1-step logins or the use of the OTP 

Request Site. 

See the Administrator Reference for information on possible login permutation. 

5.5.9 Location of OTP Request Site 

If the OTP Request Site is to be used, its location must be decided. You may choose to install 

the Web Site onto any web server, bearing the following in mind: 

If the Web Site is installed onto a web server in the DMZ, you need to permit TCP/IP 

access from the web server to the SBR Plug-In on port 20003. This is the recommended 

option. 

The Web Site can be used on the Internet, however it would be essential to provide SSL 

(or TLS) encryption for access to it. Otherwise, an attacker could discover static 

passwords and PINs. The other point to take into consideration is that publishing the 

Web Site on the Internet would allow anyone in the world to send requests to the SBR 

Plug-In – this would provide the potential for denial of service and brute force attacks. It 

would be strongly advised to protect the Web Site from general use in some way. 

If the Web Site is installed onto a web server that communicates over a WAN link to the 

SBR Server(s), the WAN link must be encrypted. For example, an IPSEC-based VPN 

connection would be sufficient. 


Digipass Plug-In for SBR Product Guide Components 

6 Components 

The following diagram illustrates how Component records are used to apply different Policies to 

different authentication scenarios: 

Image 30: Component Overview 

6.1 Pre-loaded Components 

One Component record is created during the installation of Digipass Plug-In for SBR: 

SBR Plug-In Component 

A Component is created for the SBR Plug-In, to hold its License Key and provide a default 

Component for Policy selection. The SBR Base Policy is set as the Policy. This Component will 

be checked each time the SBR Plug-In is started, to verify the License Key. If the License Key 

is missing, invalid or expired, all authentication except for administration logons will be 

refused. 

6.2 Licensing 

Each SBR Plug-In needs a license. The License Key is loaded into the corresponding 

Component record, and details of the License Key may be viewed via the Component list 

context menu or property sheet. 


Digipass Plug-In for SBR Product Guide Policies 

7 Policies 

7.1 Policy Inheritance 

Policies may be set up in a hierarchy, where one Policy will inherit most of its attributes from a 

parent Policy, but with some modifications for a slightly different scenario. 

Image 31: Policy Inheritance 

In the example above, all attributes are inherited from the parent Policy, except those 

explicitly set. 



7.1.1 Show Effective Settings 

As the various levels of settings in Policy inheritance can get confusing, functionality is 

available which allows you to view the settings effective for a selected Policy, taking inherited 

settings into account. The text below shows the effective settings for the SBR Windows Self- 

Assignment Policy: 

Effective Policy Settings 

[Local/Back-End Authentication] : 

Local Authentication : Digipass/Password 

Back-End Authentication : If Needed 

Back-End Protocol : Windows : 

[User Accounts] : 

Dynamic User Registration : Yes 

Password Autolearn : No 

Stored Password Proxy : No 

Default Domain : 

User Lock Threshold : 3 

[Windows Group Check] : 

Group Check Option : No Check 

Group List : 

[Digipass Assignment] : 

Assignment Mode : Self-Assignment 

Grace Period (days) : 0 

Serial No. Separator : | 

Search up Organizational Unit Hierarchy : Yes 

[Digipass Settings] : 

Application Names : 

Application Type : No Restriction 

Digipass Types : 

PIN Changed Allowed : Yes 

[1-Step Challenge Response] : 

Enabled : No 

Challenge Length : 0 

Challenge Check Digit : No 

[2-Step Challenge Response] : 

Request Method : Keyword 

Request Keyword : 

[Primary Virtual Digipass] : 

Request Method : None 

Request Keyword : 

[Backup Virtual Digipass] : 

Enabled : No 

Maximum Days : 0 

Maximum Uses : 0 

Request Method : KeywordPassword 

Request Keyword : otp 

[Digipass Control Parameters] : 

Identification Time Window : 20 

Signature Time Window : 24 

Event Window : 20 

Initial Time Window : 6 

Identification Threshold : 0 

Signature Threshold : 0 

Check Challenge Flag : 1 

Level of Online Signature : 0 

Allowed Inactive Days : 0 

You will note that the settings listed above include those set in Policies from which the SBR 

Windows Self-Assignment Policy inherit. 



7.2 Pre-Loaded Policies 

These Policies are created for the SBR Plug-In on installation of the Digipass Plug-In for SBR. 

They provide an example for setting up Policies in a typical environment. 

Table 4: Pre-Loaded Policies 

Policy Name Parent 

Policy 

Base Policy - Globally applicable settings. 

In general, all other Policies 

should inherit from this, 

directly or indirectly. 

SBR Base Policy Base Policy Settings applicable to all 

SBR Plug-In Policies, 

including local 

authentication. In general, 

all other SBR policies 

should inherit from this, 

directly or indirectly. 

SBR Windows Auto- 

Assignment 

SBR Windows Self- 

Assignment 

SBR Base Policy SBR Plug-In model for Auto- 

Assignment with Dynamic 

User Registration, using 

Windows back-end 

authentication and a 

Windows group check. 

SBR Base Policy SBR Plug-In model for Self- 

Assignment with Dynamic 

User Registration, using 

Windows back-end 

authentication. 

Description Non-Default Settings 

User Lock Threshold=3 

PIN Change Allowed=Yes 

Challenge Request Method=Keyword 

Primary VDP Request Method=Password 

Backup VDP Request 

Method=KeywordPassword 

Backup VDP Request Keyword=otp 

Identification Time Window=20 

Event Window=20 

Initial Time Window=6 

Identification Threshold=0 

Local Authentication=None 

Back-End Authentication=None 

DUR=No 

Password Autolearn=No 

Stored Password Proxy=No 

Group Check Mode=No Check 

Assignment Mode=Neither 

Search Up OU Path=No 

Application Types=No Restriction 

1-Step Challenge/Response=No 

1-Step Challenge Check Digit=No 

Backup VDP Enabled=No 

Local Authentication = Digipass/Password 

Back-End Authentication = If Needed 

Back-End Protocol = Windows 

Dynamic User Registration = Yes 

Assignment Mode = Auto-Assignment 

Search up OU Path = Yes 

Grace Period = 7 

Group Check Mode = Passthrough 

Group List = “Digipass Users” 

Back-End Authentication = If Needed 

Back-End Protocol = Windows 

Dynamic User Registration = Yes 

Assignment Mode = Self-Assignment 

Search up OU Path = Yes 

Serial No. Separator = “|” 



7.3 Differences from VACMAN Middleware 2.3 

Some settings used in VACMAN Middleware 2.3 have been modified in Digipass Plug-In for 

SBR. Most Server settings are found in Policies. 

7.3.1 Authenticator Setting 

The Authenticator field from VACMAN Middleware 2.3 has been split into several fields in 

Digipass Plug-In for SBR: 

Local Authentication 

Back-End Authentication 

Back-End Protocol 

Disabled (User setting) 

The correspondence of the other fields is different for (VM) RADIUS and Web: 

VACMAN 

Middleware 2.3 

Setting 

RADIUS 

Digipass Plug-In for SBR Settings 

Local Auth setting Back-End Auth 

setting 

Back-End Protocol 

setting 

Local Server Digipass/Password None No 

Local and Proxy Digipass/Password Always RADIUS No 

Proxy Server None Always RADIUS No 

Local and Windows Digipass/Password Always Windows No 

Windows None Always Windows No 

Disabled Yes 

Web 

Local Server Digipass/Password None No 

Local and Proxy Digipass/Password If Needed Windows No 

Proxy Server None If Needed Windows No 

Local and Windows Digipass/Password If Needed Windows No 

Windows None If Needed Windows No 

Disabled Yes 

Table 5: VACMAN Middleware 2.3 and Digipass Plug-In for SBR Authentication Settings 

Disabled 

checkbox 


Digipass Plug-In for SBR Product Guide Database Integration 

8 Database Integration 

8.1 Active Directory 

8.1.1 What is Stored in Active Directory? 

The following information is stored in Active Directory: 

Digipass User accounts 

Digipass and Digipass Application records 

Digipass configuration records (Policies, Components and Back-End Servers) 

8.1.2 Schema Extensions 

User attributes – vasco-UserExt class 

Extra VASCO attributes are added to an Active Directory User record via an 'auxiliary class' 

vasco-UserExt on the User class. 


The vasco-DPToken class is used to store Digipass attributes. It is also a container, in which 

vasco-DPApplication records for that Digipass are stored. 

Upon assignment to a User, the Digipass record is stored in the same location as the User. 

Policies, Components and Back-End Servers 

Policy, Component and Back-End Server records are stored in vasco-Policy, vasco-Component 

and vasco-BackEndServer objects respectively. They are located in a single “Digipass- 

Configuration” container in a single Domain. 

8.1.3 Digipass Records 

8.1.3.1 Location of Digipass Records 

When a Digipass is assigned to a User, it is moved to the same location as the Digipass User 

account it is assigned to. This makes it easier to set up the permissions necessary for 

delegated administration. 

Note 

A Digipass record will not automatically be moved when the User account to 

which it is assigned is moved to another location. When moving User accounts 

within Active Directory, ensure that the records of any assigned Digipass are 

manually moved to the same location. 

Unassigned Digipass records may be stored in various places in the data store: 

Digipass Pool 

A container called Digipass-Pool is created during installation. This is intended as a general 

store for unassigned Digipass. 

Organizational Units 

If an Organizational Unit structure is used in the data store, Digipass can be loaded or moved 



either into the exact Organizational Units where the User accounts to which they will be 

assigned are located, or into a few key Organizational Units in the hierarchy where they may 

be assigned to Users in lower level Organizational Units. 

Users Container 

When Active Directory is used as the data store, Digipass can be loaded into the Users 

container so they are available for Users in that container. However, it is not recommended to 

use the Users container for either User accounts or Digipass. 

When looking for an available Digipass to assign to a User, the SBR Plug-In will first look in the 

same Organizational Unit as the specific User account. The Search Upwards in 

Organizational Unit hierarchy option, when enabled, allows the SBR Plug-In to search in 

parent Organizational Units and the Digipass Pool container. This option may be set at the 

Policy level for system searches (eg. Auto-Assignment and Self-Assignment) or at the time of 

the search for manual assignment. 

Note 

The SBR Plug-In will always find or assign the closest available Digipass record 

to the selected User record(s). 

8.1.3.2 Delegated Administration in Active Directory 

If the assignment is manual (performed by an administrator), it will only find and successfully 

assign Digipass from locations where the administrator has the correct permissions. The 

administrator must have read permission for Digipass objects in the location to find a Digipass 

record, and if it needs to be moved to the User's location, they must have delete permission 

for Digipass objects to successfully assign the Digipass. If the administrator has sufficient 

permissions to view a Digipass record but not to assign it, the assignment will fail. 

Record 

Location 

Digipass Pool Digipass are available to be assigned to all 

Users, regardless of the Organizational Unit 

structure. 

Only administrators with access to the Digipass 

Pool may view or modify records for unassigned 

Digipass. This also means that only those 

administrators may manually assign Digipass. 

Organizational 

Unit 

Users 

Container 

Pros Cons 

Digipass may be portioned out to various 

Organizational Units. This is particularly useful 

where a company is contracted to provide 

authentication services to multiple companies, 

or where various departments have different 

Digipass quota. 

Digipass can be assigned to any User in the 

Users container. 

Table 6: Summary of Digipass Record Location Options 

An extra permission must be assigned all 

administrators who should be able to assign 

Digipass (if they are not Domain Admins). It is 

not possible to strictly subdivide the unassigned 

Digipass among the Organizational Units 

according to quotas. 

If an Organizational Unit runs out of Digipass to 

assign its Users, more Digipass records must be 

manually moved to the right location. 

Digipass in the Users container are only available 

to User accounts stored there. 



8.1.3.3 Typical Digipass Location Models 

Digipass Pool 

A centralised point of access and importation can be implemented by using the Digipass Pool 

to hold unassigned Digipass records. This option requires less calculation and high-level 

administration, as Digipass records are all imported into one area and there is no need to 

manually move records or calculate the exact number of Digipass required for each 

Organizational Unit or group of Units. However, permissions will need to be set up to permit 

delegated administrators access to move the Digipass out of the container upon assignment. 

The Digipass Pool is treated as the Domain Root by the SBR Plug-In, as Digipass records may 

not be saved in the Domain Root. 

Image 32: Digipass Record Locations - Digipass Pool 

In the diagram above, the SBR Plug-In is shown searching upwards through the Organizational 

Unit structure for available Digipass to assign to a Digipass User in the Organizational Unit B1. 

Because no available Digipass are found in B1, it searches in B, then in the Digipass Pool. 

Administrator 1 needs delegated administrator permissions for the Organizational Unit B and 

its child Organizational Units. They must also have read and delete permissions for Digipass 

objects in the Digipass Pool container. 

Note 

The Search Upwards in Organizational Unit hierarchy option must be 

enabled for this model to function correctly. 



Parent Organizational Units 

Unassigned Digipass can be kept in key Organizational Units, and made available to their lower 

level Organizational Units. This requires a delegated administrator to have permissions not 

only for the Organizational Unit in which the User accounts are stored, but also read, write and 

delete permissions for Digipass objects in the Organizational Unit in which the Digipass are 

stored. 

Image 33: Digipass Record Locations - Parent Organizational Unit 

In the diagram above, the SBR Plug-In can search in the parent Organizational Unit for 

available Digipass. 

The delegated administratration permissions can be set up in two basic ways: 

Administrator 1 has full admin permissions for Organizational Unit B and its child 

Organizational Units. She does not require any other permissions to assign Digipass from 

Organizational Unit B to a User in Organizational Unit B1. 

Administrator 2 has full admin permissions for Organizational Unit A2 only. He has read 

and delete permissions for Digipass objects in Organizational Unit A in order to assign 

Digipass from Organizational Unit A to a User in Organizational Unit A2. 

Note 





Individual Organizational Units 

Digipass can be loaded or moved into each Organizational Unit where and when they are 

required. It is then easy to set up permissions for delegated administrators to assign them 

only within their scope of control. If all Digipass in the Organizational Unit are assigned, more 

Digipass will need to be moved in manually by a Domain Admin before they can be assigned 

by a delegated administrator. 

Image 34: Digipass Record Locations - Individual Organizational Units 

In the diagram above, unassigned Digipass are stored in the exact Organizational Units in 

which they will be assigned. 

Each delegated administrator only requires permissions within their specific Organizational 

Unit(s). 

Note 

The Search Upwards in Organizational Unit hierarchy option does not 

need to be enabled for this model. 

Combination of models 

Digipass may be stored in the Digipass Pool as well as some or all Organizational Units. If no 

unassigned Digipass records are found in the Organizational Unit, and the Search Upwards in 

Organization Unit hierarchy option is enabled, the SBR Plug-In will search upwards to the 

Domain Root and search in the Digipass Pool for an available, unassigned Digipass record. 



8.1.4 Search for Digipass Records 

The Digipass Extension for Active Directory Users and Computers allows you to search for 

specific Digipass records, or Digipass records meeting set criteria. This functionality can be 

useful when you have Digipass records in various places throughout Active Directory. 

Image 35: Digipass Search window 

8.1.5 Permissions Needed by the SBR Plug-In 

The installation process will ensure that the SBR Plug-In has sufficient permissions. This is 

achieved by assigning permissions in the domain to the in-built “RAS and IAS Servers” group. 

It is necessary to make sure that the SBR Plug-In is added to that group. 

8.1.6 Administrative Permissions 

Administrative permissions for SBR Plug-In administrators are controlled using Active Directory 

security properties. See the Permissions Needed by Administrators topic in the 


Domain Administrators may view and edit all Digipass and Digipass User information in their 

domain, plus Digipass Configuration information if the Digipass Configuration Container is 

located in their domain. No permissions setup is required for them. 

Delegated Administrators may view and edit all Digipass and Digipass User information 

within their administrative scope of control. It is necessary to grant them full control, create 



and delete permissions over the Digipass and Digipass Application objects within their scope. 

Reduced Rights Administrators may perform a subset of the administration tasks. 'Property 

sets' are defined with the directory which can be used to enable or limit them in various 

Digipass administration tasks (eg. Access to the Digipass blob). 

8.1.7 Active Directory Command Line Utility 

This utility has to perform several tasks that are needed at various times during installation 

and upgrade if Active Directory is selected, or afterwards for maintenance. Some of the 

commands are run automatically by the installation program, while others are run manually. 

The commands that are run automatically can be run manually also, for example to 

troubleshoot why the installation is not succeeding. 

Command Description 

addschema Extend the Active Directory schema. 

checkschema Check that the schema extensions are all present. 

setupdomain Sets up the Digipass Configuration Container in the specified domain. 

setupaccess Assign permissions to a Windows group including: 

Table 7: DPADadmin tasks 

Full read access to everything in the domain 

Full control over vasco-DPToken objects 

Full control over vasco-DPApplication objects 

Ability to create and delete vasco-DPToken objects 

Full write access to extension attributes on user objects 

This command can optionally be used to also add a machine to the group. 



8.2 ODBC or Embedded Database 

8.2.1 What is Stored in the Data Store? 

The following information is stored in the data store: 

Digipass User accounts 


Digipass configuration records (Policies, Components, Back-End Servers) 

8.2.2 Domains and Organizational Units 

Domains and Organizational Units are included in the ODBC database in a way that mirrors the 

data structure used by Active Directory. 

Image 36: Domain and Organizational Unit Overview 

Organizational Units are designed to hold User accounts and Digipass records. They allow 

grouping of Users according to department, job function, or other criteria. They also allow 

Digipass to be allocated for Auto-Assignment to single or multiple groups of Users. Both 

Domains and Organizational Units can be used to limit administrators to a group of Users 

and/or Digipass. 

8.2.3 Location of Digipass Records 

When a Digipass is assigned to a User, it is moved to the same Organizational Unit as the 

Digipass User account to which it is assigned. 

Note 

When a User account is moved to an Organizational Unit, all Digipass records 

assigned to it will also be moved. 

A Digipass record assigned to a User cannot be moved - the User account must 

be moved. 

Unassigned Digipass records may be allocated to various places in the Organizational Unit 

structure: 

Master Domain 

During installation, a default domain is created. Digipass are imported to the Master Domain, 



and may then be moved to other domains and Organizational Units. 

Organizational Units 

If an Organizational Unit structure is used in the database, Digipass can be moved either into 

the exact Organizational Units where the User accounts to which they will be assigned are 

located, or into a few key Organizational Units in the hierarchy where they may be assigned to 

Users in lower level Organizational Units. 

When looking for an available Digipass to assign to a User, the SBR Plug-In will first look in the 

same Organizational Unit as the specific User account, if the User account belongs to an 

Organizational Unit. The Search Upwards in Organizational Unit hierarchy option, when 

enabled, allows the SBR Plug-In to search in parent Organizational Units and the Digipass Pool 

container. This option may be set at the Policy level for system searches (eg. Auto-Assignment 

and Self-Assignment) or at the time of the search for manual assignment. 

Note 

The SBR Plug-In will always find or assign the closest available Digipass record 

to the selected User record(s). 

If the User account being assigned a Digipass does not belong to an Organizational Unit, the 

SBR Plug-In will look for an available Digipass in the domain which does not belong to an 

Organizational Unit. 



8.2.3.1 Typical Digipass Location Models 

Domain Root 

Digipass records may be stored in the Domain Root while unassigned. 

This option allows a centralised point of access for assignment of Digipass. It also requires less 

calculation and high-level administration - Digipass records are all stored in one area and there 

is no need to manually move records or calculate the exact number of Digipass required for 

each Organizational Unit or group of Units. Administrators must belong to the Domain only 

(not an Organizational Unit) to assign Digipass from the Domain Root. 

Image 37: Digipass Record Locations – Domain Root 

In the diagram above, the SBR Plug-In searches upwards through the Organizational Unit 

structure for available Digipass to assign to a Digipass User in the Organizational Unit B1. 

Because no available Digipass are found in B1, it searches in B, then in the Domain root. 

The administrator account must be located in the domain root (no Organizational Unit) in order 

for this model to work successfully. 

Note 



This option is simplified if an Organizational Unit structure is not used in the database. User 

accounts and Digipass records may all be stored in the Master Domain. The Search Upwards 

in Organizational Unit hierarchy option does not need to be enabled in this case. 



Parent Organizational Units 

Unassigned Digipass can be kept in key Organizational Units, and made available to their lower 

level Organizational Units. 

Image 38: Digipass Record Locations - Parent Organizational Unit 

In the diagram above, the SBR Plug-In can search in the parent Organizational Unit for 

available Digipass. Administrators will need to belong to the parent Organizational Unit. 

Note 





Individual Organizational Units 

Digipass can be loaded or moved into each Organizational Unit where and when they are 

required. If all Digipass in the Organizational Unit are assigned, more Digipass will need to be 

moved in manually by a Domain Admin before they can be assigned. 

Image 39: Digipass Record Locations - Individual Organizational Units 

In the diagram above, unassigned Digipass are stored in the exact Organizational Units in 

which they will be assigned. Administrator accounts belonging to the Organizational Units A1 

and A2 have administration privileges in their own Organizational Unit only. 

Note 

The Search Upwards in Organizational Unit hierarchy option does not 

need to be enabled for this model. 

Combination of models 

Digipass may be stored in the Master Domain as well as some or all Organizational Units. If no 

unassigned Digipass records are found in the Organizational Unit, and the Search Upwards in 

Organization Unit hierarchy option is enabled, the SBR Plug-In will search upwards to the 

Domain Root and search in the Digipass Pool for an available, unassigned Digipass record. 

8.2.4 Permissions Needed by the SBR Plug-In 

The SBR Plug-In will require either: 

a database administrator account for the database, 

ownership of the VASCO tables, or 

permissions to insert, remove, read and modify rows in VASCO tables. 

See the Administrator Reference for more information. This is set up automatically in the case 

of the embedded database option. 



8.2.5 Database Command Line Utility 

This utility has to perform several tasks that are needed at various times during installation 

and upgrade, or afterwards for maintenance. Some of the commands are run automatically by 

the installation program, while others are run manually. The commands that are run 

automatically can be run manually also, for example to troubleshoot why the installation is not 

succeeding. 

Command Description 

addschema Modify the database structure to create the required VASCO tables. 

checkschema Check that the required database modifications and/or table name remappings have been 

completed. 

dropschema Remove all database schema modifications from the database. 

Table 8: DPDBadmin commands 

8.2.6 Additional ODBC Databases 

A synchronized backup database may be set up for the SBR Plug-In. This helps to ensure 

continuous service if the main database fails. The synchronization can be a shadow database, 

a mirror or a replicated copy. 

The required synchronization must be set up according to the instructions provided by the 

database vendor. It is strongly recommended to minimize the synchronization delay. 

Once the database and any synchronization is set up, create a Data Source Name for the new 

database and add it to the SBR Plug-In Configuration GUI. 

Image 40: Additional ODBC databases 

See the Database Connection Handling topic in the Administrator Reference for more 

information. 



8.2.7 Multiple SBR Plug-Ins 

If more than one SBR Plug-In are installed on the system, some additional setup may be 

required. 

Multiple SBR Plug-Ins Using Same Database 

If more than one SBR Plug-In is using the one ODBC database, no additional setup steps are 

required. However, use of a backup database should be considered. 

Image 41: Multiple Plug-Ins Using Single Database 

Multiple SBR Plug-Ins Using Own Database 

If each SBR Plug-In is using its own ODBC database as a data store, replication should be 

performed between SBR Plug-Ins to ensure that each database is kept up to date and to guard 

against data loss. 

8.3 Sensitive Data Encryption 

Sensitive data is encrypted by the Digipass Plug-In for SBR using an embedded key. If 

needed, this encryption may be strengthened by including a custom encryption key. See the 



Digipass Plug-In for SBR Product Guide Licensing 

9 Licensing 

9.1 Overview 

VASCO products are licensed per Component record in the data store. The licensing relies upon 

a License Key which is checked when the SBR Plug-In starts. This License Key is tied to the 

location (IP address) where the SBR Plug-In is installed, and stored in the Component record 

for the SBR Plug-In. The SBR Plug-In will not authenticate a user without a correct License 

Key. 

Evaluation Licenses 

An evaluation license means that you can use its full functionality until the evaluation period 

runs out. At the end of this period, you will need to either uninstall the product or buy a 

permanent license. Contact your distributor or the appropriate VASCO Reseller representative 

to acquire the licences you will need. For your convenience, the evaluation serial number is 

embedded in the installation program. You will still need to obtain and load a license key. 

Client module licenses can also be evaluation (time-limited) licenses. 

9.2 Obtaining and Loading a License Key 

The Digipass Plug-In for SBR installation process will guide you through the process of 

requesting and loading a License Key. However, if for some reason it is not possible to 

complete the licensing at installation time, the Administration MMC Interface can be used to 

obtain and load a License Key for a Component. This process must be completed for each SBR 

Plug-In, and requires an active internet connection to open the Digipass Activation Page. 


Digipass Plug-In for SBR Product Guide Auditing and Tracing 

10 Auditing and Tracing 

10.1 Audit System 

The VASCO Audit System consists of a number of auditing modules which save audit messages 

to a specific format (eg. text file) and an Audit Viewer which can open, display and filter audit 

messages from various sources. 

Audit messages are primarily generated by the SBR Plug-In. They may be recorded by a 

number of different methods: 

Windows Event Log (to be viewed in the Event Log Viewer) 

Text file 

ODBC-compliant database 

Audit messages may also be passed directly to an Audit Viewer as a live feed. 

10.1.1 Configure Auditing Output 

Auditing output from the SBR Plug-In can be configured using the SBR Plug-In Configuration. 

See the Configuration section of the Administrator Reference for more information. 



10.1.2 Audit Viewer 

The Audit Viewer can retrieve messages from several different sources and display audit 

messages from each in separate windows. Audit messages may be filtered by message type, 

date and time, or the contents of specific fields. 



10.1.3 Audit message types 

Type Description 

Error The message contains details about a system, configuration, licensing or some internal error. 

Errors do not include normal processing events such as failed logins. 

Warning Warning messages contain details about potential problems within the system. This could include 

details such as a failed connection attempt to a Domain Controller. 

Information Informational messages provide details about events within the system that need to be recorded 

but do not indicate errors or potential errors. An example of this may be a re-connection to 

Active Directory for load-balancing reasons. 

Success Success messages contain details about processing events that were correctly processed. This 

may include successful authentications or successful administration commands. 

Failure Failure messages contain details about processing events that failed. This may include rejected 

authentications, or administration actions that failed. 

Table 9: Audit message types 

10.1.4 Active Directory Auditing 

Active Directory auditing may be enabled and configured to record access and modifications to 

Digipass-related data used by the SBR Plug-In. See the Active Directory Auditing topic in the 


10.2 Tracing 

The level of tracing for the SBR Plug-In can be configured using the SBR Plug-In Configuration 

utility. Tracing messages will be recorded to a text file. 

See the Tracing section in the Administrator Reference for more information, and instructions 

on configuring tracing for the SBR Plug-In. 


Digipass Plug-In for SBR Product Guide User Self Management Web Site 

11 User Self Management Web Site 

11.1 What is the User Self Management Web Site? 

The User Self Management Web Site allows Users to perform functions which are unavailable 

during a usual login – either because the functionality is disabled within the SBR Plug-In 

configuration, or because CHAP or another protocol is in use which does not allow the 

functionality: 

User Registration and Auto-Assignment 


Password Synchronization 

PIN Change 

Login Test 

The site can also be used to help Users get started with their Digipass while they are still in the 

office and help is available. 


Digipass Plug-In for SBR Product Guide User Self Management Web Site 

Important Note 

The User Self Management Web Site is intended for RADIUS environments, and 

uses the RADIUS protocol to communicate with the SBR Plug-In. If the SBR 

Plug-In is not licensed for RADIUS, you will not be able to use the User Self 

Management Web Site. 

11.2 Customizing the User Self Management Web Site 

The User Self Management Web Site can be customized by modifying the pages provided with 

the installation. You may wish to: 

change the colors and graphics to match your corporate colors/logos. 

integrate the pages into a larger web site. 

translate or customize the text 

Any cosmetic part of the web pages may be modified. Completely new web pages may be 

used, provided that the correct form fields are posted to the CGI program, and query string 

variables are interpreted correctly. Server scripting languages such as PHP or ASP, or any 

other way of generating HTML, can be used. 

See the Web Sites section of the Administrator Reference for more information. 


Digipass Plug-In for SBR Product Guide OTP Request Site 

12 OTP Request Site 

12.1 What is the OTP Request Site? 

The OTP Request site provides a method for Users to request an OTP to be sent to their 

mobile, for use in logging in. 

Image 42: OTP Request Site 

Important Note 

The OTP Request Site is intended for RADIUS environments, and uses the 

RADIUS protocol to communicate with the SBR Plug-In. If the SBR Plug-In is 

not licensed for RADIUS, you will not be able to use the OTP Request Site. 

12.1.1 Customizing the OTP Request Site 

The OTP Request Site is designed to customized in a similar way to the User Self Management 

Web Site. See the Web Sites section of the Administrator Reference for more information. 


Digipass Plug-In for SBR Product Guide Message Delivery Component 

13 Message Delivery Component 

13.1 What is the Message Delivery Component? 

The Message Delivery Component (MDC) interfaces with a gateway service to send a One Time 

Password to a User’s mobile phone. The MDC acts as a service, accepting messages from the 

SBR Plug-In, which are then forwarded to a text message gateway via the HTTP/HTTPS 

protocol. 

Since every gateway uses different submission parameters, a set of configuration values is 

required, which can be administered by the MDC Configuration GUI. 

The MDC service can be started and stopped through the Windows Service Manager Console. 

13.2 Configuration 

To configure gateway settings you will need: 

Gateway details OR a customized configuration file ordered from your VASCO supplier. 

This will need to be imported using the SBR Plug-In Configuration. 

If you will not be using a configuration file, these details are required: 

Protocol to use in connecting to the gateway. 

An address string and port to use in connecting to the gateway. 

The path and filename of a certificate file, if required. 

The required Query String. 

The Query Method (GET or POST) required by the gateway. 

Username and password for the gateway account. 


Digipass Plug-In for SBR Product Guide Index 

Alphabetical Index 

2-step Login.................................................. 33 

Active Directory............................. 13, 50, 72, 78 

Audit............................................................... 

Active Directory Auditing.............................90 

Audit System............................................ 88 

Audit Viewer............................................. 90 

Authentication............................................... 14 

Local........................................................ 29 

Authenticator................................................ 71 

Auto-Assignment...................................... 31, 92 

Backup Virtual Digipass........................ 16, 33, 59 

Challenge..................................................... 33 

Challenge/Response......................... 9, 10, 33, 57 

1-Step Challenge/Response......................... 32 

2-Step Challenge/Response......................... 32 

Non-time-based......................................... 58 

Time-based............................................... 57 

CHAP...................................................... 45, 46 

Check Digit................................................... 58 

Component................................................... 47 

Components..................................12, 13, 72, 79 

Customize..................................................... 93 

Data Migration Tool................................... 14, 17 

Digipass...9, 13, 14, 16, 31, 33, 50, 56, 57, 61-63, 

72, 79 

Digipass Application..................................... 9 

Digipass for Palm....................................... 11 

Digipass for Pocket PC................................ 11 

Digipass for SIM........................................ 11 

Digipass for Windows................................. 11 

Digipass PIN............................................. 57 

Digipass record......................................... 56 

Hardware Digipass....................................... 9 

Login process............................................ 18 

Lookup..................................................... 29 

Programming............................................ 57 

Server PIN................................................ 59 

Software Digipass...................................... 10 

Unlock Digipass......................................... 56 

Virtual Digipass.............................. 13, 16, 33 

Digipass ...................................................... 13 

Digipass Application....................................... 16 

Digipass record.............................................. 61 

Digipass User................................ 50, 62, 72, 79 

Account.................................................... 54 

Account Creation....................................... 54 

Linked...................................................... 30 

Digital Signature........................................ 9, 10 

Domain............................................................ 

ODBC....................................................... 55 

DUR............................................................. 54 

EAP.............................................................. 45 

Encryption.................................................... 86 

Event Value................................................... 59 

Event-based.................................................. 57 

Grace period............................................ 31, 61 

Group Check................................................. 29 

Licensing.......................................................... 

License Key.............................................. 87 

Local Authentication....................................... 29 

Message Delivery Component..................... 13, 95 

MS-CHAP................................................. 45, 46 

MS-CHAP2............................................... 45, 46 

ODBC..................................................... 47, 55 

One Time Password......................... 9, 10, 13, 33 

Length..................................................... 58 

Organizational Unit............................................ 

ODBC....................................................... 55 

OTP Request Site........................... 13, 33, 66, 94 

PAP.............................................................. 45 

Password.......................................................... 

Password Autolearn.................................... 55 

Static Password......................................... 34 


Digipass Plug-In for SBR Product Guide Index 

PIN.................................................................. 

Digipass PIN........................................ 10, 57 

Force PIN Change...................................... 56 

Server PIN.......................................... 31, 59 

Policies......................................................... 68 

Policy........................................................... 29 

Policy record................................................. 

Pre-loaded............................................ 70 

Privileges...................................................... 55 

RADIUS................................................... 14, 33 

RADIUS Client............................................... 14 

RADIUS Client Simulator................................. 14 

Reset............................................................... 

Digipass Application................................... 16 

Reset Application....................................... 56 

Reset Application Lock................................ 56 

Reset PIN................................................. 56 

Response Only...................................... 9, 10, 57 

Schema........................................................ 72 

Self-Assignment....................................... 61, 92 

Serial Number............................................... 61 

Set.................................................................. 

Set Event Counter...................................... 56 

Set PIN.................................................... 56 

Smartcard..................................................... 10 

Stored Password Proxy................................... 54 

Test Digipass Application................................. 57 

Text message.................................................. 9 

Time Shift..................................................... 58 

Time Step..................................................... 58 

Time-based................................................... 57 

Tracing......................................................... 91 

User Self Management Web Site...... 13, 55, 92, 93 

User Self-Management Web Site...................... 54 

Virtual Digipass..................... 9, 13, 16, 31-33, 64 

Backup Virtual Digipass... 11, 16, 32, 33, 64, 65 

Keyword................................................... 34 

OTP......................................................... 32 

Primary Virtual Digipass.............................. 11 

Request Method......................................... 34

DIGIPASS Plug-In for SBR Product Guide A4 - Vasco

Create successful ePaper yourself

Delete template?

Save as template?