Identikey Server Product Guide - Vasco

Identikey Server 

Product Guide 

3.0 

3.1

Disclaimer of Warranties and Limitations of Liabilities 

Disclaimer of Warranties and Limitations of Liabilities 

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, 

including but not limited to warranties of merchantable quality, merchantability of fitness for a particular purpose, 

or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and 

performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to 

you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, 

including but not limited to loss of revenue or profit, lost or damaged data of other commercial or economic loss, 

even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third 

party. Our maximum aggregate liability to you, and that of our dealers and suppliers shall not exceed the amount 

paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default 

is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the 

exclusion or limitation or liability for consequential or incidental damages so the above limitation may not apply to 

you. 

Copyright 

Copyright © 2009 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved. 

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any 

means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of 

VASCO Data Security Inc. 

RADIUS Documentation Disclaimer 

The RADIUS documentation featured in this manual is focused on supplying required information pertaining to the 

RADIUS server and its operation in the Identikey Server environment. It is recommended that further information be 

gathered from your NAS/RAS vendor for information on the use of RADIUS. 

Trademarks 

VASCO®, Vacman®, IDENTIKEY®, aXs GUARD, DIGIPASS®, and ® are registered or unregistered 

trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other 

countries. 

Document Version: 1.1

Table of Contents 


1 Overview........................................................................................................................................................ 8 

1.1 What is Identikey Server?.................................................................................................................................... 8 

1.2 What is a Digipass?............................................................................................................................................. 8 

1.3 Types of Digipass................................................................................................................................................ 9 

1.4 Structure of Identikey Server.............................................................................................................................. 14 

1.5 Identikey Server in a RADIUS Environment......................................................................................................... 17 

1.6 Identikey Server in a Web Environment.............................................................................................................. 21 

1.7 Administration Components............................................................................................................................... 23 

1.8 Identikey Server Data Model.............................................................................................................................. 26 

1.9 Integrating Your Systems With Identikey Server................................................................................................. 28 

1.10 SOAP SSL.......................................................................................................................................................... 30 

1.11 Available Guides................................................................................................................................................ 32 

2 User Authentication Process......................................................................................................................... 34 

2.1 Logging in with a Digipass................................................................................................................................. 34 

2.2 Authentication Process Overview....................................................................................................................... 35 

2.3 Identifying the Component Record..................................................................................................................... 36 

2.4 Digipass User Account Lookup and Checks........................................................................................................ 37 

2.5 Local Authentication.......................................................................................................................................... 45 

2.6 Back-End Authentication.................................................................................................................................... 54 

2.7 Authorization Profiles/Attributes......................................................................................................................... 62 

2.8 Host Code Generation........................................................................................................................................ 62 

2.9 Supported RADIUS Password Protocols.............................................................................................................. 63 

2.10 Unsupported by Identikey Server........................................................................................................................ 64 

3 Signature Validation Process......................................................................................................................... 66 

3.1 Signing a Transaction........................................................................................................................................ 66 

3.2 How Do I Generate a Signature?........................................................................................................................ 66 

3.3 Time based signature........................................................................................................................................ 67 

3.4 Event Based Signature....................................................................................................................................... 67 

3.5 Static Signature................................................................................................................................................. 68 

3.6 Signature Verification Process............................................................................................................................ 68 

3.7 Policy Settings................................................................................................................................................... 70 

4 Software Digipass Provisioning..................................................................................................................... 71 

4.1 Software Digipass Provisioning Overview........................................................................................................... 71 

Identikey Server Product Guide 3


4.2 Provisioning Scenarios....................................................................................................................................... 74 

4.3 DP110 Provisioning Overview............................................................................................................................ 81 

4.4 What are the steps in registration of a Software Digipass?................................................................................. 85 

4.5 What are the steps in activation?....................................................................................................................... 87 

4.6 Reactivation ...................................................................................................................................................... 88 

5 Administration Interfaces.............................................................................................................................. 89 

5.1 Data Administration........................................................................................................................................... 89 

5.2 System Administration....................................................................................................................................... 94 

5.3 What do I need to use?...................................................................................................................................... 95 

6 Digipass User Accounts................................................................................................................................ 96 

6.1 Digipass User Account Creation......................................................................................................................... 96 

6.2 Changes to Stored Static Password.................................................................................................................... 97 

6.3 Administration Privileges....................................................................................................................................97 

7 Digipass....................................................................................................................................................... 98 

7.1 Importing Digipass............................................................................................................................................. 98 

7.2 Assigning Digipass to Users............................................................................................................................... 98 

7.3 Digipass Record Functions............................................................................................................................... 101 

7.4 Digipass Programming..................................................................................................................................... 103 

7.5 Digipass Record Settings................................................................................................................................. 105 

7.6 Virtual Digipass Implementation Considerations............................................................................................... 108 

8 Client Components..................................................................................................................................... 111 

8.1 Component Types............................................................................................................................................ 111 

9 Server Components.................................................................................................................................... 113 

9.1 Server Component........................................................................................................................................... 113 

10 Policies....................................................................................................................................................... 114 

10.1 Policy Inheritance............................................................................................................................................ 114 

10.2 Pre-Loaded Policies......................................................................................................................................... 117 

11 Reporting................................................................................................................................................... 121 

11.1 Reporting Overview......................................................................................................................................... 121 

11.2 Report Definition.............................................................................................................................................. 122 

11.3 Standard Reports............................................................................................................................................. 125 

11.4 Custom Reports............................................................................................................................................... 126 



11.5 Report Generation Process............................................................................................................................... 126 

11.6 Report Usage and Change Permissions............................................................................................................ 127 

11.7 Making Data Available to Reports..................................................................................................................... 128 

12 Identikey Data Store................................................................................................................................... 129 

12.1 Active Directory............................................................................................................................................... 129 

12.2 ODBC Database............................................................................................................................................... 137 

12.3 Sensitive Data Encryption................................................................................................................................ 148 

13 Licensing.................................................................................................................................................... 149 

13.1 Overview......................................................................................................................................................... 149 

13.2 Obtaining and Loading a License Key............................................................................................................... 149 

14 Auditing and Tracing................................................................................................................................... 150 

14.1 Audit System................................................................................................................................................... 150 

14.2 Tracing............................................................................................................................................................ 152 

15 Message Delivery Component..................................................................................................................... 153 

15.1 What is the Message Delivery Component?...................................................................................................... 153 

15.2 Starting the Message Delivery Component....................................................................................................... 153 

16 User Self Management Web Site................................................................................................................. 154 

16.1 What is the User Self Management Web Site?.................................................................................................. 154 

16.2 Customizing the User Self Management Web Site............................................................................................ 155 


Illustration Index 


Image 1: GO 3...................................................................................................................................................................................................................10 

Image 2: GO 5...................................................................................................................................................................................................................10 

Image 3: GO 6...................................................................................................................................................................................................................10 

Image 4: DP 585...............................................................................................................................................................................................................11 

Image 5: DP 260...............................................................................................................................................................................................................11 

Image 6: DP 270...............................................................................................................................................................................................................11 

Image 7: DP 810...............................................................................................................................................................................................................12 

Image 8: DP 805...............................................................................................................................................................................................................12 

Image 9: DP 110...............................................................................................................................................................................................................13 

Image 10: Structure of Identikey Server............................................................................................................................................................................14 

Image 11 : SSL handshake process..................................................................................................................................................................................32 

Image 12 : Login Methods................................................................................................................................................................................................34 

Image 13: Authentication Process Overview......................................................................................................................................................................35 

Image 14: Name Resolution with Active Directory.............................................................................................................................................................39 

Image 15: Name Resolution with ODBC database.............................................................................................................................................................40 

Image 16 - Dynamic User Registration Process.................................................................................................................................................................44 

Image 17: User Account Link............................................................................................................................................................................................46 

Image 18: Virtual Digipass Login.......................................................................................................................................................................................49 

Image 19: Multiple Digipass Assignment...........................................................................................................................................................................51 

Image 20: The steps in Back-End Authentication for Novell eDirectory and ADAM............................................................................................................59 

Image 21: Steps of Signature Verification Process ...........................................................................................................................................................68 

Image 22: Steps of Provisioning........................................................................................................................................................................................73 

Image 23: Digipass for Mobile Scenario 1 process ...........................................................................................................................................................75 

Image 24: Digipass for Web Scenario 1 Process ..............................................................................................................................................................77 



Image 27: DP110 Scenario 1............................................................................................................................................................................................82 

Image 28: DP110 Scenario 2............................................................................................................................................................................................84 

Image 29: Steps of Software Digipass Registration...........................................................................................................................................................85 

Image 30: Steps of Software Digipass Activation...............................................................................................................................................................87 

Image 31: Self Assignment Process .................................................................................................................................................................................99 

Image 32: Auto Assignment Process ..............................................................................................................................................................................100 

Image 33: Manual Assignment Process ..........................................................................................................................................................................101 

Image 34: Policy Inheritance...........................................................................................................................................................................................114 



Image 35: Reporting Structure........................................................................................................................................................................................121 

Image 36: Report Grouping.............................................................................................................................................................................................124 

Image 37: Report Generation Process ............................................................................................................................................................................126 

Image 38: Digipass Record Locations - Digipass Pool.....................................................................................................................................................132 

Image 39: Digipass Record Locations - Parent Organizational Unit..................................................................................................................................133 

Image 40: Digipass Record Locations - Individual Organizational Units...........................................................................................................................135 

Image 41: Domains and Organizational Units..................................................................................................................................................................137 

Image 42: Digipass Record Locations – Domain Root.....................................................................................................................................................139 

Image 43: Digipass Record Location – Parent Organizational Unit...................................................................................................................................140 

Image 44: Digipass Record Location s – Individual Organizational Units..........................................................................................................................141 

Image 45: Additional ODBC databases............................................................................................................................................................................143 

Image 46: Multiple Identikey Server Using Single Database............................................................................................................................................144 

Image 47: Replication between a Primary and Backup Identikey Server..........................................................................................................................145 

Image 48: Replication between Primary, Backup, and Disaster Recovery in Identikey Server..........................................................................................146 

Image 49: Replication between three Identikey Servers..................................................................................................................................................147 

Image 50: Complex Identikey Server Replication Scenario..............................................................................................................................................147 

Image 51: Audit System Overview...................................................................................................................................................................................150 

Image 52: Audit Viewer...................................................................................................................................................................................................151 

Image 53: User Self Management Web Site....................................................................................................................................................................154 


1 Overview 

1.1 What is Identikey Server? 

Overview 

Identikey Server is a server product designed to support the deployment, use and administration of VASCO 

Digipass technology. It can be easily integrated with existing applications using a Software Developer Kit (SDK). 

Identikey Server provides support for the following primary functions: 

Digipass One Time Password Authentication 

Digipass Signature Validation 

Software Digipass Provisioning 

Administration and Reporting 

Auditing 

Identikey Server is designed to be easily usable with Web applications and has a Web-based Administration 

interface. 

1.2 What is a Digipass? 

A Digipass is a device for providing One Time Passwords and Digital Signatures to a User. 

A Digipass may be provided to each person whom an organization wishes to be able to log into their system using 

a One Time Password (OTP). The User obtains an OTP from the Digipass to use instead of, or as well as, a static 

password when logging in. 

In addition, a Digipass may be provided for the user to sign transaction data. The user enters key details of the 

transaction into their Digipass and receives a signature. They enter the signature into a transaction confirmation 

page in order to confirm that they authorize the transaction. 

Virtual Digipass is a mechanism where an OTP is generated by the server and sent by text message to the User's 

mobile phone. In this case, a physical Digipass device is not needed. 

A Software Digipass may be installed onto your computer, or onto a mobile device such as a Blackberry or Javaenabled 

mobile phone. It can be used to generate an OTP or a Signature in the same way as a physical Digipass 

device. 


1.3 Types of Digipass 

Overview 

Each Digipass is programmed with at least one Digipass Application and a unique secret. The Digipass Application 

uses this secret when generating One Time Passwords and Signatures. 

Each type of Digipass Application generates One Time Passwords or Signatures from different data, and in slightly 

different ways: 

Response Only 

Creates a One Time Password based on the current date and time or on the number of uses (events). 

Challenge/Response 

Creates a One Time Password (also referred to as a 'Response') based on a numerical challenge given on a login 

page. This may be either a challenge custom-created for the specific Digipass, or a randomly created challenge. 

The One Time Password may also be based on the date and time. 

Digital Signature 

Digital Signature Digipass Applications are typically used in online banking. The Digipass generates a unique code 

- referred to as a 'Digital Signature' - based on a number of transaction data fields entered, plus (optionally) the 

date and time or number of uses (events). 

Multi-Mode 

Multi-mode Digipass are Digipass that are capable of being used in all of the above modes. This setting is used 

mainly for Digipass for Web. 


1.3.2 Hardware Digipass 

Overview 

Hardware Digipass are devices specifically designed for creation of One Time Passwords and Digital Signatures. 

Depending on the model supplied, they may be used for Response Only, Challenge/Response and Digital Signature 

methods. 

The three basic types of hardware Digipass are: 

Digipass without keypads 

These are the simplest type of Digipass. They have a triggering mechanism - typically a button or action, such as 

pulling the Digipass open - which causes a One Time Password to be generated. They have only one Application, 

which is always Response Only. 

Image 1: GO 3 Image 2: GO 5 

Image 3: GO 6 


Digipass with keypads 

Overview 

These are typically capable of supporting more than one Application, and can be programmed so that a PIN must 

be entered before a One Time Password or Digital Signature may be generated. 

Image 4: DP 585 Image 5: DP 260 

Image 6: DP 270 


Smartcard reader Digipass 

Overview 

These provide two-factor authentication based on smartcard technology in a similar way to the above two types. 

The smartcard itself provides the 'secret' that is used to generate OTPs and Digital Signatures. 

1.3.3 Software Digipass 

Image 7: DP 810 Image 8: DP 805 

Software Digipass may be installed onto a Blackberry, Java-enabled mobile phone or other mobile device. The User 

then accesses a Digipass application to obtain a One Time Password or Digital Signature. They typically support 

Response Only, Challenge/Response or Digital Signature Digipass Applications. 

Distribution of Software Digipass is controlled by Identikey Server using Provisioning scenarios. See 4 Software 

Digipass Provisioning for more information. 

Digipass for Web 

Digipass for Web is a Java applet that runs on your internet browser. Digipass for Web can generate One Time 

Passwords and Digital Signatures. Digipass for Web supports the Multi-Mode Application type. 

Digipass for Mobile 

Digipass for Mobile is a Java applet that will run on your Java enabled mobile phone or Blackberry. Digipass for 

Mobile can generate One Time Passwords and Digital Signatures. 

1.3.4 Hardware/Software Digipass 

The Digipass 110 is currently the only Digipass available which combines the security of a hardware Digipass with 

the portability of a software Digipass. It consists of a secure USB stick used with a Java applet on the User's 


computer. It holds the cryptographic information used in generating One Time Passwords for the User. 

Overview 

Distribution of the Java applet used with the DP 110 is handled by Identikey Server in the same way as Software 

Digipass. See 4 Software Digipass Provisioning for more information. 

1.3.5 Virtual Digipass 

Image 9: DP 110 

Virtual Digipass can be used instead of hardware Digipass tokens, or as a backup mechanism when a User has 

mislaid their hardware Digipass. Using Virtual Digipass means that a User may receive a One Time Password on 

their mobile phone via text message. 

There are two forms of Virtual Digipass available: 

Primary Virtual Digipass are treated by Identikey Server almost identically to hardware and software Digipass - a 

record of each Primary Virtual Digipass must be imported into the data store, and may then be assigned to a User 

automatically or manually. The User will typically log in with their User ID and static password, have a text 

message sent to their mobile phone, and then enter the One Time Password from the text message in the second 

stage of their login. 

The Backup Virtual Digipass feature allows a User to request a One Time Password sent to their mobile phone if 

they do not have their usual Digipass at hand. It may be limited by number of uses or days of use - eg. a User may 

be limited to 2 days' usage, after which they will again need to use their usual Digipass to log in. 


1.4 Structure of Identikey Server 

Overview 

The diagram below shows the basic structure of an organization's existing applications integrated with Identikey 

Server. 

Image 10: Structure of Identikey Server 


1.4.1 Customer Web Applications 

Overview 

Identikey Server provides support for web applications through an SDK based on the standard SOAP protocol. 

These applications may cover operational tasks such as authentication and signature validation, provisioning of 

Software Digipass or administration of Identikey Server. 

SOAP over HTTPS is supported, versions 1.1 and 1.2. 'Document Literal' binding is used. A variety of SOAP client 

SDKs have been tested. 

1.4.2 Remote Access Clients 

Identikey Server supports the RADIUS protocol (according to RFC 2865) for remote network access authentication, 

to the same level as VACMAN Middleware 3.0. Some applications are written using RADIUS as an authentication 

protocol, and these applications will also be supported. 

The SEAL protocol is a proprietary VASCO protocol used by the VASCO authentication modules. At the time of 

writing this includes the Digipass Packs for Citrix Web Interface, Outlook Web Access and IIS Basic Authentication. 

Identikey Server supports these SEAL client applications to the same level as VACMAN Middleware 3.0. 

1.4.3 Identikey Server 

The Identikey Server is a Service which receives and processes requests from the various client components. It 

may refer to a Back-End System for a part of the processing tasks. 

Identikey Server has a modular architecture incorporating the following key concepts: 

1.4.3.1 Communicator Modules 

For each protocol by which requests can be received, a Communicator module is present. Each Communicator can 

be enabled or disabled as preferred, subject to support in the license. The following Communicators are present: 

1.4.3.2 Scenario Modules 

SOAP (requires a license option) 

RADIUS (requires a license option) 

SEAL (does not require a license option) 

For each major group of functionality in the Identikey Server, a Scenario module is present. Each Scenario can be 

enabled or disabled as preferred, subject to support in the license. The following Scenarios are present: 

Authentication (requires a license option) 

Signature Validation (requires a license option) 


1.4.4 Back-End Systems 

Provisioning (requires a license option) 

Administration (does not require a license option) 

Reporting (does not require a license option) 

Replication (does not require a license option) 

Administration (does not require a license option) 

Audit Scenarios (does not requrire a license option) 

Configuration (does not require a license option) 

Overview 

A Back-End System is used as an authority for user accounts and static passwords, before a user account is 

created in Identikey Server and the user starts to use a Digipass. In addition, for RADIUS it may be used to provide 

RADIUS attributes back to the RADIUS client, as Identikey Server does not provide RADIUS attribute support on its 

own. 

See 2.6 Back-End Authentication for more information. 

1.4.5 Database Server 

Identikey Server uses Active Directory or an ODBC-compliant database to store administration and configuration 

data. 

An embedded PostreSQL database is included in the installation package. 


1.5 Identikey Server in a RADIUS Environment 

Overview 

Identikey Server can be used in a RADIUS environment in a number of ways, depending on your company's 

requirements. 

In the following scenarios, a RADIUS Client may be a dial-up NAS (Network Access Server), firewall/VPN appliance, 

Wireless Access Point, or another device that uses the RADIUS protocol for user authentication. Some software 

applications can also use RADIUS for authentication, for example Microsoft Internet Security and Acceleration 

Server (ISA), and can therefore also act as RADIUS Clients. 

In the RADIUS protocol, 'attributes' are used for authorization and configuration of the remote access session in 

many cases. Identikey Server is specialized in providing strong authentication using Digipass, but is not designed 

to provide authorization. If authorization attributes are required, a RADIUS server product is used in conjunction 

with Identikey Server. 

1.5.1 Stand-alone: No RADIUS Attributes Required 

In this scenario, Identikey Server is used on its own, without a RADIUS server. 

Identikey Server can generally be used without a RADIUS server if: 

RADIUS attributes are not required 

One of the supported password protocols is used: PAP, CHAP, MS-CHAPv1, MS-CHAPv2 


1.5.2 Proxy Target: RADIUS Server Acts as Proxy 

Overview 

In this scenario, a RADIUS server acts as a proxy for authentication, effectively delegating the authentication 

process to Identikey Server. The RADIUS server provides the authorization attributes after Identikey Server has 

accepted the user credentials. 

A RADIUS server can forward authentication to Identikey Server if: 

The RADIUS server supports the proxying of authentication while returning attributes itself 

The RADIUS server can forward the authentication request using one of the supported password protocols is 

used: PAP, CHAP, MS-CHAPv1, MS-CHAPv2 

The RADIUS server supports an Access-Challenge response from Identikey Server, if required. The Access- 

Challenge mechanism is used for Challenge/Response and Virtual Digipass, although it is still possible to use 

Virtual Digipass without that mechanism. 

If the RADIUS server is capable, this scenario allows Identikey Server to operate in an environment that uses 

certificate-based EAP protocols such as PEAP and EAP-TTLS. To make this work, the RADIUS server decrypts the 

user credentials into a simpler protocol before forwarding the request to Identikey Server. 


1.5.3 Intermediary: RADIUS Server as Back-End Server 

Overview 

In this scenario, Identikey Server will forward requests to a RADIUS server in order to retrieve authorization 

attributes, after validating the One Time Password. It is necessary to provide a static password to the RADIUS 

server to achieve this. Therefore, there are two methods of implementing this: 

1.5.3.1 Log in with OTP Only 

Using this method, the User only enters their OTP (including a PIN if used). Identikey Server has to learn the static 

password for the User, so that when the User gives the correct OTP, it can send the static password to the RADIUS 

server. 

This method can be used if: 

One of the supported password protocols is used: PAP, CHAP, MS-CHAPv1, MS-CHAPv2 

The static passwords can be 'learnt' by Identikey Server 

If PAP is used, Identikey Server has the ability to learn the static passwords automatically. The User has to perform 

at least one login with their static password – if the RADIUS server accepts the password, Identikey Server can 

learn it. 

However, if one of the other password protocols is used, this process is not possible. In that case, there are a few 

other ways in which the passwords can be learnt, through administrative data entry or using the User Self- 

Management Web Site. 


1.5.3.2 Log in with Password and OTP 

Overview 

Using this method, the User enters their static password and OTP at each login. Identikey Server validates the OTP 

and if correct, forwards the static password to the RADIUS server. 

This method can be used if: 

The PAP password protocol is used, because CHAP and MS-CHAP hash the password and OTP together 

inseparably 


1.6 Identikey Server in a Web Environment 

1.6.1 Soap Integration 

Overview 

Identikey Server has a SOAP module that can be used to integrate Identikey Server with web applications. The 

Identikey Server SOAP interface allows the following Identikey Server functions to be integrated into web 

applications: 

User Authentication 

Signature validation 


Administration 

Reporting 

1.6.2 IIS Module 

In an IIS Web environment, Identikey Server can also use a component that plugs into Internet Information Services 

(IIS) to intercept authentication requests. This component, the IIS Module, verifies the credentials with Identikey 

Server first. Normally this means verification of the One Time Password (OTP). If the OTP is valid, the static 

password is given back to IIS as if the user had entered it, and the normal web site authentication process 

completes the login. 

To enable verification by Identikey Server it is necessary to provide a static password, typically the Windows 

password, to IIS. Therefore, there are two methods of implementing this: 

1.6.3 Log in with OTP only 

Using this method, the User only enters their OTP (including a PIN if used). Identikey Server has to learn the static 

password for the User, so that when the User gives the correct OTP, it can give the static password back to IIS. 


Overview 

Identikey Server has the ability to learn the static passwords automatically if they are Windows passwords. The 

User has to perform at least one login with their static password – if this password is validated by Windows, 

Identikey Server can learn it. 

The same process can also be used if the static passwords are held in a RADIUS server – however, the Identikey 

Server license must have RADIUS support activated for this to be enabled. 

This process is not possible if the static passwords are not Windows or RADIUS passwords. In that case, 

administrative entry is required for the passwords. 


1.6.4 Log in with Password and OTP 

Overview 

Using this method, the User enters their static password and OTP at each login. Identikey Server validates the OTP 

and if correct, returns just the static password to IIS. 

This method may be necessary when the static passwords are not Windows passwords, for example they may be 

Novell passwords. It also may be suitable if you do not want Identikey Server to store your users' Windows 

passwords (although they are strongly encrypted). 

1.7 Administration Components 

1.7.1 Web Administration 

A web-based administration application is provided with Identikey Server to enable administrators to carry out the 

majority of administration functions for the system. The Web Administration package allows administrators to 

perform tasks such as: 

Administer User accounts 

Administer Digipass 

Define the organizational structure 

Manage Policies 

Create and run reports 

Manage Client components 


Manage and Configure the Identikey Server 

Overview 

The Web Administration application uses the Identikey Server's SOAP administration interface to manage data. 

1.7.2 Digipass Extension for Active Directory Users and Computers 

An extension to Active Directory Users and Computers is available. This extension allows administration of Digipass 

User accounts and Digipass records where Identikey Server uses Active Directory as its data store. 

1.7.3 The Audit System 

1.7.3.1 The Audit Viewer 

1.7.4 Reporting 

The Audit System tracks operations carried out by Identikey Server. Each operation generates audit messages that 

are written to either a text file or a database. 

Audit information can be used to generate reports, for example, the number of failed authentications over a certain 

period. Audit information can also be used by Identikey Server system administrators to monitor system 

performance, or suspicious activity. 

System administrators can use the Audit Viewer program to view Audit information. It allows System administrators 

to filter the audit information to make it easier to view and understand. The Audit Viewer also allows you to view 

audit information from different sources. 

Using the Audit Viewer information helps system administrators to troubleshoot effectively, and to keep track of 

significant events in the system. 

The Web Administration package contains a reporting module. This module contains the tools required to run a set 

of standard reports and to create and run custom reports. 

Reports may be based on User account and Digipass data as well as audit data. Formatting templates can be used 

to convert the output into the preferred format, using XSLT. 

1.7.5 Digipass TCL Command-Line Administration 

An extension to TCL is used for command-line administration tasks. The full power of TCL scripting can be used in 

order to automate bulk or regular administration tasks. A stand-alone TCL interpreter is also provided so that this 

functionality can be used where there is no TCL environment present already. 

The TCL extension uses the Identikey Server to manage the data store. It uses the SEAL protocol to communicate 

with the Identikey Server. 


1.7.6 Identikey Server Configuration 

Overview 

The Identikey Server uses a local XML text file to store certain configuration settings. These can be managed using 

a graphical user interface program. 

There is also a Configuration Wizard program available to carry out certain maintenance tasks such as changing 

the IP address of the server. 


1.8 Identikey Server Data Model 

Overview 

Identikey Server can use either an ODBC database (including the embedded PostgreSQL database) or Active 

Directory as its data store. The data model will vary slightly between ODBC and Active Directory stores. 

1.8.1 Digipass record 

The following kinds of record are stored in the Identikey Server data store: 

A Digipass record must exist in the data store for each Digipass in use. This record contains: 

Information about the Digipass (eg. serial number and model) 

The names and programming parameters of Applications in the Digipass 

The status of various options (eg. Digipass lock) 

Some of the information in this record is encrypted together in what is called the 'Digipass Blob'. There is one 

'Blob' per Application. 

1.8.2 Digipass User account record 

Each User who will be logging in using Digipass authentication will require a Digipass User account. The Digipass 

User account record contains information needed by Identikey Server such as authentication settings. A Digipass 

must be assigned to a Digipass User account before it can be used for authentication. 

Administrative privileges are assigned to Digipass User accounts and therefore a Digipass User account is needed 

for each administrator. 

1.8.3 Component record 

1.8.4 Policy record 

Component records are created to represent: 

Identikey Servers 

Authentication, Signature and Provisioning client components 

Administration client components 

They are used for the following main purposes: 

For clients, to indicate that it is permitted to process a request from that client and to specify a Policy (see 

below) to be used 

For RADIUS Clients, to hold the Shared Secret 

To hold a License Key for Identikey Servers and IIS Modules 


Overview 

Policies specify various settings that affect the request handling processes. Each request is handled according to a 

Policy that is identified by the applicable Component record. 

There are many Policy settings including the following examples: 

Whether Local and/or Back-End authentication should be used 

Whether various automatic management features should be used 

The Digipass Application types required 

Backup Virtual Digipass settings 

1.8.5 Back-End Server record 

1.8.6 Domain record 

A Back-End Server record is required when a RADIUS or LDAP server is to be used by Identikey Server for 

authentication. It is possible to create more than one Back-End Server record, for fail-over purposes. You can also 

allocate different Back-End Servers for different user domains. 

Domains form the basis for the Organizational Structure in an ODBC database. Where Identikey Server uses Active 

Directory as its data store, the standard Active Directory Domains are used instead. 

Active Directory 

Identikey Server operates within the pre-existing Active Directory domain and Organizational Unit structure. Each 

Digipass User and Digipass must belong to a domain in Active Directory. 

User IDs must be unique within a domain, but may be repeated between domains. 

While Digipass User account and Digipass records can belong to any domain, a single domain is identified during 

installation as the Digipass Configuration Domain. This domain is used to store the Component, Policy and Back- 

End Server records. It is also used as a default domain for user lookup, when no domain is specified. 

ODBC Database 

Domains perform the following functions: 

allow different user groups to be separated 

provide the ability to limit administrator activities to the administrator's own domain (delegated administration) 

allocate unassigned Digipass records to different Domains, for example to mirror the geographic location of the 

devices 

Each Digipass User and Digipass must belong to a domain. One domain is identified as the Master Domain – this 

will be the default domain when none is specified. In addition, administrators in the Master Domain can be given 

rights to access data in all domains, where other administrators are limited to data in their own domain. 

User IDs must be unique within a domain, but may be repeated between domains. Digipass serial numbers must 


e unique in the database. 

1.8.7 Organizational Unit record 

Overview 

Organizational Units, like Domains, are handled differently depending on whether the Identikey Server uses Active 

Directory or an ODBC database as its data store. 

Active Directory 

Where Identikey Server uses Active Directory as its data store, the standard Active Directory Organizational Units 

are used instead. 

Digipass User accounts and Digipass records are normally stored in Organizational Units or the Users container. A 

special container called Digipass-Pool is created during installation to hold unassigned Digipass, although they can 

be located in Organizational Units instead. 

Administration duties may be assigned to administrators per Organizational Unit, in the same way that regular user 

administration is delegated at that level. 

ODBC Database 

Where Identikey Server uses an ODBC database as its data store, Organizational Units allow further 

compartmentalisation of Digipass User accounts, Digipass records and administration duties. Organizational Units 

are included to: 

provide the ability to limit administrator activities to the administrator's own Organizational Unit (delegated 

administration) 

allocate unassigned Digipass records to different Organizational Units, for example to mirror the geographic 

location of the devices 

Digipass User accounts and Digipass records may belong to an Organizational Unit, but this is not mandatory. 

1.9 Integrating Your Systems With Identikey Server 

1.9.1 SOAP Interfaces 

SOAP interfaces are provided to support the following functions: 

User Authentication 

Signature Validation 


Administration 

Reporting 


1.9.2 RADIUS 

You need to acquire the SDK for SOAP for further information. 

Overview 

RADIUS support is present for authentication (Access-Requests) using PAP, CHAP, MS-CHAP and MS-CHAP2. 

MPPE keys are generated for MS-CHAP and MS-CHAP2. 

If you have an existing RADIUS Server, Identikey Server can use it as a Back-End System in order to retrieve 

RADIUS attributes from it. Alternatively, you can use the RADIUS Server as an authority to permit dynamic creation 

of user accounts in Identikey Server and verification of static passwords. 

1.9.3 Custom Back-End Integration 

You can write your own plug-in Engine to attach Identikey Server to your own back end system. This would be used 

primarily as an authority to permit dynamic creation of user accounts in Identikey Server and for verification of 

static passwords. 

Refer to the SDK Overview Guide for further information. 

1.9.4 Back-End Integration 

There are a number of systems that can be used as Back-Ends to Identikey Server. These back-ends can be used 

as an authority on authentication data. 

The following back-ends can be used: 

Microsoft Active Directory 

Microsoft ADAM 

Novell e-Directory 

Refer to 2.6 Back-End Authentication for further information. 


1.10 SOAP SSL 

1.10.1 What is SSL? 

Overview 

SSL stands for Secure Sockets Layer, which is a cryptographic protocol that provides secure communications over 

the Internet for e-mail, web browsing and, in this case, connection of two web-based applications via SOAP. 

SSL is the method by which a client can obtain a secure connection to a SSL-enabled server. The SSL-enabled 

server can identify itself to the client in a trusted manner before any information is passed between the client and 

the SSL-enabled server. 

1.10.2 Terms Used in SSL 

Some of the terms used in describing the function of SSL are specific to SSL and cryptography. Listed below are 

some of the terms used in this chapter, and what they mean: 

1.10.3 How Does SSL work? 

Handshake Procedure - The client machine and the SSL-enabled server establish a trusted and secure 

connection before any sensitive information is passed between them 

Certificate - The certificate in this context is an encrypted file attached to a message. 

Certificate Authority - a trusted third party used to issue the certificates. Each browser will have a list of 

trusted Certificate Authorities it can use to check against the signature on a certificate. 

Public Key - A key used to encrypt and decrypt information that is known to the SSL-enabled server and clients 

that use it. 

Private Key - A key known only to the SSL-enabled server that is used to decrypt information. 

Symmetrical Encryption - encryption that uses only one key to encrypt and decrypt information. 

Asymmetric Encryption - encryption that uses two keys to encrypt and decrypt information. 

1. A client initiates a connection using a handshake procedure. The client connects to an SSL-enabled server 

(the server), requesting a secure connection. 

2. The server sends back an encrypted certificate which usually contains the server name, the Certificate 

Authority and the server's public key. 

3. The client decrypts the certificate using the server's public key. The client checks the Certificate Authority 

against its browser's list of trusted Certificate Authorities. 

4. The client then encrypts a random number using the server's public key and sends this back to the server. 

This will be the secret that the client and server use to encrypt information passed between them. 

5. The server then decrypts the random number using the private key. The nature of the public and private 

keys is that information encrypted with the public key can only be decrypted by the private key. 


6. Information encrypted using the generated secret is passed between the client and server. 

If any part of the handshake procedure fails the whole handshake procedure will fail. 

1.10.4 SSL, SOAP and Identikey Server 

Overview 

If you want to write SOAP interfaces for Identikey Server, the server side of SSL is mandatory. The SOAP client 

must utilize SSL to verify the server when attempting to connect. 

When setting up the SOAP Communication Protocol on the Identikey Server Configuration application, you can 

specify whether the client certificate is required: 

Never - the client certificate is never required. 

Optional - the client certificate is optional 

Required - The client certificate is required 

Required - Signed Address Only - The Server must include its IP address in the certificate. The client will 

match this IP address against that of the server it is connecting to. If they don't match the handshake will fail. 

Similarly, the client certificate must include the IP address of the client. The Server will check the IP address 

from the client certificate against the client it is establishing a connection with, and the handshake will fail if 

the two IP addresses don't match. 

The Identikey Server Configuration application provides a test SSL certificate. The test SSL certificate is time 

limited so it will expire after a period of time. When the test SSL certificate expires you can recreate it from the 

configuration application. Alternatively purchase an SSL certificate with a longer expiry period. 


Image 11 : SSL handshake process 

Overview 

The Identikey Server Configuration application SOAP Communication protocol page also contains a check box 

labelled Re-Verify on Re-Negotiation. Check this box to force the connection between SOAP and the Identikey 

Server to be re-verified each time a connection is established. Please note that this may cause problems with 

performance and so should not be checked unless absolutely necessary. 

1.11 Available Guides 


The following Identikey Server guides are available: 

Product Guide 

Overview 

The Product Guide will introduce you to the features and concepts of Identikey Server and the various options you 

have for using it. 

Getting Started Guide 

The Getting Started Guide will lead you through a standard setup and testing of key Identikey Server features. 

Windows Installation Guide 

Use this guide when planning and working through an installation of Identikey Server in a Windows environment. 

Linux Installation Guide 

Use this guide when planning and working through an installation of Identikey Server in a Linux environment. 

Administrator Reference 

In-depth information required for administration of Identikey Server. This includes references such as data attribute 

lists, backup and recovery and utility commands. 

Performance and Deployment Guide 

Contains information on common deployment models and performance statistics. 

Help Files 

Context-sensitive help accompanies the Administration Web Interface and Digipass Extension for Active Directory 

Users and Computers. 

Identikey Server SDK Programmers Guide 

In-depth information required to develop using the SDK. 


2 User Authentication Process 

2.1 Logging in with a Digipass 

User Authentication Process 

The diagram below shows a typical login process for the three basic login methods supported by Identikey Server. 

Image 12 : Login Methods 


2.2 Authentication Process Overview 

Identikey Server Authenticates logins in two basic ways: 

Using information from its data store ('local' authentication) 

Asking a Back-End system for verification of information ('back-end' authentication) 


The exact authentication process used by Identikey Server will vary depending on settings in the applicable Policy 

and Digipass User account. The diagram below shows the basic process followed when authenticating a Digipass 

User login. 

Image 13: Authentication Process Overview 


2.3 Identifying the Component Record 

The component making an authentication request will be identified using: 


Component Type – A name provided by the SOAP application, or a fixed name such as RADIUS Client, Citrix 

Web Interface, Outlook Web Access or Administration Program 

Location – the source IP address of the request 

The component lookup and verification processes are a little different according to the type of component, as 

outlined below. 

2.3.1 RADIUS Client Component Check 

For a RADIUS Client, the following component checks are made: 

Component Record exists 

A Component record for the RADIUS Client must exist, otherwise the request is discarded without responding: 

Type = RADIUS Client 

Location = the source IP address of the request OR if there is no RADIUS client at the specified location, 

Location = default 

Shared Secret is set 

The Component record must have a Shared Secret value set, otherwise the request is discarded without 

responding. 

Any RADIUS Client which does not have an explicit Component record will be handled using the “default” RADIUS 

Client Component if it exists. 

2.3.2 IIS Module Component Check 

For an IIS Module Component the following component checks are made: 

Component Record exists 

A Component record for the IIS module must exist, otherwise the request is discarded without responding: 

Type = IIS module 

Location = the source IP address of the request 


2.4 Digipass User Account Lookup and Checks 

Identikey Server performs a number of checks before proceeding to local authentication. 

2.4.1 User ID and Domain Resolution 


In Identikey Server, Digipass User accounts are identified using a User ID and a Domain, not just a User ID. There 

are a few ways to do this: 

2.4.1.1 Windows Name Resolution 

In Windows environments, there are a few ways to provide these details when logging in: 

Using NT4-style domain qualification in front of the User ID: DOMAIN\userid 

Using User-Principal-name (e.g. userid@domain) 

With separate User ID and Domain fields (this is not possible using RADIUS) 

When Digipass User accounts correspond to Windows user accounts, the Windows Name Resolution feature can 

be used to support these three login formats. With ODBC or an embedded database, it is optional whether to user 

Windows Name Resolution or not. However, if the Windows Name Resolution process is enabled and fails, the 

login is rejected. Therefore, a login with a User ID that does not correspond to a Windows user account will be 

rejected. 

With this feature enabled, Windows is used to resolve the NT4-style and User-Principal-Name User ID formats. 

Windows Name Resolution is enabled using the Identikey Server Configuration program. Click the Configure 

Advanced Settings button on the ODBC Connection tab to get the Advanced Settings dialog; check the Use 

Windows User Name Resolution checkbox. 

2.4.1.2 Simple Name Resolution 

When Windows Name Resolution is not used, the following formats are available: 

Using a similar format to User-Principal-Name: user@domain 

With separate User ID and Domain fields 

If the user@domain format is used for the User ID, the Identikey Server will look for a Domain record with the name 

given after the @. If the Domain is found, the @domain part will be stripped from the User ID before the 

authentication process continues. If it is not found, the User ID will be left as user@domain, and no Domain will be 

identified. In that case, the Default Domain processing will be used, as described next. 


2.4.1.3 Default Domain 


Using either Windows or Simple Name Resolution, if none of the above formats are used, only the User ID is given, 

with no Domain qualification. It is still necessary to identify the Domain in order to look up the Digipass User 

account. 

The Default Domain can be configured in the following ways: 

In the Policy record, the Default Domain field can be set. If this is set, it will be used when no Domain has 

been identified by the Windows or Simple Name Resolution. 

When the Policy has no Default Domain set, the Master Domain will be used. 

2.4.1.4 Active Directory User Account 

When Active Directory is used as the data store, Digipass User accounts are always attached to Active Directory 

User accounts. Therefore, if an authentication request is received for a User who does not have an account in 

Active Directory, the request is rejected. 

This is not mandatory for an ODBC or embedded database. 


2.4.1.5 Summary – Active Directory 


The full process of User ID and Domain name resolution is illustrated in the following diagram, for the case where 

Active Directory is the data store: 

Image 14: Name Resolution with Active Directory 


2.4.1.6 Summary – ODBC Database 

The full process of User ID and Domain name resolution is illustrated in the following diagram. 

Image 15: Name Resolution with ODBC database 



2.4.2 Windows Group Check (optional) 


Specific Windows Groups can be selected for authentication by the Identikey Server when all Users are Windows 

accounts. This Windows Group Check feature might be used when: 

Deploying Digipass in stages. Users are not required to log in using a Digipass until they are put into a 

Windows group. They can be put into the group in manageable stages. 

Two-factor authentication is needed only for access to sensitive data, which has been granted to certain Users 

(for example, administrators). Only this group of people will require Digipass, and will be authenticated by the 

Identikey Server. Other Users will be authenticated by another authentication method. 

Most Users will have Digipass and be permitted to log in to the system, but some Users should not be 

authenticated under any circumstances. 

Authentication is needed for the live Audit Viewer connection to the Identikey Server, when using Active 

Directory as the data store. The Group Check can be used to limit which users are allowed to connect, for 

example to the Domain Admins group. 

When the Group Check is active, Users who are in one of the defined groups go through the full authentication 

process. However, there are a few Group Check Modes that control the outcome for Users who are not in one of 

the groups. The Group Check Mode is defined in the Policy. 

One or more Windows Group names must be defined in a Group List in the Policy. Group membership is checked 

within the User's own domain only, therefore these Groups must exist in each domain where there are Users who 

need to be included in a Group. 

2.4.2.1 'Pass Back' Mode 

Important Note 

When the Group Check is used, if the Group Check fails, the login will fail. This will occur for a 

user who is unknown to Windows. 

The following Group Check Modes are available: 

The full name in the Policy property sheet for this mode is: 

Pass requests for users not in listed groups back to host system 

The Identikey Server does not handle authentication for Users who are not in one of the defined groups. These 

Users are handled by the host system (eg. IIS). In effect, this means that they do not need to have Digipass User 

accounts and they do not need to use a Digipass to log on. As soon as the Group Check indicates that the User is 

not to be handled, authentication processing stops and the 'not handled' result is returned. 

This mode is suitable for staged deployment of Digipass and for the case where only certain Users need strong 

(Digipass) authentication. 


2.4.2.2 'Reject' Mode 

2.4.2.3 'Back-End' Mode 


Reject requests for users not in listed groups 


The Identikey Server rejects authentication immediately for Users who are not in one of the defined groups. 

This mode is suitable for restricting which Users are permitted to log in. 


Use only Back-End Authentication for users not in listed groups 

This mode can be used when Back-End Authentication is set up (see 2.6 Back-End Authentication). 

The Identikey 

Server will just use Back-End Authentication for Users who are not in one of the defined groups. For example, if 

RADIUS Back-End Authentication is used, the job of authenticating Users not in the defined groups is delegated to 

the RADIUS server. No lookup will be carried out for the Digipass User account, and no further Local 

Authentication will be carried out. 

Back-End Authentication will be used for the out-of-group Users even if the Policy setting for Back-End 

Authentication is set to None. In that case, the in-group Users would be authenticated only by Local 

Authentication, while the out-of-group Users would be authenticated only by Back-End Authentication. However, it 

is necessary to define the Back-End Protocol Policy setting. 

This mode is suitable for staged deployment of Digipass and for the case where only certain Users need strong 

(Digipass) authentication. 

2.4.3 Digipass User Account Lookup 

The Identikey Server checks that the User attempting to log in has a Digipass User account in the Identikey Server 

data store. The User ID and Domain Resolution performed earlier determines the search criteria to look up the 

Digipass User account. 

If a Digipass User account is found, the Disabled and Locked indicators are checked. If either is set to Yes, the 

authentication request is rejected immediately. 

If no Digipass User account is found, then Policy settings will determine whether the Identikey Server continues 

processing or rejects the authentication request: 

If Local Authentication is required, a Digipass User account must exist. It is only possible to proceed if the 

Dynamic User Registration feature is enabled. This is explained further below. 

If Local Authentication is not required, authentication processing can proceed without a Digipass User 

account. 

If the Local Authentication Policy setting is None, no Local Authentication is required. If it is set to 


Digipass/Password or Digipass Only, Local Authentication is required. 

2.4.4 Dynamic User Registration 


Dynamic User Registration (DUR) allows Digipass User accounts to be created automatically when their 

credentials are validated by Back-End Authentication. The correct static password will be sufficient to permit a 

Digipass User account to be created. DUR saves the administrative work of manually creating or importing Digipass 

User accounts. 

It is typically used in conjunction with: 

the Digipass Auto-Assignment feature, which will assign the next available Digipass to the new Digipass User 

account as it is created, or 

the Digipass Self-Assignment feature, which will allow the new User to assign a Digipass to their account as 

part of their login process 

For more details on these Digipass assignment features, see 7 Digipass. 

In order to control the creation of new accounts, DUR can be used with: 

the Windows Name Resolution feature (mandatory for Active Directory). This will prevent more than one 

Digipass User account being created for the same Windows User account, when they use different User ID 

formats to log in 

the Windows Group Check feature, so that a staged creation of Digipass User accounts and assignment of 

Digipass is achieved 

A typical DUR process using Auto-Assignment and the Windows Group Check is illustrated below. 


Image 16 - Dynamic User Registration Process 



2.5 Local Authentication 


Local Authentication is a term used to describe the Identikey Server authenticating a User based on information in 

its data store. Typically the Digipass One Time Password is required, but in other cases a static password may be 

sufficient. 

The Local Authentication Policy setting indicates whether to perform Local Authentication, and if so, whether a 

static password is permitted. This setting is overridden by the same setting in the Digipass User account, unless 

that has the value Default. However, this setting in the Digipass User account would typically be used only for rare 

special case Users. 

Using the Windows Group Check in Back-End Mode, this setting can be overridden. If a User is not in the list of 

groups, no Local Authentication will be performed. 

The possible values for the Local Authentication setting are as follows: 

None 

No Local Authentication will take place. 

Digipass/Password 

A Digipass One Time Password or static password may be verified. As a general rule, until a User starts to use a 

Digipass, they may continue to authenticate with their static password. 

Digipass Only 

A Digipass One Time Password must be verified. Users without Digipass will not be able to log in. However, Self- 

Assignment is still possible, as an OTP is used as part of the process. 

2.5.1 Digipass Lookup 

The first step of Local Authentication is to search for Digipass records applicable to the login. Normally, this is a 

simple search for all Digipass assigned to the Digipass User account. However, there are exceptions: 

2.5.1.1 No Digipass User Account 

If there is no Digipass User account, no search will be done. This can occur if Dynamic User Registration is 

enabled. 

2.5.1.2 Policy Restrictions 

The Policy can specify restrictions on which types of Digipass and/or Digipass Applications may be used. Any 

combination of the following restrictions can be defined: 



Application Names - a list of named Applications. Only Digipass that have one or more of the named 

Applications will be usable. 

Application Type - either Response Only, Challenge/Response or Multi-Mode. Only Digipass with that 

Application Type will be usable, except Multi-Mode will match all application types. 

Digipass Type - a list of models such as DPGO3, DP260. Only Digipass from the listed models will be usable. 

Therefore, it is possible that a Digipass User account that has a Digipass assigned is not able to use that Digipass 

to log in, when a certain Policy applies. They will be regarded as a User without a Digipass in that case. In a 

different kind of login, a different Policy may apply, with no restrictions. Then they would be treated as a User with 

a Digipass. 

For example, a company has Go 3 Digipass (DPGO3) and Primary Virtual Digipass (DPVTL). The Outlook Web 

Access login permits both, so its Policy does not restrict Digipass Types. However the RADIUS VPN login requires 

the Go 3, so its Policy specifies Digipass Type = DPGO3. 

2.5.1.3 Linked User Accounts 

If a person has two Digipass User accounts, for example an administrative account and a 'normal user' account, 

the two accounts can be linked together. This provides the ability for the two accounts to share a Digipass. The 

Digipass is assigned to one of the accounts, then the other account is linked to it. 

Digipass record 

Attached 

to main 

User 

account 

Digipass User 

account 1 

User can log into 

either account 

using the same 

Digipass 

Image 17: User Account Link 

User Account Link 

Digipass User 

account 2 

When an authenticating Digipass user account is linked to another, the search for Digipass will be done for the 

other account. In the example above, Digipass User account 2 is linked to Digipass User account 1. The Digipass is 

assigned to Digipass User account 1. When Digipass User account 1 logs in, the Digipass search is for that 

account. When Digipass User account 2 logs in however, the Digipass search is for Digipass User account 1. 


2.5.2 Authentication with Digipass 

2.5.2.1 Server PIN 

2.5.2.2 Grace Period 


When the Digipass lookup returns at least one Digipass record, authentication processing requires a valid One 

Time Password to succeed, unless: 

All Digipass found are within a Grace Period. This feature is described below. 

The User successfully requests a Challenge for Challenge/Response (see below). 

The User successfully requests a Virtual Digipass One Time Password (see below). 

A Server PIN may be required in addition to the One Time Password. The Server PIN is entered during login with 

the OTP - instead of a Digipass PIN, which is entered into the Digipass device. In some cases a new Server PIN 

may need to be set. This gives the following permutations: 

OTP - the normal login where a Server PIN is not required. 

PINOTP - the normal login where a Server PIN is required. 

PINOTPnewpinnewpin - to change the Server PIN, the new PIN is put twice after the OTP. 

OTPnewpinnewpin - to set the Server PIN on first use, when no initial PIN was programmed, the new PIN is put 

twice after the OTP. This is also necessary after an administrative PIN reset. 

Each Digipass may be given a Grace Period when it is assigned to a Digipass User account. The Grace Period is 

there to allow some time before the User receives the Digipass and learns how to use it. The first time that the 

User logs in successfully with their Digipass, the Grace Period is ended. After that, they have to continue to use the 

Digipass. The Grace Period is time limited, so that the User is not able to delay too long before they start to use the 

Digipass. 

The Grace Period can be set during manual administrative assignment of Digipass as well as during Auto- 

Assignment. However, it is not applicable to Self-Assignment, because the User must use the Digipass to 

complete the Self-Assignment process. 

The Grace Period cannot apply when the Local Authentication setting is Digipass Only. 

During the Grace Period, if OTP validation fails, the static password is checked. If the static password is valid, Local 

Authentication succeeds (but note that Back-End Authentication, if used, can subsequently still cause the overall 

login to fail). 

The password is compared against the Digipass User account's password value. However, if the Digipass User 

account does not have a password set, the password has to be verified with Back-End Authentication. If there is no 

Back-End Authentication and no password in the Digipass User account, Grace Period password logins will not 

work. 



If the passwords do not match and Back-End Authentication is enabled, the password will be verified with Back- 

End Authentication. 

2.5.2.3 Challenge Generation 

There are two modes of Challenge generation for Challenge/Response: 

2-Step Challenge/Response 

This mode can be used for Web authentication, where Challenge/Response is supported. In this mode, the 

authentication process takes place in two steps. 

First, the User requests a Challenge to be generated for them. The Policy defines how this request should be 

made, with the Request Method and Request Keyword settings (see below for more details on Request Methods). 

The Challenge is generated specifically for their Digipass, according to its programming. 

Assuming that the request for the Challenge is accepted and a Challenge is returned, the User submits a second 

step login with the Response to the Challenge as their OTP. This second step goes through the whole 

authentication process again to verify the Response. 

1-Step Challenge/Response 

This mode is also possible for Web authentication, where Challenge/Response is supported. In this mode, the User 

sees only one logon step. This mode is suitable for time-based Challenge/Response, but is less secure for nontime 

based Challenge/Response. If an attacker manages to capture some valid Responses, they can repeatedly 

request new Challenges until one they know comes up again. 

A random Challenge is requested automatically by the Web Application and presented to the User on the login 

page. A general-purpose Challenge is generated, without reference to any particular Digipass' programming. The 

User logs in with their Response to the Challenge as their OTP. 

2.5.2.4 Virtual Digipass OTP Generation 

Using Virtual Digipass, the authentication process takes place in two steps. 

First, the User requests an OTP to be generated and delivered to them. The Policy defines how this request should 

be made, with the Request Method and Request Keyword settings (see below for more details on Request 

Methods). The OTP is generated specifically for their Digipass, according to its programming. It is sent to their 

mobile phone number, as recorded in the Digipass User account. 

Backup Virtual Digipass has additional restrictions on usage, to keep the cost of text messages down. These are 

verified before an OTP will be generated. These restrictions are described in 7 Digipass. 

Assuming that the request for the OTP is accepted and an OTP is generated and delivered successfully, the User 

submits a second step login with the OTP. This second step goes through the whole authentication process again 

to verify the OTP. 

This process is illustrated below: 


Image 18: Virtual Digipass Login 

2.5.2.5 Requesting a Virtual Digipass OTP - User Perspective 


There are three ways a User might request a One Time Password to be delivered with either a Primary or Backup 

Virtual Digipass: 

2-step Login 

Two login prompts are used to provide an easy-to-use login interface for Users with Virtual Digipass. The first 

prompt is used to request an OTP, the second to enter the received OTP. This can be used with applications which 

support 2-step logins eg. Citrix Web Interface, RADIUS with support for Challenge/Response. 

Two 1-step Logins 

The User must attempt two logins, the first of which will fail but will initiate the sending of an OTP to the User’s 

mobile. This is used when the 2-step login process is not supported - eg. RADIUS without support for 

Challenge/Response, Web HTTP Basic Authentication. 


OTP Request Site 


Alternatively - especially if a more user-friendly option than the previous is needed - Users can go to the OTP 

Request site when they need an OTP sent to their mobile phone, then login normally at the usual login screen. 

2.5.2.6 Request Method and Keyword 

For 2-Step Challenge/Response and Virtual Digipass, the method of requesting a Challenge or OTP respectively 

can be defined in the Policy. The methods for Primary Virtual Digipass and Backup Virtual Digipass are defined 

separately. The request methods are: 

Password - the static password. 

Keyword - a fixed keyword, which can be blank. 

PasswordKeyword - the static password followed by a fixed keyword, with no whitespace or separating 

characters inbetween. 

KeywordPassword - a fixed keyword followed by the static password, with no whitespace or separating 

characters inbetween. 

None - no method, the feature is disabled. 

Note 

If Password is set for the Request Method, and a User's Digipass is still within the Grace Period, 

Identikey Server may process the authentication with the password only and not as a 2-Step 

Challenge/Response or Virtual Digipass login. 

The static password in the request method is compared against the Digipass User account's password value. 

However, if the Digipass User account does not have a password set, the password has to be verified with Back- 

End Authentication. If there is no Back-End Authentication and no password in the Digipass User account, the 

request methods that use a password will not work. 



The methods of requesting these three login processes can be the same. When it recognizes a request, the 

Identikey Server will verify that there is a Digipass capable of that login process. If there is not, it will ignore the 

request. 

For example, say that the request methods for Primary and Backup Virtual Digipass are both defined as keyword 

“otp”. A User has a Go 3 with Backup Virtual Digipass enabled. When they login with the keyword “otp”, the 

Identikey Server will produce a Backup Virtual Digipass OTP, because the User does not have a Primary Virtual 

Digipass. 


2.5.2.7 Multiple Digipass or Digipass Applications 


A Digipass User may have multiple Digipass assigned to their User account, and/or multiple Applications enabled 

for a Digipass. If so, the Identikey Server will need to know which Digipass and Digipass Application will be used 

for a particular login for the User. 

Image 19: Multiple Digipass Assignment 

Once the Policy restrictions on Applications and Digipass Types are taken into account, there may still be more 

than one Digipass Application that could be used. In that case, the Identikey Server will check the OTP with each 

one. Any one of them can validate the OTP. 

A Grace Period may be applied to each Digipass assigned to a Digipass User. Because an applied Policy might 

restrict which Digipass can be used during a login, the Grace Period on each Digipass is independent of other 

Digipass. This means that if a User is assigned two Digipass, each with a Grace Period of seven days, the User 

may log in using one Digipass within the seven-day period (ending the Grace Period for that Digipass) without 

affecting the Grace Period for the other Digipass. 

Example 

The company has set up Policies which require a Response Only login via the local area network, and a Challenge/Response login 

via the internet – limited to certain employees. 

John has two Digipass assigned to him – a DP300 with the Challenge/Response application enabled, and a Go 3 with a Response 

Only application. The Digipass are both assigned on Tuesday. 

John receives his Go 3 on Friday, and immediately uses an OTP to login. His grace period for the Go 3 ends at that time – in future 

he must use the Go 3 when logging into the intranet from the LAN. 



Over the weekend, John needs to access the company intranet from home. Because a Challenge/Response login is required via the 

internet and he does not yet have his DP300, he uses only his User ID and static password to log in. As he is still within the grace 

period for the DP300, the login is valid. 

2.5.3 Authentication without Digipass 

When the Digipass lookup does not return a Digipass record, authentication processing requires a static password 

check to succeed. In addition, Self-Assignment is possible when the Digipass lookup does not return any Digipass. 

2.5.3.1 Static Password Verification 

2.5.3.2 Self-Assignment 

The password is compared against the Digipass User account's password value. If the static password is valid, 

Local Authentication succeeds (but note that Back-End Authentication, if used, can subsequently still cause the 

overall login to fail). 

However, if the Digipass User account does not have a password set, the password has to be verified with Back- 

End Authentication. If there is no Back-End Authentication and no password in the Digipass User account, 

authentication without Digipass cannot work. Similarly, during Dynamic User Registration, where there is no 

Digipass User account yet, the password has to be verified with Back-End Authentication. 



If the Local Authentication setting is Digipass Only, static password verification on its own is not permitted. An 

OTP must be used during login. This is possible using Self-Assignment. 

A User is able to assign a Digipass to their Digipass User account using the Self-Assignment mechanism, when 

permitted by the Policy settings. The Assignment Mode setting must be Self-Assignment. 

In order for Self-Assignment to succeed, the User needs to provide the following: 

A static password, validated by Back-End Authentication. 

The Serial Number of an available Digipass record. 

A valid OTP for the Digipass. 

A new Server PIN, if required. 

The Self-Assignment process is possible during Dynamic User Registration. It is also possible when the Local 

Authentication setting is Digipass Only. 

Response Only 

For a Digipass that supports Response Only, the User needs to enter the following in the password login field, 


depending on whether a Server PIN is needed or not: 

SERIALNUMBERpasswordOTP – where a Server PIN is not required. 

SERIALNUMBERpasswordPINOTP – where a Server PIN is required. 


SERIALNUMBERpasswordOTPnewpinnewpin – where a Server PIN is required and no initial PIN was set. 


For a Digipass that supports only Challenge/Response, this process requires two steps. In the first step, the static 

password and Serial Number are given. This results in a Challenge being returned. If the correct Response is given 

to the Challenge, the Self-Assignment is successful. 

Step 1: SERIALNUMBERpassword 

Step 2: OTP 

Serial Number Format 

The SERIALNUMBER may be entered in one of two formats, depending on the Serial No. Separator Policy setting. 

No separator specified – the full 10 digit Serial Number must be entered, with no dashes (-) or spaces, for 

example 0097123456. 

Separator value specified – the Serial Number can be entered as written on the back of the Digipass, for 

example 9-712345-6. 


2.6 Back-End Authentication 


Back-End Authentication is a term used to describe the process of checking User credentials with another 

system. It is used primarily for: 

Enabling automatic management features such as Dynamic User Registration and Self-Assignment 

Static password verification for Users who do not have a Digipass and for Virtual Digipass 

Retrieval of RADIUS attributes from a RADIUS server 

Password Replacement - allowing the User to log in with just a One Time Password, in an environment where 

the Windows password is required (eg. Outlook Web Access) 

Identikey Server supports Back-End Authentication with the following systems: 

Windows 



Novell e-Directory 

RADIUS 

Custom solution (requires SDK) 

An Identikey Server can authenticate Windows Users via Windows or LDAP Active Directory Back-End 

Authentication. Windows Back-End Authentication should be used where the Identikey Server is installed on a 

Windows machine which is a member server of the Windows domain. LDAP Back-End Authentication may be used 

where the machine on which it is installed is either not a member server of the Windows domain, or running a 

Linux operating system. 

The Back-End Authentication Policy setting indicates whether to perform Back-End Authentication, and if so, 

when to do it. This setting is overridden by the same setting in the Digipass User account, unless that has the value 

Default. However, this setting in the Digipass User account would typically be used only for rare special case Users. 

Using the Windows Group Check in Back-End Mode, this setting can be overridden. If a User is not in the list of 

groups, Back-End Authentication will be performed whether it is enabled or not. 

The Back-End Protocol setting indicates which type of Back-End Authentication is to be used. 

The possible values for the Back-End Authentication setting are as follows: 

None 

The Identikey Server will not utilize Back-End Authentication. 

Always 

The Identikey Server will use Back-End Authentication for every authentication request. This is necessary if you 

require RADIUS attributes for each login. 


If Needed 


Back-End Authentication will only be used in situations where Local Authentication is not sufficient and to support 

certain features: 

Dynamic User Registration 

Self-Assignment 

Password Autolearn (see below) 

Requesting a Challenge or Virtual Digipass OTP, when the Request Method includes a Password 

Static password authentication, when verifying a Virtual Digipass password-OTP combination or during the 

Grace Period 

2.6.2 Stored Static Password 

The Digipass User account has a Stored Static Password field. When Back-End Authentication is used, this field 

can be used: 

To store the static password required for Back-End Authentication. This means that the User does not need to 

type in the static password at each login, they only need enter the OTP. The Identikey Server can retrieve the 

Stored Static Password from the Digipass User account and use it for Back-End Authentication. 

To support Password Replacement. Back-End Authentication is used to learn the static password so that it can 

be replayed to the host system (eg. Outlook Web Access) when a successful OTP is given. 

Two product features are used to support this usage of the Stored Static Password: Stored Password Proxy and 

Password Autolearn. 

2.6.3 Stored Password Proxy 

When the Stored Password Proxy setting is enabled in the Policy, the Identikey Server will retrieve the Stored 

Static Password from the Digipass User account. If Back-End Authentication is required for a login, the Stored 

Static Password will be used. If there is a host system (eg. Outlook Web Access), the Stored Static Password will 

be returned to it, for it to complete its login process. 

However, if the User enters a static password in front of their OTP, the static password they enter will take 

precedence over Stored Static Password. In that case, the Stored Static Password will not be used at all for that 

login. 

When the Stored Password Proxy setting is not enabled in the Policy, the Stored Static Password will not be used 

for Back-End Authentication. If Back-End Authentication is required for a login, the User will have to enter the static 

password. This is done in front of the OTP if an OTP is also used. Similarly, if there is a host system that requires a 

static password to be returned, the User will have to enter the static password. 


2.6.4 Password Autolearn 


When the Password Autolearn feature is enabled in the Policy, the Identikey Server will automatically store the 

static password when it is verified by Back-End Authentication. This can happen at any time from Dynamic User 

Registration onwards. 

If the User's static password has changed in the Back-End Authentication system, they will need to provide the new 

static password during their next login. This is done in front of the OTP if an OTP is used. When the Identikey 

Server sees that the User has entered a static password, if it does not match the Stored Static Password already, 

Back-End Authentication will occur to verify the new password. If it is verified, the Stored Static Password will be 

updated. 

2.6.5 Back-End Server Records 

A Back-End Server record is required for RADIUS and LDAP-based Back-End authentications. It contains 

connection information for the system to be used. Typically, only one Back-End Server record will be required for 

LDAP Back-End Authentication, whereas RADIUS Back-End Authentication will require a record per RADIUS Server 

to be used. 

2.6.5.1 Fail-over Strategy 

Each Back-End Server record is assigned a Priority. This comes into effect when multiple Back-End Servers are 

available, and the Identikey Server must decide which to use for a Back-End Authentication request. It will attempt 

to connect to the Back-End Server with the highest Priority rating. If it is not available after the set No. of Retries, 

the Identikey Server will attempt to connect to the Back-End Server with the next-highest Priority rating. 

If the Identikey Server repeatedly fails to get a response from a Back-End Server, it will ignore it for some minutes 

before trying it again. Therefore, a temporary slow response will not prevent the Identikey Server from using a 

Back-End Server. But a consistent availability problem will cause it to stop using the Back-End Server for a while, 

when it has an alternative. 

2.6.5.2 Domain-Specific Back-End Servers 

Back-End Server records may be configured for use with a specific Domain. This may be useful when multiple 

Back-End servers exist with different groups of User records on each. 

When the Identikey Server has to choose a Back-End Server, it will search for those records in the Domain 

identified by the User ID and Name Resolution process. If any are found, it will only use those Back-End Servers 

for that Domain. If none are found, it will use the Back-End Servers that are not assigned to a Domain. 


2.6.6 RADIUS Back-End Authentication 


Identikey Server can pass RADIUS return attributes from the Back-End server to the client. Back-End Authentication 

is supported with the following protocols: 

PAP 

CHAP 

MS-CHAP 

MS-CHAP2 with MPPE key generation 

Note 

Identikey Server does not provide stand-alone RADIUS attribute support. 

2.6.7 Microsoft Active Directory Back-End Authentication using LDAP protocol 

Note 

For instructions on setting up a Back-End Server record for an Active Directory server, see the 

Administration Web Interface online help. 

When using Microsoft Active Directory with Identikey Server for Back-End Authentication: 

The Domain Controllers must be Windows Server 2003 or higher. 

Microsoft Windows 2000 is not supported 

If the global catalog is set up (via Administration Web Interface -> Back End -> Settings) and no back-end 

components have been defined, domain discovery via the global catalog will be used to search for the User. If 

domain discovery via the global catalog is to be used, Users must be set up in the same Domain on Active 

Directory as they are on Identikey Server 

The Identikey Server must be configured to use the DNS server containing the DNS records of the Active 

Directory server or an entry has to be present in the host file that maps the IP of the Active Directory domain 

controller to the fully qualified domain name of the domain controller. On Linux this has to be configured on 

both the host OS and chroot level. 

Note 

The Active Directory back end may be configured to authenticate Active Directory users via an 

instance of ADAM that has been installed on the domain controller, with the condition that the 

user's Identikey Server domain and Active Directory domain have the same name. The ADAM 


instance will automatically delegate authentication to Active Directory 

The steps in Back-End Authentication for Active Directory are: 


1. Identify the Active Directory Domain Controller using the LDAP Back End Server entries in the data store or 

the Global Catalog. 

Supported User Logon Format for Microsoft Active Directory- 

Userid Format Source of Userid 

UserID SAMAccountName attribute of the user 

MYREALM\userid Fully qualified domain name + SAMAccountName attribute of the user 

userid@mydomain.com SamAccountName attribute of the user + fully qualified domain name 

2. Identikey Server will bind to the directory server that handles the authentication request it will use the UserID 

and the password specified in the authentication request received by the Identikey Server. If the bind 

succeeds, the user authentication is deemed to be successful. If the bind fails, the authentication is deemed 

to have failed. 

Note 

Identikey Server only supports SASL.Digest-MD5 binding as the client authentication mechanism 

for binding with the supported Back-End authentication servers. 

2.6.8 Novell e-Directory Back End Authentication using LDAP protocol 

Note 

For instructions on setting up a Back-End Server record for an e-Directory server, see the 


The version of Novell e-Directory used for LDAP Back-End Authentication on Identikey Server must be version 8.7 

or higher. 

The following rules must be followed to set up Novell e-Directory for LDAP Back-End Authentication on Identikey 

Server: 

If anonymous binding is disabled on the eDirectory server the Security Principal DN has to be an eDirectory 

account that has the necessary permissions to search the directory for the user accounts that have to be 

authenticated. 

Each userid has to be unique below the search Base Distinguished name in the LDAP structure. 



Partitioning is not supported, although exactly the same search Base Distinguished name may be used on 

different servers. 

Novell e-Directory must be enabled with Universal Password. 

Supported User Logon Format for Novell e-Directory- 


UserID Userid of the user 

MYREALM\userid Fully qualified domain name + Userid of the user 

userid@mydomain.com Userid attribute of the user + fully qualified domain name 

The steps in Back-End Authentication for Novell eDirectory are: 

1. Identify the eDirectory server based on the eDirectory Back-End entries in Identikey Server. 

2. Bind to eDirectory using the security principal DN and password defined for the eDirectory back-end if 

principal details specified. 

3. Search eDirectory for the FQDN of the user that has to be authenticated (starting from the Base Search DN). 

4. Try to authenthicate with eDirectory using a bind with the FQDN and password of the user to be 

authenticated 

Note 



Image 20: The steps in Back-End Authentication for Novell eDirectory and ADAM 


2.6.9 ADAM Back End Authentication using LDAP protocol 

Note 


For instructions on setting up a Back-End Server record for an ADAM server, see the 




The following rules must be followed to set up ADAM for LDAP Back-End Authentication on Identikey Server: 

If anonymous binding is disabled the security Principal DN has to be an ADAM account that belongs to the 

READERS role 

Note 

ADAM back end authentication is not available for users in an instance of ADAM that has been 

installed on a Domain Controller or on a machine that is a member of the domain. 

Supported User Logon Format for ADAM- 


UserID Common name of the user 

MYREALM\userid Fully qualified domain name + common name of the user 

userid@mydomain.com Common name attribute of the user + fully qualified domain name 

The steps in Back-End Authentication for ADAM are: 

1. Identify the ADAM server based on the ADAM Back-End entries in Identikey Server. 

2. Bind to ADAM using the security principal DN and password defined for the ADAM back-end if principal 

details specified. 

3. Search ADAM for the FQDN of the user that has to be authenticated (starting from the Base Search DN). 

4. Try to authenthicate with ADAM using a bind with the FQDN and password of the user to be authenticated 

Note 




2.7 Authorization Profiles/Attributes 


A Web Application using SOAP may retrieve authorization data from Digipass User Accounts. For example, a 

lookup key in the web application's database. 

Some IIS Modules utilise User attributes to allow a web site to retrieve authorization information from local 

Windows accounts. 

Individual User attributes may be set for a Digipass User account. The Identikey Server will return these attributes 

to the Web Application during authentication if requested. 

2.7.1 User Attribute Settings 

Attribute Group 

An Attribute Group is specified by the Web Application as a parameter to the authorization request. When multiple 

IIS Modules are in use, the specified Attribute Group ensures that only attributes required by the specific Web 

Application are used. 

Name 

A name for the attribute as expected by the Web Application. 

Usage 

Value 

Basic indicates that the attribute is for use by the IIS 6 Module for Basic Authentication. 

Other options are available for Digipass Plug-In for SBR and are not relevant for Identikey Server. 

The Value set for an attribute will be the required value of the named attribute. 

2.8 Host Code Generation 

If the Web Application requests a Host Code and the Digipass is capable of generating one then Identikey Server 

will generate a Host Code and the application will display it to the User. The User generates a Host Code on their 

Digipass and checks that it is the same as the one on the screen. 

Host Code generation is passed as a parameter in the authentication request. There are two options: 

Optional - only return a Host Code if the Digipass is Host Code capable 

Required - Digipass must be Host Code capable or the request will fail. 


2.9 Supported RADIUS Password Protocols 

The following protocols are supported by Identikey Server: 

PAP 

CHAP 

MS-CHAP with MPPE (Microsoft Point-to-Point Encryption) 

MS-CHAP2 with MPPE 


Some protocols do not support all authentication features of Identikey Server. See 2.10 Unsupported by Identikey 

Server and the Login Permutations section of the Administrator Reference for more information. 


2.10 Unsupported by Identikey Server 

2.10.1 Limitations of RADIUS Password Protocols 


Some features of the Identikey Server are not supported with CHAP or MS-CHAP. These protocols hash login data 

together, making separation of various entries impossible. 

The unsupported features are outlined below: 

Self-Assignment of Digipass cannot be performed. 

The Server PIN cannot be changed. 

Challenge/Response is not supported. 

Windows Back-End Authentication is not supported unless the User ID and Windows password are manually 

stored, and Stored Password Proxy is enabled. 

Password Autolearn is not supported, as clear text passwords cannot be identified. 

The User Self-Management Web Site, when utilized, can circumvent many of these problems by allowing Users to 

manage their account and Digipass. It uses RADIUS with the PAP password protocol. Users can: 

Perform Self-Assignment 

Change their Server PIN 

Change their own Stored Static Password 

2.10.2 Unsupported RADIUS Password Protocols 

MS-CHAP with LM Hash 

The password change mechanism for MS-CHAP and MS-CHAP2 

EAP 

2.10.3 Limitations of International Character Support 

A number of Identikey Server components provide international character support, and some limitations apply: 

Database 

International character support in the database is dependent on the individual database driver. See the Encoding 

and Case Sensitivity topic in the Administrator Reference for more information. 

RADIUS 

International character support in the Identikey Server using the RADIUS protocol is dependent on the RADIUS 

Client(s) being used. If a RADIUS Client uses UTF-8 encoding, international characters will be fully supported. If a 

RADIUS Client uses a localized encoding (eg. ISO-8859-13), the same locale setting must be configured on each 


machine. 

Web 


For the Digipass Pack for OWA Basic Authentication and the Digipass Pack for OWA Forms Authentication, 

international character support is limited to a single configured encoding. See the Guide for the specific Digipass 

Pack for more information. 

DPADMINCMD 

DPADMINCMD supports international characters, but your console window must be able to support the characters 

or they will not display correctly. 

2.10.4 Limitations of Web Basic Authentication 

Some features of the Identikey Server are not supported with the HTTP Basic Authentication mechanism. This 

mechanism does not support a 2-step login process. 

The unsupported features are outlined below: 

Challenge/Response is not supported. 


3 Signature Validation Process 

3.1 Signing a Transaction 

Signature Validation Process 

Identikey Server will allow you to sign transaction data using a Digipass that is set up to generate digital signatures. 

A digital signature is based on transaction details entered into the Digipass. The Digipass uses the transaction 

details and an embedded secret to generate a signature, which is typically entered into a confirmation page to 

proceed with the transaction. This signature will be validated by the server – if it is incorrect the transaction will 

not be permitted to proceed. 

3.2 How Do I Generate a Signature? 

Signature generation will be an application on your Digipass. 

1. Select the Signature application on your Digipass. 

2. Enter the required transaction details. Digipass can be programmed to accept up to eight transaction data 

fields such as: 

transaction amount 

transaction ID 

destination account number 

3. The Digipass will generate a signature and display it on its screen. Enter the generated signature into the 

transaction you are signing and submit the transaction. 

3.2.1 Real Time Signature Validation 

Real Time Signature Validation is signature validation that is performed in real-time, such as through an online 

banking application. 

A typical scenario is where a User creates a transaction, say, paying a bill on a banking website. The transaction 

requires a signature so the User enters the relevant details into their Digipass. The Digipass produces a signature 

and the User enters this into the website and then submits the transaction. The transaction details and signature 

are verified by Identikey Server and a status message is returned straight to the web page the User is on. The 

User knows within the time it takes to process a normal transaction whether or not the transaction they submitted 

has been verified. 


3.2.2 Deferred Signature Validation 


Deferred time Signature Validation is signature validation that is not performed in real time. An example scenario 

may be that a User submits a transaction online with the signature generated by the Digipass. The transaction will 

then enter a queue to be verified. The User receives a message that the transaction has gone into a queue. A 

batch job picks up the transaction and verifies it against the policies and details of the Digipass. The User may not 

know until minutes or hours later that the transaction has been signed and verified. It is important in this case for 

the User to keep a record of the time the transaction was submitted, as this may be important if the transaction is 

challenged. 

3.3 Time based signature 

The signature application may be time based. This means that the Digipass will generate a different signature for 

the same input data at different times. 

The signature validation procedure relies on the time on the Digipass and the time on Identikey Server being 

synchronized to within an acceptable tolerance. Each time a One Time Password or a signature is generated the 

Identikey Server records the difference in times between the Digipass and itself. The time based signature 

validation procedure also uses Time Steps to verify signatures. A Time Step is a setting which specifies the 

number of seconds between generations of a One Time Password on a Digipass. The Identikey Server will use the 

time step and the known difference in time between itself and the Digipass to verify signatures. 

Use the STimeWindow policy setting to set the tolerance allowable for signature verification. 

Time based signatures can be real-time or deferred. If deferred time based signatures are used they may be reverified 

at a later date by comparing the input details against the signature produced by the Digipass, as long as 

the time the transaction was performed is known. 

3.4 Event Based Signature 

The signature application may be event based. This means that it contains a numeric counter that increases every 

time a signature is generated. 

The signature process relies on an event counter to enable each signature to be unique. The Digipass and 

Identikey Server need to have synchronized event counters. The tolerance for the difference between the event 

counters can be set by using the Event Windows policy setting. 

During Real Time Signature Validation the event counter on Identikey Server is updated with the value used by the 

Digipass, to keep the two event counter values synchronized. 

During Deferred Time Signature Validation the event counters for transactions generated on the Digipass may get 

out of step with the event counter held on Identikey Server. Setting the Event Window policy setting will enable 

signed transactions to be processed in any order without causing a verification error. 


3.5 Static Signature 


These signatures are generated using neither time or event counter. They will always produce the same signature 

for the same input. There is no difference between real-time and deferred time with these signatures. 

3.6 Signature Verification Process 

Digital Signatures are verified by Identikey Server using a number of specific checks. 

Image 21: Steps of Signature Verification Process 

3.6.1 Component Checks 

Identikey Server will try to identify the application from which the request for registration came. There must be a 

component record on the data store for that application. A client component record must exist for the Signature 

Verification application and location from which it connects to the server. The component type is set as a 

parameter by the application; the location is the source IP address of the SOAP address. 


3.6.2 Policy Checks 


Identikey Server identifies the policy to use in the signature authentication from the client component record and 

checks the validity of the policy. 

3.6.3 User Account Lookup and Checks 

Identikey Server checks the User Account to : 

Ensure that the User ID and Domain have been defined 

Perform the Windows Group Check if necessary 

Check whether a User Account exists 

Check whether the User account is disabled or locked if it already exists. 

Dynamic User Registration is NOT possible. If the User Account does not exist then the check will fail. 

3.6.4 Signature Validation 

3.6.5 Finalization 

A search is performed for a Digipass that is assigned to the User that fulfils the Signature policy limits. If more 

than one Digipass is found the list is filtered by using the Serial Number for the Digipass, which will have to be 

passed into the signature process as a parameter. Allowance should be made when designing the web page that 

will allow transactions to be signed, to make sure that Users with more than one Digipass can enter a Serial 

Number to identify which one is being used. 

When the correct Digipass is identified the Digipass type is checked. The Digipass type must be either 'SG' 

(Signature) or 'MM' (Multi Mode) to allow signatures. The signature is then verified and a response is produced. 

The relevant parts of the Data Store are updated after the signature validation has been carried out successfully. A 

response is produced. The Audit data is updated with the transactions that took place and the result of those 

transactions. 

If the Web Application requests a Confirmation Code and the Digipass is capable of generating one then Identikey 

Server will generate a Confirmation Code and the application will display it to the User. The User generates a 

Confirmation Code on their Digipass and checks that it is the same as the one on the screen. 

Confirmation Code generation is passed as a parameter in the authentication request. There are two options: 

Optional - only return a Confirmation Code if the Digipass is Confirmation Code capable 

Required - Digipass must be Confirmation Code capable or the request will fail. 


3.7 Policy Settings 


There are specific Policy settings for signature verification. See the Policy Properties topic in the Field Listings 

section of the Administration Reference for information on these settings. 

Event Window - the allowable difference between the Digipass event counter and Identikey Server event 

counter. 

OnlineSG – specifies how signatures will be verified. 

STimeWindow - Shows the acceptable difference in time between the time set on the Digipass and the time 

set on Identikey Server for signatures. The lowest value is 2, the highest is 500. 


4 Software Digipass Provisioning 

4.1 Software Digipass Provisioning Overview 

4.1.1 What is a Software Digipass? 


Software Digipass are software versions of Digipass that provide authentication and signature functions for Javaenabled 

mobile devices and web browsers. They generate a One Time Password or Digital Signature for you in the 

same way as a hardware Digipass. See 1.3 Types of Digipass for more information. 

Each Software Digipass requires: 

Software installed on the client device 

An applet for Digipass for Mobile 

An applet for Digipass for Web 

An applet for DP110 

A unique activation code 

Each Software Digipass will have to be installed on the host device, then activated using an activation code. It can 

then be used to generate One Time Passwords and Digital Signatures. 

4.1.2 Software Digipass Types 

The following types are supported by the Provisioning function in Identikey Server: 

Digipass for Mobile 

The Digipass for Mobile is a Java applet that runs on any Java enabled mobile phone or BlackBerry. You can use it 

to generate a One Time Password or Digital Signature on demand. 

Digipass for Web 

The Digipass for Web is a Java applet that runs on your internet browser using cookies for data storage. You 

must therefore have cookies enabled on your internet browser. Digipass for Web will also generate a One Time 

Password or Digital Signature on demand. 

DP110 

The DP110 is a hybrid Digipass. This means that there is a hardware component, and a software component. A 

Java applet runs on your internet browser, and a USB stick is plugged in to the same machine. These two 

components together will generate a One Time Password on demand. 


4.1.3 What is Provisioning? 


The term 'Provisioning' in Identikey Server refers to delivery, registration, and activation of the software. The three 

steps of provisioning are: 

1. Software Delivery 

You are free to deliver the software in any way you choose. You can either deliver software to Users, or allow 

them to download the software from a secure site. 

The code required for activation of the Software Digipass or DP110 - the Activation Code - may be delivered 

'online' to the Software Digipass application or DP110 that requires it, or it may be delivered 'offline' 

Online delivery 

Online delivery means that the Activation Code is delivered directly to the application that is going to use it. If the 

Activation Code is delivered in this way the User will never see it. This option is available for Digipass for Web, 

DP110, and Digipass for Mobile 2.5. 

Offline Delivery 

Offline delivery means delivering the Activation Code using a mechanism such as email, text message or fax. 

In Digipass for Web the Activation Code will typically be delivered in an email containing a link. The applet reads 

the Activation Code from the link. 

2. User/Digipass Registration 

The Digipass records must be imported from a DPX file before Registration can occur. 

Each Software Digipass User requires a Digipass User account on Identikey Server. The User accounts can either 

be imported into Identikey Server, created individually, or created dynamically during registration if Dynamic User 

Registration is available. 

For Software Digipass to work, a Digipass record needs to be allocated to the User account. This can be done in 

two ways: 

a. Manually by an Administrator using, for example, the Web Administration interface. 

b. Automatically. This is where the Digipass is assigned to the User account during the Registration 

process. This will allocate the first Digipass of the correct type and functional ability that it can to the 

User. In Identikey Server this functionality is known as Auto Assignment. See the Digipass chapter in 

the Product Guide for more details. 

The second step of Registration is to generate an activation code and send it to the User. 

3. Activate Software 

Each Software Digipass needs to be activated before it can be used. This means that Identikey Server is informed 

that all the components are in place for the Software Digipass and you are ready to use it. 

There are two stages to activation: 


a. Delivering the Activation Code to the software 

b. Sending the first One Time Password to the server. 

Image 22: Steps of Provisioning 

4.1.4 Which Server Components implement Provisioning? 


There are two main components and one optional component required to implement Provisioning: 

Web Application - Customer written. 

The Web Application controls the user interaction during Provisioning. The Web Application uses the SOAP SDK to 

communicate with Identikey Server. Refer to the SOAP SDK documentation for more information. 

The Web Application: 

Can make the Software Digipass software available for download 

Has to arrange delivery of the Activation Code to the User 

Sends the first One Time Password to Identikey Server 

Identikey Server 

Identikey Server handles Digipass User accounts and Digipass records. It generates Activation Codes, verifies One 

Time Passwords and stores static passwords. 

Back-End System 

The Back-End System can be used by Identikey Server for Dynamic User Registration and/or static password 

verification. See 2.6 Back-End Authentication for more information. 


4.2 Provisioning Scenarios 


The following scenarios show how Provisioning will work for different Digipass in different situations. Refer to the 

table below for the scenario that best fits your requirements: 

Scenarios User account 

on Identikey 

Server 

Digipass for 

Mobile 1 

Digipass for 

Web 1 

Digipass for 

Web 2 

Digpass for 

Web 3 

User knows 

Static 

Password 

Local Auth Back-End 

Auth 

Provisioning Policy 

Digipass 

Type 

Back-End 

Protocol 

Y Y None None MOB25 - - 

Y Y None None WEB10 - - 

Y Y Digipass Only or 

Digipass/ 

Password 

N Y Digipass Only or 

Digipass/ 

Password 

None WEB10 - - 

Always or If 

Needed 

WEB10 Windows, 

RADIUS, 

LDAP, 

custom 

DP110 1 Y Y None DP110 - - 

DP110 2 N Y None Always DP110 Windows, 

RADIUS, 

LDAP, 

custom 

4.2.1 Digipass for Mobile 

Scenario 1 - Activation codes are encrypted with pre-loaded static password 

Pre-Conditions 

The User account has been created on Identikey Server 

The User knows their static password 

The static password has been imported into Identikey Server 

The provisioning policy has been defined with the following settings 

No Local Authentication (Digipass/Password) 

No Back-End Authentication (None) 

Digipass type 'MOB25' 

Dynamic 

User 

Registration 

Enabled 

Identikey Server Product Guide 74 

-

Image 23: Digipass for Mobile Scenario 1 process 

Procedure 


The User enters their mobile number and their mobile type (Java or BlackBerry) into the Provisioning website. The 

Provisioning webserver sends an Text Message to the mobile number which contains the URL to be used to 

download the DP4Moble applet. The User uses the URL to download the Digipass for Mobile applet, and then 

installs the applet on their mobile phone. The User enters their User ID into the applet, and the applet sends a 



registration request to the webserver, which sends a registration request to Identikey Server. Identikey Server 

assigns the Digipass for Mobile Digipass to the user, generates an encrypted activation code and sends it to the 

Digipass for Mobile applet. 

When the User has the serial number and activation code the second part of the activation can take place. The 

User enters their static password into the Software Digipass to activate it. The One Time Password is then 

generated and submitted to the Provisioning Server and from this server to Identikey Server to complete the 

activation procedure. 

A response will be received on the mobile phone indicating whether the activation has been successful. 

4.2.2 Digipass for Web 

There are three scenarios that can be employed when activating Digipass for Web. They all have different preconditions. 

Which scenario is employed will depend on how Identikey Server is implemented. 

Scenario 1 – Activation codes are encrypted with pre-loaded static passwords 

Pre-conditions. 

User account has been created on Identikey Server 

The User knows their static password 


Provisioning policy defined with the following settings: 

No Local Authentication (None) 

No Back-end Authentication (None) 


Process 

Image 24: Digipass for Web Scenario 1 Process 

Procedure 


The User enters their user ID, email address and PIN on the website. If registration is successful the Digipass for 

Web applet is provided with the serial number of the Digipass that is to be activated and an encrypted activation 

code. Note that the PIN is not sent to the server but is used locally by the Digipass for Web applet. 

The User will have to re-enter their User ID, PIN and password to decrypt the Activation Code and complete 



activation. The applet decrypts the Activation Code, activates itself and sends a One Time Password to the server. 

A response will be received indicating whether the activation has been successful. 

Options 

To make sure that the User changes their static password, extra fields can be added to the second page in this 

scenario. Fields can be added to the input page so that the User can enter a new static password, and then enter 

it again for confirmation. The User needs to do this so that the original password can only be used once, for 

activation. The new password can be used for re-activation. See Reactivation section below. 

Scenario 2 – Pre-Loaded User Accounts and Static Passwords 

Pre-conditions. 

the User account has been created on Identikey Server 

the User knows their static password 


The provisioning policy has been defined with the following settings: 

Process 

Local Authentication (Digipass Only or Digipass/Password) 

No Authentication (None) 


Procedure 

The User enters their user ID, email address, static password and PIN on the registration website. If registration is 

successful the serial number of the Digipass that is to be activated and an activation code are delivered to the 

Digipass for Web applet. 

The User re-enters the User ID and PIN. Digipass for Web generates a One Time Password and then submits this 

with the serial number to the server. Activation then takes place. 


Options 




activation. The new password can be used for re-activation. See Reactivation section below. 


Scenario 3 – Dynamic Registration using Back-End System 

Pre-conditions 

the User account has not been created on Identikey Server 

the User knows their static password for their account in the Back-End system 

The Provisioning policy has been defined with the following settings: 



Local Authentication (Digipass Only or Digipass/Password) 

Back-End Authentication (Always or If Needed) 


Back-End Protocol (Windows, RADIUS, LDAP Back-End authentication, or Custom name) 

Dynamic User Registration EnabledProcess 



Procedure 


The procedure very similar to scenario 2; the User will not see a difference. The difference for the Identikey Server 

is that the Back-End system is used to verify the User Id and Password. If they are OK, and account is created 

automatically in Identikey Server. 

Options 




activation. The new password can be used for re-activation. See 4.6 Reactivation section below. 

4.3 DP110 Provisioning Overview 

4.3.1 Scenario 1 

The DP110 is a hardware/software combination Digipass. It does not require any software to be installed on the 

client side to enable it to run, but it does require the correct policy settings to be provided, followed by activation. 

There are two scenarios that can be employed when activating a DP110. They both have different pre-conditions. 

Which scenario is used will depend on how Identikey Server is implemented. 


User account created 

User knows historical secret 

Historical Secret imported in Identikey Server (as static password) 

Provisioning policy defined with following settings: 

Local Authentication 

NO Back-End authentication 

Digipass type is 'DP110' 


Process 

Image 27: DP110 Scenario 1 

Procedure 


The User opens the browser on his PC, and goes to the registration page of the DP110 provisioning website. The 

DP110 provisioning website generates a challenge which will be used to encrypt the new server PIN. The User 

enters their user ID, static password, new server PIN, confirmation of new server PIN, and DP110 serial number on 

the registration website. The DP110 Applet generates a Challenge Encrypted Static Password (CESPR) using the 

generated challenge and the new server PIN. 


4.3.2 Scenario 2 


On the server side, the CESPR is verified. If verification is successful the DP110 is assigned to the User, and the 

initial PIN is set. The Digipass Grace Period is set according to pre-defined parameters. The activation page is 

returned if the provisioning is successful, or an error message will be returned if the provisioning is not successful. 


User Account NOT created 

User knows historical secret to allow authentication by a legacy back-end system 

Provisioning policy defined with the following settings: 

NO local authentication (None) 

Back-End authentication (Always) 

Digipass type DP110 


Process 

Image 28: DP110 Scenario 2 



Procedure 


The User enters their user ID, static password, challenge, CESPR, and DP110 serial number on the registration 

website. On the server side, the user is authenticated on the Back-End. If the Back-End authentication is 

successful the User is then registered to Identikey Server using Dynamic User Registration. The DP110 is then 

assigned to the User, and the initial PIN is set. The Digipass Grace Period is set according to pre-defined 

parameters. 


4.4 What are the steps in registration of a Software Digipass? 

Image 29: Steps of Software Digipass Registration 

4.4.1 Identify Component 

Identikey Server will try to identify the application from which the request for registration came. A client 


4.4.2 Identify Policy 


component record must exist for the Provisioning application and location from which it connects to the server. 

The component type is set as a parameter by the application; the location is the source IP address of the SOAP 

request. 

Identikey Server identifies the policy to use in the registration from the client component record and checks the 

validity of the policy. The following settings on the policy will not be used as they are not relevant to Provisioning. 

Digipass Assignment Settings 

Challenge Settings 

4.4.3 Digipass User Account Lookup and Checks 

Identikey Server checks the User Account to: 

4.4.4 Local Authentication 

Ensure that the User Account and Domain have been defined 

Perform the Windows Group Check if necessary 

Check whether a User Account exists 

Check whether the User account is disabled or locked if it already exists. 

Local Authentication is an optional step in Software Digipass Registration. If Local Authentication is performed a 

static password MUST be entered. The static password will be verified against the static password held against 

the User Account. If the static password is not verified or no User Account exists or the User Account exists but 

has no password recorded against it, the registration will fail if Back-End Authentication is not enabled. 

If Back-End Authentication is enabled then the Back-End system will verify the password. If the password is 

verified but there is no User Account in Identikey Server, an account will be created. Dynamic User Registration 

must be enabled for this to succeed. 

4.4.5 Back-End Authentication 

The static password will be authenticated by the Back-End system. If the Back-End System does not verify the 

credentials, Registration will fail. 

4.4.6 Digipass Assignment 

The Registration process will perform the following steps: 

Search for an applicable Digipass according to the criteria on the policy associated with the User account that 


is capable of activation. 


If one was not found, Assign the first applicable and available Digipass record to the User Account F 

4.4.7 Activation Code Generation 


The reactivation restrictions are checked. If this is a reactivation and reactivation is allowed, then the User Account 

and the Digipass record already exist in Identikey Server and will be used in the following steps. 

The Activation Code is generated using the first capable application in the Digipass. The Activation Code may be 

encrypted with the User's password if the password was not verified by Local and Back-End authentication. 

In the finalization step the created Users and assignment are confirmed to the Data Store. Records are written to 

the Audit system to record the actions that have taken place, and the results. A response is sent to the User to 

confirm registration or to show an error message if activation failed. 

4.5 What are the steps in activation? 

Image 30: Steps of Software Digipass Activation 

4.5.1 Identify Policy, Component, and Digipass User Account Lookup and Checks 



The activation process performs the same Identify Policy and Digipass User Account Lookup and Checks as the 

registration process, except that the User Account MUST already exist. 

4.5.2 Verify One Time Password 

4.5.3 Activation 


4.6 Reactivation 

The One Time Password is verified against the Digipass record. 

The Digipass is set to ACTIVE in the data store and the grace period will end, if one was set. 

In the Finalization step the activation is confirmed to the Data Store. Records are written to the Audit system to 

record the actions that have taken place, and the results. A response is sent to the User to confirm activation or 

show an error message if activation failed. 

From time to time software Digipass will have to be reactivated. This may occur rarely for Digipass for Mobile, 

such as when the User buys a new mobile phone, or it may occur more often for Digipass for Web, such as when 

the User clears the cookies in their browser 

Reactivation is carried out in the same way as the original activation, but the User account will already exist with a 

capable Digipass assigned. The registration process will use the assigned Digipass to generate the Activation 

Code. 

Configuration Settings can be set up to set the following limits: 

Activation Limit - this will limit the number of activations that can be performed on one Software Digipass. 

Minimum Interval - This sets the minimum time interval between reactivations. 

Maximum Locations - This sets the maximum number of locations a Software Digipass can be activated from, 

such as home, office, laptop. This only applies to Digipass for Web. 

Note 

The activation limits apply to all activation attempts. If an activation fails in the second stage this 

will still count as an activation, and will count against the activation limits. 

These settings are defined in the Scenarios Section of the Identikey Server Configuration 


5 Administration Interfaces 

Administration Interfaces 

The main user interfaces available for administration of Identikey Server are introduced in this section. 

5.1 Data Administration 

Where Identikey Server uses an ODBC database – including the embedded PostgreSQL database – as its data 

store, all data administration can be carried out using the Administration Web Interface. Where Identikey Server 

uses Active Directory as its data store, Digipass User accounts and Digipass records are administered via the 

Active Directory Users and Computers Snap-In, rather than the Administration Web Interface. 

Active Directory Users 

and Computers Snap-In 

Administration Web 

Interface 

ODBC Database - Digipass Users 

Digipass 

Policies 

Clients 

Back End Servers 

Organization 

Reports 

System 

Active Directory Digipass Users 

Digipass 

5.1.1 Administration Web Interface 

Policies 

Clients 


Reports 

System 

The Administration Web Interface is a web-based administration tool. 

Data available for 

administration in the 

Administration Web 

Interface 

ODBC Database Active Directory 

Users 

Digipass 

Policies 

Clients 


Organization 

Reports 

System 

Policies 

Clients 


Reports 

System 


Note 


Only Administrators have access to the Administration Web Interface. If you do not have 

Administrator access you will not be able to use the Administration Web Interface. 

User Accounts 

If Identikey Server uses an ODBC database – including the embedded PostgreSQL database – as its data store, the 

Administration Web Interface can be used for the following tasks: 

Import Digipass User accounts singly or in bulk 

Create Digipass User accounts 

Edit Digipass User accounts 

Disable Digipass User accounts 

Delete Digipass User accounts 

Search for User Accounts 

The Administration Web Interface allows you to search for Digipass User account records in a number of ways: 

Search directly by entering the User ID 

Search for the User that a specific Digipass belongs to by searching for the Digipass and double clicking on the 

User on the Digipass details screen 

You can enter the first few characters of the User ID followed by a wildcard (*). A results list will be provided 

from which you can select the User required. 

Digipass Record Administration 

If Identikey Server uses an ODBC database – including the embedded PostgreSQL database – as its data store, the 

Administration Web Interface can be used for the following tasks: 

Import Digipass either individually or in bulk 

Create Digipass records 

Reset Digipass 

Reset PIN for a Digipass 

Assign Digipass 

Unassign Digipass 

Activate and deactivate applications for Digipass 

Unlock a Digipass 

Search for Digipass Records 

The Administration Web interface allows you to search for Digipass in a number of ways: 


You can search directly for the Digipass by entering the Digipass Serial Number 


You can search for Digipass that belong to a User by searching on the User and then double clicking on the 

Digipass on the User Details Screen 

You can enter the first few numbers of the Digipass Serial Number followed by a wildcard (*). This will provide 

you with a list from which you can select the Digipass you require. 

Policy 

You can search based on the description field of a Digipass record. 

Policy records can be edited, created or deleted using the Administration Web Interface. 

New Policy records can be created using a wizard. 

Client Records 

The Administration Web Interface allow you to create, manage, and delete Client Records. 

Back End Server records 

The Administration Web Interface can be used to edit, create or delete Back End Server Records, and configure 

general Back End authentication settings. 

Domain and Organizational Unit Records 

Use the Administration Web Interface to add, maintain, or delete a Domain or an Organizational Unit. 

Reports 

The Administration Web Interface allows you to run existing reports and to create new reports. See 11 Reporting 

for more details 

System 

The System tab allows you to administer the system. You can add or remove Identikey Servers, administer the 

licence, configure the Identikey Server and manage administrative sessions. 

5.1.1.2 Starting the Administration Web Interface 

Ensure that the web server service (Windows) or daemon (Linux) is running. Open a browser window and type in 

the IP address and port number used by the Administration Web Interface. You will need to log in with an Identikey 

Server administrator account. 


5.1.2 Digipass Extension for Active Directory Users & Computers 


The Digipass Extension for Active Directory Users and Computers allows administration of Digipass User 

accounts and Digipass records within the Active Directory Users and Computers interface. 

Note 

The Digipass Extension for Active Directory Users and Computers is only available where Active 

Directory is utilized as the data store. 

The extension adds context menu options, User property sheet tabs and a property sheet for the Digipass records, 

as outlined below. 

Connection 

No logon screen is presented by the extension - an implicit logon to Active Directory will be carried out using your 

current Windows user context. It will connect to the same Domain Controller as the Active Directory Users and 

Computers connection. 

The extension will make its own LDAP connection to Active Directory. Administration does not take place via the 

Identikey Server. Your administrative permissions will depend on the permissions that your Active Directory user 

account has within Active Directory. 

When do new settings take effect? 

When settings are changed with the extension, the new values may not always take effect immediately. See 2.4 

Active Directory Replication Issues in the Administration Reference Guide for more information. 

5.1.2.2 Context Menu Extensions 

VASCO context menu options are available on the following containers in the tree pane: 

The Users container 

All Organizational Units 

The Digipass-Pool, Digipass-Reserve and Digipass-Configuration containers 

Additional context menu options are available when right-clicking on one or more User records in the result pane: 

5.1.2.3 User Property Sheet Extensions 

Additional tabs are available when viewing the property sheet of a User record: 

The Digipass User Account tab contains extra information about the Digipass User account required by 

Identikey Server. This includes settings such as authentication policy overrides, and the date and time that a 


Digipass User account was created. 


The Digipass Assignment tab contains information on all Digipass assigned to the Digipass User. These 

Digipass can be administered from this tab, including unassignment or enabling Backup Virtual Digipass. 

Digipass may also be assigned to the Digipass User from this tab. 

The Provisioning tab contains features related to the distribution and special administration of software 

Digipass and DP 110. 

5.1.2.4 Digipass Record Administration 

Digipass information may be viewed via the property sheet of its assigned User, or by turning on Advanced 

Features. This allows you – dependent on permissions - to see Digipass records wherever they are located in 

Active Directory (typically in the Digipass-Pool container if unassigned), view properties and use a number of 

context menu actions. 

For more details on these actions, see 7 Digipass. 

The context menu of the Digipass record contains options for bulk management. 

The property sheet for the Digipass record shows full details of the Digipass and all its Applications and enables all 

administration tasks for the record. 

Search for Digipass Records 

The Digipass Extension for Active Directory Users and Computers allows you to search for specific Digipass 

records, or Digipass records meeting set criteria. This functionality can be useful when you have Digipass records 

in various places throughout Active Directory. 

5.1.3 Digipass TCL Command-Line Administration 

Digipass TCL Command-Line Administration allows interactive command-line and scripted administration of 

Digipass related data. It has a number of possible uses: 

Interactive command-line administration 

Scripted administration 

Complex bulk administration tasks 

Reporting on the data in the data store 

It is an extension of the TCL 8.4 scripting language, and administrators will require a basic competence in TCL in 

order to use the command-line utility. See the Digipass TCL Command-Line Administration topic in the 

Administrator Reference for more information. 


5.2 System Administration 

5.2.1 Identikey Server Configuration 


The Identikey Server uses a local XML text file for various configuration settings. This can be administered using a 

graphical user interface referred to as Identikey Server Configuration, or via the Administration Web Interface. 

To run the Identikey Server Configuration tool, go to the install directory and run Identikey Server Configuration. 

When settings are changed with this program, the Identikey Server must be restarted before the new values take 

effect. The program will do this for you when you exit. 

The following groups of settings are configured using Identikey Server Configuration. For more detail, see the 

Administrator Reference, Configuration Settings section. 

Communication Protocols - Set up SOAP, RADIUS, or SEAL protocols 

Scenarios 

5.2.2 Audit Viewer 

5.2.3 Admintool.jar 

Plug-ins - define your Back-End Authentication plug-in engines 

Database Storage - add additional ODBC databases with optional encryption settings 

Auditing - Enable/Disable audit methods 

Replication - Specify Replication settings. 

Use the Audit Viewer to view Audit Messages. Audit messages consist of warnings and errors generated by 

Identikey Server. 

The Admintool.jar tool can be used to configure the Administration Web Interface. It allows: 

Modifications to the list of Identikey Servers which may be administered from the Administration Web Interface 

Configuration of SSL certificates 

5.2.4 Configuration Wizard 

The Configuration Wizard is run initially after installation set-up mode. After installation it can be run in 

maintenance mode. Use it to change IP addresses and modify other configuration settings. See the Administrator 

Reference, Configuration Settings section for more information. 


5.3 What do I need to use? 

5.3.1 Helpdesk 


The administration interface needed depends on the tasks required, and the data store used by Identikey Server. 

If Identikey Server uses an ODBC database as its data store, you will typically use the Administration Web 

Interface. 

If Identikey Server uses Active Directory as its data store, you will typically use the Digipass Extension for Active 

Directory Users and Computers. 

5.3.2 User/Digipass Administrator 

The main tools you will use are: 

Web Administration Interface 

Digipass Extension for Active Directory Users and Computers (AD only) 

Digipass TCL Command Line Administration 

Authentication Server Configuration 

5.3.3 System Administration 

The main tools you will use are: 

Identikey Server Configuration 

Audit Viewer 

Configuration Wizard 


6 Digipass User Accounts 

6.1 Digipass User Account Creation 

A Digipass User account can be created in the following ways: 

6.1.1 Manual Creation 

Use the Administration Web Interface to import Users from a file 

Digipass User Accounts 

Manually create User records using the Create User function on the Administration Web Interface 

Dynamically during processing if Dynamic User Registration is enabled 

A Digipass User Account can be created manually by an administrator using the Administration Web Interface. 

6.1.2 Dynamic User Registration 

When the Identikey Server receives an authentication request for a User without a Digipass User account, it can 

check the credentials with the back-end authenticator (eg. Windows). If the authentication is successful with the 

back-end authenticator, the Identikey Server can create a Digipass User account automatically for the User. This 

process is called Dynamic User Registration (DUR) and can be enabled via the Administration Web Interface. 

This feature is commonly used in conjunction with Auto-Assignment, so that the new account is immediately 

assigned a Digipass. 

Note 

ODBC Database (including embedded database): If the data store is case-sensitive and the 

Identikey Server has not been configured to convert User IDs and Domains to upper or lower 

case, the potential exists for multiple Digipass User accounts to be created for a single User. For 

example, if a User logs in with 'jsmith' on one occasion, and JSmith on another, two Digipass 

User accounts may be created – jsmith and JSmith. 

This can be avoided by: 

Enabling Windows Name Resolution in the Identikey Server Configuration GUI, if the 

underlying user accounts are Windows user accounts. See the ODBC Connection and 

Domains and Organizational Units topics in the Administrator Reference for more information. 

This is highly recommended. 


Digipass User Accounts 

Configuring the Identikey Server to convert all User IDs and domains to upper or lower case. 

See the Encoding and Case-Sensitivity topic in the Administrator Reference for more 

information. 

6.2 Changes to Stored Static Password 

If Stored Password Proxy is enabled, any changes to a User's password on a back-end system need to be 

communicated to the Identikey Server. This can be done using Password Autolearn. 

6.2.1 Password Autolearn 

If Password Autolearn is enabled, a User may directly log in with their new static password in front of their OTP. If 

it does not match the static password stored by the Identikey Server, it can be verified with the back-end 

authenticator. If correct, the Identikey Server will store the new static password for future use and authenticate the 

User. 

6.3 Administration Privileges 

Administration of data in an ODBC database is performed through the Authentication Server to control the 

administrator's access to data. An administrator may be assigned permissions based on: 

Type of permission (eg. Read, Create) 

Type of object (eg. Digipass, Policy) 

The Domain and Organizational Unit in which the administrator account is located will determine their range of 

administration access: 

If the account belongs to an Organizational Unit, the administrator will be able to administer User accounts and 

Digipass belonging to that Organizational Unit. 

If the account does not belong to an Organizational Unit, the administrator will be able to administer all 

Digipass and User accounts in the Domain to which they belong. 

If the account belongs to the Master Domain, the administrator may be able to administer all Digipass and User 

accounts in the database. This depends on the 'Acces Data in All Domains' Privilege, which is only available to 

administrators in the Master Domain. 

See the Administrator Reference for more information. 


7 Digipass 

7.1 Importing Digipass 

Digipass 

Digipass records may be imported into Identikey Server via its Administration Web Interface. Digipass can be 

imported either one at a time, or many can be imported at one time. 

The Digipass that are to be imported must be downloaded to a file in the .dpx format. The Digipass Import Wizard 

guides you through the steps of importing Digipass from the .dpx file. You can specify the applications that will be 

available with the imported Digipass, and whether the imported Digipass will be set as Active or Inactive on 

import. You can also specify if existing Digipass will be updated with the data from the .dpx import file. 

7.2 Assigning Digipass to Users 

Digipass may be assigned to Users in a number of ways, depending on the requirements of your company. For 

example, a company with only a few User accounts may use Manual Assignment. A larger company needing to 

distribute large numbers of Digipass may find it easier to simply distribute the Digipass and require each User to go 

through Self-Assignment. 

Note 

Digipass records must be imported into the data store before being assigned to Users. 


7.2.1 Self-Assignment 

Digipass 

A Digipass may be assigned to a User by their own action. The User must log in and include the serial number, 

static password and One Time Password. This informs the Identikey Server of the assignment, and provided that 

the User enters the details correctly, a link will be made between the Digipass record and the User account. A 

grace period is not used for this method. 

Image 31: Self Assignment Process 


7.2.2 Auto-Assignment 

Digipass 

The Identikey Server can automatically assign an available Digipass when a Digipass User account is created using 

Dynamic User Registration (DUR). The correct Digipass must then be delivered to the User. A grace period is 

typically set, which allows a number of days in which the User may still log in using only their static password. 

Image 32: Auto Assignment Process 

7.2.3 Manual Assignment 

A selected Digipass is manually assigned to a specific Digipass User account. The Digipass must then be sent out 


Digipass 

to the User. A grace period is typically set, during which the User may still log in using only their static password. 

Image 33: Manual Assignment Process 

7.3 Digipass Record Functions 

A number of functions are available to administer Digipass records. These are typically required for maintenance – 

eg. a User has forgotten their Server PIN, or a Digipass has been locked. 

7.3.1 Reset Application 

A Digipass Application may need to be reset if the time difference between it and the server needs to be 

recalculated. This would typically be for time-based Response Only Digipass after a very long period of inactivity. 

The 'reset' widens the allowable time window for the next login, allowing the User to log in and the Identikey Server 


to calculate the current time shift. 

7.3.2 Set Event Counter 

7.3.3 Reset PIN 

Digipass 

If the event count for an event-based application has become unsynchronised between the Digipass and the 

server, this function can be used to set the server event count to the event count on the Digipass. 

If a User’s Server PIN needs to be changed – usually because the User has forgotten it – then it can be reset, and 

the User can create a new Server PIN when they next log in. This may be done when unassigning or re-assigning 

a Digipass. 

7.3.4 Force PIN Change 

7.3.5 Set PIN 

This function can be used when an administrator wants a User to change their Server PIN on their next login. This 

may be desirable as a security measure. 

A User’s Server PIN can be set to a specific value and communicated to the User. 

7.3.6 Unlock Digipass 

If a User incorrectly enters their Digipass PIN into their Digipass a predetermined number of times, the Digipass will 

become locked. Once locked, the assistance of an administrator will be required to unlock it. This function allows 

an administrator to provide the User with an Unlock Code to enter into their Digipass. 

7.3.7 Reset Application Lock 

If a User has attempted to log in with incorrect details too many times, the Digipass Application used may be 

locked, depending on Policy settings. This function can be used to set the record for the Digipass Application to 

the status of unlocked. This differs from User locking, as the User may still log in with a different Digipass. 

7.3.8 Test a Digipass Application 

Use this function to check that a Digipass Application is working as expected. There is also a function to test the 

Backup Virtual Digipass functionality. This works for either One Time Password or Signature. 

7.3.9 Reset Activation 

Use this function to reset the Event Counter, Activation time and Activation location on a Digipass. 


7.4 Digipass Programming 

7.4.1 Digipass PIN 

Digipass 

A Digipass is programmed using a Digipass Programmer and the necessary software. This may be done by your 

company or by your supplier. 

Common settings which may affect your administration tasks are explained below. 

A Digipass PIN may be required for a Digipass. If set, the PIN must be entered into the Digipass before obtaining a 

One Time Password. This means that just possessing the Digipass is not enough to log in to a network – the 

person logging in must also know the Digipass PIN. 

Digipass PIN settings include: 

An Initial PIN can be set for a Digipass. The PIN must then be sent to the User of the Digipass, typically 

separate from the Digipass delivery. 

First Use PIN Modification allows a Digipass to require a PIN change from the User upon first use. 

PIN Change allows a User to change their PIN as desired. 

The PIN Length can be set for a Digipass. 

Digipass Lock sets the number of consecutive faulty PIN entries allowed before the Digipass is locked. 

7.4.2 Time/Event-based Digipass Applications 

Response Only 

Response Only Digipass Applications can be either time-based or event-based: 

Time-based 

A time-based Application will change the OTP to be displayed based on the current time. The common time step 

used is 36 seconds – and means that the OTP to be displayed will change every 36 seconds, whether or not an 

OTP has been requested from the Digipass. 

Event-based 

An event-based Digipass Application will display a new OTP each time a request for an OTP is made. 


Challenge/Response Digipass Applications can be either time-based or non-time-based: 

Time-based 

A time-based Challenge/Response Digipass Application will generate an OTP based on the Challenge given and the 

current time. The common time step used is 9 hours ('slow challenge'). This would mean that if the exact same 

Challenge were given to a Digipass within a 9 hour period, the Digipass Application will generate the same OTP. 


However, Challenges are very rarely repeated within such a time period. 

Non-time-based 

Digipass 

A non-time-based Challenge/Response Digipass Application will generate an OTP based only on the Challenge 

given. 

Signature 

Time-based 

The signature application may be time based. This means that the Digipass will generate a different signature for 

the same input data at different times. 

Event-based 

7.4.3 OTP Length 

The signature application may be event based. This means that it contains a numeric counter that increases every 

time a signature is generated. 

Neither Time- nor Event-based 

These signatures are generated using neither time or event counter. They will always produce the same signature 

for the same input. There is no difference between real-time and deferred time with these signatures. 

The length of the OTP (excluding check digit) generated by the Digipass for Response Only and 

Challenge/Response Digipass Applications. 

Check Digit 

A check digit may be added to each OTP. This is generated from the response and allows for faster invalidation of 

incorrect OTPs. 

7.4.4 Challenge Length 

The length of the Challenge (excluding check digit) which should be expected by the Digipass. This is used by the 

Challenge/Response Digipass Application. 

Check Digit 

A check digit may be expected with each Challenge. This is generated by the server from the Challenge and 

allows the Digipass to reject most invalid Challenges. 

7.4.5 Signature Length 

The length of the Signature generated by the Digipass. 


7.4.6 Signature Data Fields 

Digipass 

These are the data fields that may be provided when signing a transaction. There may be from 1 to 8 fields, each 

with a minimum length of 0 and a maximum length of 16. 

Check Digit 

A check digit is optional. 

7.5 Digipass Record Settings 

These settings are kept in the record for a Digipass Application, and affect which OTP is expected by the Identikey 

Server. 

7.5.1 Time/Event-based Settings 

Time Step Used 

The time step used by the Digipass Application (see Time/Event-based Digipass Applications for more information). 

Last Time Shift 

Time Shift records any misalignments between the time recorded on the Digipass and the time recorded on the 

server, each time a User logs in. This ensures that if either clock drifts from the correct time, an allowance can be 

made by the Identikey Server and the User will still be able to log in. If the time drift goes beyond the allowable 

time window between User logins, the Digipass record will have to be reset (this allows for recalculation of the time 

drift). 

Example 

Time window may be 5 steps in either direction. 

This means that 11 OTPs would be considered valid – the exact OTP for that time, and the OTPs for the 5 time steps either side of 

the exact time. If the OTP given is for a different time step, the time shift for that Digipass will be recorded. The next time the User 

logs in, the expected OTP will be calculated based on that time shift. 

Last Event Value 

The current number of uses of the Digipass Application, according to the Digipass. This can get out of sync with 

the number of uses recorded by the Identikey Server when: 

Login failures occur for other reasons than incorrect OTP 

The Digipass has been used without a login (eg. children have been playing with it) 

The Digipass is being used to log in to two separate systems 


7.5.2 Server PIN 

Digipass 

The purpose of this setting is much the same as the Last Time Shift setting – it allows the Identikey Server to track 

any shifts between the event count recorded by itself and the Digipass. 

The term 'Server PIN' is used to mean a PIN that the user enters into the login password field in front of the OTP 

displayed on the Digipass. It is checked by the authenticating server. The 'Digipass PIN' referred to earlier indicates 

a PIN entered into a keypad on the Digipass. That is checked by the device itself, and is never transmitted to the 

server. 

There are a number of Server settings regulating Server PINs: 

PIN Supported 

Whether a PIN must be included in a User's login. 

PIN Change On 

Is a User allowed to change their Server PIN for this Digipass? 

Force PIN Change 

Must the User change their Server PIN the next time they log in? 

PIN Length 

The length of the current Server PIN. 

PIN Minimum Length 

The minimum PIN length required by the Server. 

7.5.3 Backup Virtual Digipass 

Policy and Digipass settings 

Several settings dictate how a User may utilize the Backup Virtual Digipass feature. These settings are: 

Enable or disable Backup Virtual Digipass and enable method (eg. Required). 

Time limit/expiry (applies to Time Limited enable only) 

Maximum number of times a User may make use of the Backup Virtual Digipass. 

The above settings may be set both at the Policy level and at the Digipass record level. Individual settings override 

Policy settings for an individual Digipass, but some Policy settings (see below) may be used to automatically set 

Digipass settings which are blank when the Backup Virtual Digipass is first utilized by the User. 


Time Limit and Max. Uses/User 

Policy Setting Digipass Setting 

Time Limit Enabled Until 

Max. Uses/User Uses Remaining 

Table 1: Backup Virtual Digipass Policy/Digipass Settings 

Digipass 

If Backup Virtual Digipass is enabled for a Digipass and set to Time Limited, and the Enabled Until field in the 

Digipass property sheet is blank on their first use of the Backup Virtual Digipass, their time limit will begin on their 

first use of the feature. The expiry date (today’s date + Time Limit) will then be displayed in the Enabled Until 

field. 

If a Max. Uses/User is set for the relevant Policy and a Digipass record's Uses Remaining field in their User 

property sheet is blank on their first use of the Backup Virtual Digipass, a number (Max Uses/User) will be 

automatically entered into their Uses Remaining field and immediately decremented by 1. 

Note 

If a User has Backup Virtual Digipass enabled with Enabled Until date set and their Uses 

Remaining has been set (automatically or manually), whichever of these expires first will disable 

Backup Virtual Digipass for the User. 

eg. Backup Virtual Digipass is enabled for a User as Time Limited, and the server Time Limit 

setting is 3 days. The Max. Uses/User Policy setting is 5. When the User first makes use of 

the Backup Virtual Digipass, their Enabled Until is set to a date 3 days hence and their Uses 

Remaining to 4. During the next 48 hours, they log in 4 more times. Although the User’s time 

limit does not run out for another 24 hours, their Uses Remaining is now 0 and Backup Virtual 

Digipass is disabled. 


7.6 Virtual Digipass Implementation Considerations 

7.6.1 Digipass Assignment Options 

7.6.2 Cost 

7.6.3 Security 

Digipass 

With the introduction of Virtual Digipass, there are several different assignment combinations that can be used. 

The first option in the table below does not utilize Virtual Digipass. The others include a Virtual Digipass in either a 

backup or primary mode. 

Primary Backup 

Digipass None User must log in using a Digipass. 

Digipass Backup Virtual Digipass User usually logs in using a Digipass, but may utilize the Backup 

Virtual Digipass feature where required. Usage of the feature may 

be limited. 

Digipass (temporarily 

disallowed) 

Backup Virtual Digipass User must log in using the Backup Virtual Digipass feature. This 

might be used while a User’s Digipass is lost, until the Digipass is 

recovered. 

Primary Virtual Digipass N/A User is assigned a Virtual Digipass and must log in using it. 

Table 2: Digipass Options 

7.6.4 Convenience 

Your company will probably need to pay an amount for each text message sent. In some countries, mobile phone 

owners might need to pay an amount for each text message received on their mobile phone. This will need to be 

taken into consideration when deciding how to implement Virtual Digipass functionality. 

Hardware Digipass devices provide the highest level of security. Virtual Digipass provides a lower, although still 

high, level of security. This needs to be weighed against other considerations before deciding whether your 

company will implement Virtual Digipass, and if so, how it will be implemented. 

Virtual Digipass is more convenient than a hardware Digipass for many Users. Only one’s usual mobile phone is 

required: there are no extra devices to carry around. Users who do not habitually carry their mobile phone with 

them, though, are likely to find a GO 3 or GO 1 easier to transport. 

For Users with the Backup Virtual Digipass enabled, it might be the difference between going to work to pick up a 

forgotten Digipass and getting important work done at home. 


7.6.5 Gateway and account 

Digipass 

Your company will need the use of an text message gateway and an account with the gateway. The Message 

Delivery Component will need configuration information for the gateway and the Username and password for the 

account. Your VASCO supplier can assist with this process. 

7.6.6 Limiting Usage of Virtual Digipass 

Use of Virtual Digipass may be limited by: 

Using Backup Virtual Digipass only. 

Minimizing the number of Users assigned a Primary Virtual Digipass. 

A User’s Primary Virtual Digipass use cannot be limited. 

The Backup Virtual Digipass feature may be enabled as an ‘emergency’ backup for Users who have left their 

primary Digipass at home, or for other reasons do not have access to their primary Digipass. Use of this feature 

can be limited for each Digipass by: 

Time period 

Set a time period in which a User may access the Backup Virtual Digipass. After this period has expired, any 

Virtual Digipass requests from the User will be rejected. If the User is still unable to use their Digipass, the time 

period must then be extended by an administrator. Once they have started using their Digipass again, the 

administrator must reset the time period if the User is to be allowed to use Backup Virtual Digipass again. 

Number of Uses 

Set a maximum number of times a User may request an OTP using the Backup Virtual Digipass feature. When the 

User has reached this number of uses, any further OTP requests from the User will be rejected. This must be reset 

by an administrator if further use of the Backup Virtual Digipass is required for the User. 

Global and Individual Backup Virtual Digipass settings 

Backup Virtual Digipass options can be set globally or individually, to allow a standard policy for all Digipass with 

exceptions made where necessary. Global settings will affect all Digipass whose individual option is set to 

'Default'. 

Global options are defined in the Policy that controls authentication. Therefore, by using multiple Policies, you have 

some additional flexibility. 

7.6.6.2 Backup Virtual Digipass Usage Guidelines 

Some questions which will need to be answered before arriving at a Backup Virtual Digipass usage guidelines are: 

Will any users have access to Backup Virtual Digipass? 

If so, will all users have access to Backup Virtual Digipass? 


Will usage of Backup Virtual Digipass be limited? If so, how? 

Time-limited? 

Limited number of uses? 

Some Possible Guidelines 

Guideline Pro Con 

Backup Virtual Digipass disabled for all - 

enabled for individual Users as required. 

Backup Virtual Digipass enabled for all - 

either time/number of usage limit set. 

Backup Virtual Digipass enabled for all - 

no limits set. 

Table 3: Backup Virtual Digipass Example Guidelines 

7.6.7 Resetting Virtual Digipass Restrictions 

Low text message costs Manual enable for each User and 

circumstance. Possible heavy 

administration load. 

Digipass 

Predictable text message costs Administrator may need to reset limits 

frequently – medium administration 

load. 

Lighter administration load Possible high text message costs. 

When a User has reached their limit of Virtual Digipass use, an administrator must reset their limit. 

7.6.8 Virtual Digipass Login options 

A decision must be made as to how Users will log in using Virtual Digipass. In particular, Users with a hardware 

Digipass and the Backup Virtual Digipass enabled must be able to request an OTP to be sent to their mobile when 

required, but to login using the hardware Digipass at other times. 

The simplest method for the User is to allow a 2-step login process, where the User enters their User ID and 

password only, triggering an OTP Request, and are redirected to a second login page to enter the OTP sent to 

them. To use this method, though, your system must be set up to allow 2-step logins. Check with your system 

administrator if unsure. 

Alternatives to the 2-step login are a sequence of two 1-step logins or the use of a specific web page to request an 

OTP, separate from the login page screen. 

See the Administrator Reference for information on possible login permutation. 


8 Client Components 

8.1 Component Types 

8.1.1 SOAP Client Programs 

Client Components 

SOAP client programs will not be called 'SOAP clients' . The program itself specifies the type, as a parameter to 

each request. A client component record must exist for this type at the location (IP address) where the application 

runs. The policy in the component record will be used for all processing of requests from this client. 

8.1.2 Administration Program 

8.1.3 RADIUS Client 

Creating a Component record for a VASCO administration program - either the Web Administration Interface or the 

Audit Viewer - allows a Policy to be set for connections from that program. 

A Component record MUST exist for each Web Administration Interface or any other administration program 

using SOAP. 

For the Identikey Server SEAL interface for TCL and the Audit Viewer, SEAL Require administration client 

component registration configuration setting determines whether an Administration Program component must 

be provided or not. 

A RADIUS Client Component record is required when clients will be sending authentication requests to the 

Identikey Server using the RADIUS protocol. The Identikey Server will check the Component record to find: 

The Shared Secret to use in communicating with the RADIUS Client. 

The Policy to apply to the authentication request. 

A default RADIUS Client Component record is automatically created during installation of Identikey Server. This can 

be deleted and specific records created for each location. 

Note 

The default RADIUS Client created during installation will be given a Shared Secret of default. 


8.1.4 IIS Module 

Client Components 

A Component record is required for any IIS Modules used with Identikey Server. The Component record will be 

checked whenever the IIS Module sends an authentication request to the Identikey Server. The Identikey Server 

will check: 

That the Component record contains a valid License Key for a Client module 

Which Policy to apply to the authentication request 

The following client types fall under this category: 

Citrix Web Interface 

Outlook Web Interface 

IIS 6 Module 


9 Server Components 

9.1 Server Component 

Server Components 

A Server Component record holds the License Key for a specific Identikey Server. This Component record will be 

checked when the Identikey Server is started. The Identikey Server will check for: 

License Key. If the License Key is missing, invalid or expired, all authentication except for administration logons 

will be refused. The following items need to be supported in the Licence Key: 

RADIUS 

SOAP 

Authentication scenario 

Signature Validation scenario 

Provisioning scenario 

The Policy to use for SEAL administration logins. If an ODBC database (including the embedded PostgreSQL 

database) is used as the data store, the Policy will be applied to all administration logins (including live audit 

connections) for which an Administration Program Component record is not found. 

A Server Component record is automatically created for each Identikey Server as it is installed. 


10 Policies 

10.1 Policy Inheritance 

Policies 

Policies may be set up in a hierarchy, where one Policy will inherit most of its attributes from a parent Policy, but 

with some modifications for a slightly different scenario. 

Image 34: Policy Inheritance 


Policies 

In the example above, all attributes are inherited from the parent Policy. The attributes shown in the child policies 

above are explicitly set, which make the policy different from the parent policy. The explicitly set attributes in the 

child policies override those of the parent policies. 

10.1.1 Show Effective Settings 

As the various levels of settings in Policy inheritance can get confusing, functionality is available which allows you 

to view the settings effective for a selected Policy, taking inherited settings into account. The text below shows the 

effective settings for the Identikey Server RADIUS Self-Assignment Policy: 

Effective Policy Settings 

[Local/Back-End Authentication] 

Local Authentication : Digipass/Password 

Back-End Authentication : Always 

Back-End Protocol : RADIUS 

User Accounts] 

Dynamic User Registration : Yes 

Password Autolearn : Yes 

Stored Password Proxy : Yes 

Default Domain: (none) 

User Lock Threshold : 3 

[Windows Group Check] 

Group Check Option : No Check 

Group List: (none) 

[Digipass Assignment] 

Assignment Mode : Self-Assignment 

Grace Period (days) : 0 

Serial No. Separator : | 

Search up Organizational Unit Hierarchy : Yes 

[Digipass Settings] 

Application Names 

Application Type : No Restriction 

Digipass Types 

PIN Changed Allowed : Yes 

[1-Step Challenge Response] 

Enabled : No 

Challenge Length : 0 

Challenge Check Digit : No 

[2-Step Challenge Response] 

Request Method : Keyword 

Request Keyword 

[Primary Virtual Digipass] 

Request Method : Password 

Request Keyword 

[Backup Virtual Digipass] 

Enabled : No 

Maximum Days : 0 

Maximum Uses : 0 

Request Method : KeywordPassword 

Request Keyword : otp 

[Digipass Control Parameters] 

Identification Time Window : 20 


Policies 

Signature Time Window:24 

Event Window : 20 

Initial Time Window : 6 

Identification Threshold : 0 

SignatureThreshold : 0 

Check Challenge Flag : 1 

Level of Online Signature : 0 

Allowed Inactive Days : 0 

You will note that the settings listed above include those set in Policies from which the Identikey Server RADIUS 

Self-Assignment Policy inherits. 


10.2 Pre-Loaded Policies 

Policies 

These Policies are created for the Identikey Server on installation of the Identikey Server. They provide an example 

for setting up Policies in a typical environment. 

Table 4: Pre-Loaded Policies 

Policy Name Parent Policy Description Non-Default Settings 

Base Policy - Globally applicable settings. In 

general, all other Policies should 

inherit from this, directly or 

indirectly. 

Identikey Administration 

Logon 

Base Policy Settings for an administration 

logon including Audit Viewer live 

connection. Separated from the 

main authentication policies to 

avoid accidental interference. 

Locking is off to reduce the 

chance of a lock-out. 

User Lock Threshold=3 

PIN Change Allowed=Yes 

Challenge Request Method=Keyword 

Primary VDP Request 

Method=Password 

Backup VDP Request 

Method=KeywordPassword 

Backup VDP Request Keyword=otp 

Identification Time Window=20 

Check Challenge Mode=1 

Event Window=20 

Sync Window=6 

Online Signature Level= 0 

Identification Threshold=0 

Local Authentication=None 

Back-End Authentication=None 

DUR=No 

Password Autolearn=No 

Stored Password Proxy=No 

Group Check Mode=No Check 

Assignment Mode=Neither 

Search Up OU Path=No 

Application Types=No Restriction 

1-Step Challenge/Response=No 

1-Step Challenge Check Digit=No 

Backup VDP Enabled=No 

Local 

Authentication=Digipass/Password 

User Lock Threshold=0 



Identikey Local 

Authentication 

Identikey Windows 

Password Replacement 

Identikey Microsoft AD 


Identikey Novell e- 

Directory Password 

Replacement 

Identikey Microsoft 

ADAM Password 

Replacement 


Auto-Assignment 


Auto Assignment 

Base Policy Settings applicable to all Identikey 

Server authentication Policies, 

including local authentication. In 

general, all other Identikey Server 

Policies using local authentication 

should inherit from this, directly or 

indirectly. 










Password 

Replacement 



Identikey Server model for 

password replacement and 

Dynamic User Registration, using 

Windows back-end authentication 

and a Windows group check. 


password replacement for 



password replacement for Novell 

e-Directory 

Identiky Server model for 

password replacement for 


Identikey Server model for Auto- 

Assignment based on the 

Windows password replacement 

model. 

Identikey Server model for Auto 

Assignment for Microsoft Active 

Directory 

Local 

Authentication=Digipass/Password 

Back-End Authentication=Always 

Back-End Protocol=Windows 

DUR=Yes 

Assignment Mode=Neither 

Group Check Mode=Pass Back 

Group List=Digipass Users 

Password Autolearn=Yes 

Stored Password Proxy=Yes 

Local Auth=Default 

Backend Auth=Always 

Backend Protocol=Microsoft AD 

DUR=Yes 



Policies 



Backend Protocol=Novell e-Directory 

DUR=Yes 





Backend Protocol=Microsoft ADAM 



Assignment Mode=Auto-Assignment 

Search Up OU Path=Yes 

Grace Period=7 


Backend Auth=If Needed 

Backend Protocol=Microsoft AD 

Assignment Mode=Auto-Assignment 

Search-Up-OU-Path=Yes 




ADAM Auto Assignment 

Identikey Windows Self- 

Assignment 


Self Assignment 


ADAM Self Assignment 


Directory Self 

Assignment 

Identikey RADIUS 


Identikey RADIUS Auto- 

Assignment 

Identikey RADIUS Self- 

Assignment 

Identikey Back-End 



ADAM Password 

Replacement 


Password 

Replacement 


AD Password 

Replacement 


ADAM Password 

Replacement 


Directory Password 

Replacement 







Identikey Server model for Auto 

Assignment for Microsoft ADAM 

Identikey Server model for Self- 

Assignment based on the 

Windows password replacement 

model. 


Assignment for AD Password 

Replacement 


Assignment for ADAM Password 

Replacement 

Identikey Server model for selfassignment 

for Novell e-Directory 


password replacement and 

Dynamic User Registration using a 

RADIUS server for back-end 

authentication. 

Identikey Server model for Auto- 

Assignment based on the RADIUS 

password replacement model. 


Assignment based on the RADIUS 

password replacement model. 

Base Policy Identikey Server model for only 

Back-End Authentication. Change 

the back-End Protocol to the one 

required. 

Policies 

Local Auth = Default 

Backend Auth = If Needed 

Backend Protocol = Microsoft ADAM 

Assignment Mode = Auto-Assignment 

Search-Up-OU-Path = Yes 

Assignment Mode=Self-Assignment 


Self Assignment Separator=| 


Backend Auth = Always 

Backend Protocol = Microsoft AD 

Assignment Mode = Self-Assignment 



Backend Auth = If Needed 

Backend Protocol = Microsoft ADAM 




Backend Auth = Always 

Backend Protocol = Novell e-Directory 



Backend Authentication=Always 

Backend Protocol=RADIUS 



Grace Period=7 





Self Assignment Separator=| 

Backend Protocol=RADIUS 

Backend Authentication=Always 



Identikey DP110 

Provisioning 1 

Identikey DP110 


Identikey DP4Mobile 

Register 

Identikey DP4Web 






Identikey Deferred Time 

signature Verfication 

Identikey Real-Time 

signature verfication 1 





Base Policy Identikey Digipass for Web 

Provisioning model scenario 1 - 

Activation codes are encrypted 

with pre-loaded static passwords. 

Base Policy Identikey DP110 Provisioning 

model scenario 2 - Dynamic 

Registration using Back-End 

System. Change the Back-End 

Protocol to the one required. 

Base Policy Identikey Digipass for Mobile 

Register - pre-loaded User 

accounts and static passwords. 



Activation codes are encrypted 

with pre-loaded static passwords. 



pre-loaded User accounts and 

static passwords. 



Dynamic Registration using Back- 

End System. Change the Back-End 

Protocol to the one required. 

Base Policy Deferred time signature 

verification settings: Time based. 

Base Policy Real-time signature verification 

settings: Time-based, several 

signatures are allowed in the same 

timestep but 2 identical 

successive signatures will be 

rejected. 

Base Policy Real-time signature verification 

settings: Time-based, one 

signature allowed per timestep. 

Base Policy Deferred time signature 

verification settings: Event based, 

off-line mode. 

Policies 

Local Auth = Digipass/Password 

1-Step Challenge/Response=Yes-Any 

challenge 


Back-End Authentication = Always 

1-Step Challenge/Response=Yes – Any 

challenge 

Online Signature Level = 1 Multiple 

Signatures allowed in same Time Step 



DUR=Yes 

Signature Time Window = 24 

Online signature level = 1 - Multiple 

Signatures allowed in same Time Step 

Online signature level = 2 - Only 1 

Signature/Time Step allowed 

Signature Time Window = 24 


11 Reporting 

11.1 Reporting Overview 

Image 35: Reporting Structure 

Reporting 

The Identikey Server Reporting facility allows you to create reports from the Identikey Server database information, 

and from the Audit information. 

The main uses for reports are: 

Troubleshooting 

User Troubleshooting – administrators can generate reports to enable them to troubleshoot authentication 

failures for specific users. 

System Troubleshooting – system administrators can generate Identikey Server reports to analyse and 

solve system problems 

System Audits 

System administrators can generate reports to carry out audits of Digipass or administrator actions. 

Security Audits 


System administrators can generate reports to analyse suspicious activity. 

Accounting 

Reports can be generated to count the number of authentication requests per user or organizational unit. 

Reporting 

A number of standard reports are available, but if the report you require is not among them you can create your 

own (custom) report. 

11.2 Report Definition 

Reports are made up of the following elements: 

Report Type 

Data Store 

Grouping Level 

Query 

11.2.1 Report Type 

Formatting Template 

These elements combine to produce a report. They are present for standard reports, and you can select properties 

from each of these elements to create a custom report. 

There are four report types. All reports are based on these report types. 

List Analysis Report 

Detailed Analysis Report 

Distribution Analysis Report 

Trend Analysis Report. 

The List Analysis Report lists all items that match the criteria specified in the report definition. For example, a list 

of users with no Digipass assigned. 

The Detailed Analysis Report shows detail of the events specified in the report definition. For example, a detailed 

list of failed authentications for a User. 

The Distribution Analysis Report will show counts of events and objects. For example, the number of failed 

authentications for a domain. 

The Trend Analysis Report shows a trend over a period of time for a the objects specified in the report definition. 

For Trend Analysis Reports there is an extra parameter. The period of time for which the data needs to be 

extracted must be specified. The choice is: 

Hour 

Day 


Month 

Year 

11.2.2 Data Source 

11.2.3 Grouping Level 

Reporting 

Each report, whether standard or custom, will be based on these report types. Each report type retrieves its 

information from either the audit data, the Data Store, or from both sources. 

Each report is generated from data existing on Identikey Server. The choices for Data Source are as follows: 

Users. This will generate the report based on the User information from the Identikey Server Data Store. 

Users + Audit Data. This will generate the report based on the User information mentioned above, and the 

Audit Data from Identikey Server. 

Digipass. This will generate the report based on the Digipass information from the Identikey Server Data Store. 

Digipass + Audit Data. This will generate the report based on the Digipass information mentioned above, and 

the Audit Data from Identikey Server. 

Audit Data only. This will generate the report based on the Audit data only. 

The Grouping Level specifies how the data in the report will be grouped. The Grouping Level choices are: 

Client 

Domain 

Organizational Unit 

User 

Digipass 

If a Detail or List report is set at Grouping Level of User, each user will be represented individually. If a Detail or 

List report is set at Grouping Level of Organizational Unit, the data for all the Users in that Organizational Unit will 

be added together and represented only once under the Organizational Unit. 

In the example below, the Grouping Level has been set to User, because each User has an individual row on the 

report. 


11.2.4 Query 

Image 36: Report Grouping 

Reporting 

The Query specifies the search criteria that are used when the data is extracted from the Data Store or Audit Data. 

For example, to generate a report for a specific Audit message, such as 'Authentication' or 'DP4WEB', you can 

specify in your Query that Audit Message = 'Authentication'. Then you will only receive information on 

'Authentication' Audit Messages in your report. 

It is possible to add further query criteria just for one run of a report. 

Queries can be simple, as the query above, or they can be a combination of criteria, such as Audit Message = 

'Authentication', User Name = 'User5'. 


11.2.5 Formatting Templates 

Reporting 

Report data is always generated into XML, then an XSLT transformation is applied to give the output. The XSLT 

transformation requires a formatting template. Each report definition requires at least one template so that it can 

be produced in the format required. Each report definition can have more than one Formatting Template. The 

template to be used can be selected when running the report. 

11.3 Standard Reports 

The Identikey Server reporting package will come with standard reports. Standard reports are provided for the most 

common administration tasks. 

The standard reports can be grouped by their use: 

Reports produced by the Helpdesk to help with troubleshooting functional problems 

Detailed authentication report 

User authentication history report 

Detailed Digipass registration report 

Detailed activity summary report 

Detailed Signature Validation report 

Detailed Provisioning report 

Signature Validation history report 

Reports produced by System administrators to help with troubleshooting system problems 

Failed Operations summary report 

Succeeded Operations summary report 

Reports produced by Administrators for Accounting information 

Authentication activity by user report 

Authentication activity by client report 

Provisioning activity by user report 

Provisioning activity by client report 

Transaction Signing Activity by User Application report 

Transaction Signing Activity by Client report 

Reports produced by Administrators for System auditing information 

Administration activity summary report 

Digipass availability by type report 

Digipass deployment trend report 

Digipass deployment by type report 


11.4 Custom Reports 

Authentication trend report 

Transaction Signing Activity Trend 

Provisioning activity trend report 

Account lock trend report 

Digipass assignment activity summary report 

Reporting 

If there is not a standard report that meets your requirements, you can create a custom report using the Report 

Definition Wizard on the Identikey Server Web Administration application. 

A custom report can be created based on one of the available report types. Variables such as the subject of the 

report, and selection criteria can be specified to create the report you require. 

11.5 Report Generation Process 

Report generation relies on a number of components. An SQL query must be defined to retrieve the data that is 

required for the report. A report type must be selected from the list available. The result of the SQL query and the 

report type are then combined into an XML report. The XML report and the report format template are combined 

to produce the finished report in the required format. 

Image 37: Report Generation Process 


11.6 Report Usage and Change Permissions 

Reporting 

Each report definition has an owner. The owner is usually the Administrator that created the report, but ownership 

can be transferred to another Administrator in the same Domain. 

Permissions are associated with each report that control: 

Who can run the report. Use can be restricted to the report owner, or it can be granted to other 

administrators. 

Who can change the report definitions. The ability to change the report format and details can be restricted to 

the report owner, or it can be granted to other administrators. 

Who can view the report. 

11.6.1 Usage permissions 

There are three types of usage permissions: 

11.6.2 Change Permissions 

Private – only the owner can view and run the report. 

Public – all administrators in all domains can view and run the report. 

Domain – the report can be run and viewed only by administrators that belong to the domain where the report 

was defined. 

There are three types of change permissions: 

Private – only the owner can change the report. 

Public – all administrators in all domains can change the report. 

Domain – the report can be changed only by administrators that belong to the domain where the report was 

defined. 

11.6.3 Permissions for standard reports 

The standard reports have 'private' permissions relating to changing the reports, and 'public' permissions relating 

to running and viewing the reports. 


11.7 Making Data Available to Reports 

Reporting 

When you are using data to create reports it makes sense to consider the way in which your data is stored and 

archived. The reports you can run use the audit data and the Data Store. 

An issue arises when you have more than one Identikey Server in your system. Audit messages can be stored on 

a database or in local text files. The database storage option can be local or centralised; text files are local. A 

report can only be run on one source of audit data, so if there is more than one Identikey Server you have the 

following options to enable reports to run on all the audit data: 

Online Centralized Database. 

Have a centralized Audit database. All Identikey Servers write to this database all the time. All reports can be run 

against this database all the time. If the centralized database is used it must be configured to be fast enough and 

big enough to cope with the load of Audit data. 

Offline Centralized Database 

Write the Audit data locally but periodically load the local data to a centralized Audit database. Each Identikey 

Server must be configured to read the Audit data from the centralized database. Reports will only contain data up 

to the last load to the centralized Audit Database. 

Offline Centralized Database with Reporting Server 

Write the Audit data locally but periodically load the local data to a centralized Audit database. Each Identikey 

Server must be configured to read the Audit data from the local Audit data source. A reporting server can be 

installed that is configured to read its data from the centralized Audit database. 

Reports that need to use up to the minute data can be run on the server that retrieves its data locally. An example 

of this would be a user activity report for troubleshooting. 

Reports that need to use global data can be run on the reporting server. Reports will only contain data up to the 

last load to the centralized Audit Database. 

No Centralized Audit Data 

Configure each Identikey Server to retrieve Audit report data locally. 

An option to Upload Audit Data is available in the Configuration Wizard. This will allow you to configure Identikey 

Server to upload local Audit Data to a centralized Audit Database. 

11.7.2 Archiving Strategy 

If you are running reports that will require data which is spread out over a long period of time, the reports will take 

a long time to run as the volume of data gets bigger. The best way of dealing with this growth is to archive the 

data. It is best to develop a good archiving strategy when your system is being implemented. Consider the kind of 

data you will want to report on, and the length of time you would like data to be available before being archived. 

Remember, archived data cannot be reported upon. 


12 Identikey Data Store 

12.1 Active Directory 

12.1.1 What is Stored in Active Directory? 

The following information is stored in Active Directory: 

Digipass User accounts 

12.1.2 Schema Extensions 

Digipass and Digipass Application records 

Identikey Data Store 

Digipass configuration records (Policies, Components, Back-End Servers, Reports and Report Formats) 

Identikey Server Configuration information 

User attributes – vasco-UserExt class 

Extra VASCO attributes are added to an Active Directory User record via an 'auxiliary class' vasco-UserExt on the 

User class. 


The vasco-DPToken class is used to store Digipass attributes. It is also a container, in which vasco-DPApplication 

records for that Digipass are stored. 

Upon assignment to a User, the Digipass record is stored in the same location as the User. 

Policies, Components and Back-End Servers 

Policy, Component, Back-End Server, Report and Report Format records are stored in vasco-Policy, vasco- 

Component, vasco-BackEndServer, vasco-Report and vasco-ReportFormat objects respectively. They are located in 

a single “Digipass-Configuration” container in a single Domain. 

12.1.3 Digipass Records 

12.1.3.1 Location of Digipass Records 

When a Digipass is assigned to a User, it is moved to the same location as the Digipass User account it is assigned 

to. This makes it easier to set up the permissions necessary for delegated administration. 


Note 


A Digipass record will not automatically be moved when the User account to which it is assigned 

is moved to another location. When moving User accounts within Active Directory, ensure that 

the records of any assigned Digipass are manually moved to the same location. 

Unassigned Digipass records may be stored in various places in the data store: 

Digipass Pool 

A container called Digipass-Pool is created during installation. This is intended as a general store for unassigned 

Digipass. 

Organizational Units 

If an Organizational Unit structure is used in the data store, Digipass can be loaded or moved either into the exact 

Organizational Units where the User accounts to which they will be assigned are located, or into a few key 

Organizational Units in the hierarchy where they may be assigned to Users in lower level Organizational Units. 

Users Container 

When Active Directory is used as the data store, Digipass can be loaded into the Users container so they are 

available for Users in that container. However, it is not recommended to use the Users container for either User 

accounts or Digipass. 

When looking for an available Digipass to assign to a User, the Identikey Server will first look in the same 

Organizational Unit as the specific User account. The Search Upwards in Organizational Unit hierarchy option, 

when enabled, allows the Identikey Server to search in parent Organizational Units and the Digipass Pool 

container. This option may be set at the Policy level for system searches (eg. Auto-Assignment and Self- 

Assignment) or at the time of the search for manual assignment. 

Note 

The Identikey Server will always find or assign the closest available Digipass record to the 

selected User record(s). 

12.1.3.2 Delegated Administration in Active Directory 

If the assignment is manual (performed by an administrator), it will only find and successfully assign Digipass from 

locations where the administrator has the correct permissions. The administrator must have read permission for 

Digipass objects in the location to find a Digipass record, and if it needs to be moved to the User's location, they 

must have delete permission for Digipass objects to successfully assign the Digipass. If the administrator has 

sufficient permissions to view a Digipass record but not to assign it, the assignment will fail. 


Table 5: Summary of Digipass Record Location Options 

Record Location Pros Cons 

Digipass Pool Digipass are available to be assigned to all 

Users, regardless of the Organizational Unit 

structure. 

Only administrators with access to the Digipass 

Pool may view or modify records for unassigned 

Digipass. This also means that only those 

administrators may manually assign Digipass. 

Organizational Unit Digipass may be portioned out to various 

Organizational Units. This is particularly useful 

where a company is contracted to provide 

authentication services to multiple companies, 

or where various departments have different 

Digipass quota. 

Users Container Digipass can be assigned to any User in the 

Users container. 


An extra permission must be assigned to all 

administrators who should be able to assign 

Digipass (if they are not Domain Admins). It is 

not possible to strictly subdivide the unassigned 

Digipass among the Organizational Units 

according to quotas. 

If an Organizational Unit runs out of Digipass to 

assign its Users, more Digipass records must be 

manually moved to the right location. 

Digipass in the Users container are only 

available to User accounts stored there. 


12.1.3.3 Typical Digipass Location Models 

Digipass Pool 


A centralised point of access and importation can be implemented by using the Digipass Pool to hold unassigned 

Digipass records. This option requires less calculation and high-level administration, as Digipass records are all 

imported into one area and there is no need to manually move records or calculate the exact number of Digipass 

required for each Organizational Unit or group of Units. However, permissions will need to be set up to permit 

delegated administrators access to move the Digipass out of the container upon assignment. 

The Digipass Pool is treated as the Domain Root by the Identikey Server, as Digipass records may not be saved in 

the Domain Root. 

Image 38: Digipass Record Locations - Digipass Pool 

In the diagram above, the Identikey Server is shown searching upwards through the Organizational Unit structure 

for available Digipass to assign to a Digipass User in the Organizational Unit B1. Because no available Digipass are 

found in B1, it searches in B, then in the Digipass Pool. 

Administrator 1 needs delegated administrator permissions for the Organizational Unit B and its child 

Organizational Units. They must also have read and delete permissions for Digipass objects in the Digipass Pool 

container. 

Note 

The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to 

function correctly. 


Parent Organizational Units 


Unassigned Digipass can be kept in key Organizational Units, and made available to their lower level Organizational 

Units. This requires a delegated administrator to have permissions not only for the Organizational Unit in which the 

User accounts are stored, but also read, write and delete permissions for Digipass objects in the Organizational 

Unit in which the Digipass are stored. 

Image 39: Digipass Record Locations - Parent Organizational Unit 

In the diagram above, the Identikey Server can search in the parent Organizational Unit for available Digipass. 

The delegated administratration permissions can be set up in two basic ways: 

Administrator 1 has full admin permissions for Organizational Unit B and its child Organizational Units. She 

does not require any other permissions to assign Digipass from Organizational Unit B to a User in 

Organizational Unit B1. 

Administrator 2 has full admin permissions for Organizational Unit A2 only. He has read and delete permissions 

for Digipass objects in Organizational Unit A in order to assign Digipass from Organizational Unit A to a User in 

Organizational Unit A2. 

Note 




Individual Organizational Units 


Digipass can be loaded or moved into each Organizational Unit where and when they are required. It is then easy 

to set up permissions for delegated administrators to assign them only within their scope of control. If all Digipass 

in the Organizational Unit are assigned, more Digipass will need to be moved in manually by a Domain Admin 

before they can be assigned by a delegated administrator. 


Image 40: Digipass Record Locations - Individual Organizational Units 


In the diagram above, unassigned Digipass are stored in the exact Organizational Units in which they will be 

assigned. 

Each delegated administrator only requires permissions within their specific Organizational Unit(s). 

Note 

The Search Upwards in Organizational Unit hierarchy option does not need to be enabled for 

this model. 

Combination of models 

Digipass may be stored in the Digipass Pool as well as some or all Organizational Units. If no unassigned Digipass 

records are found in the Organizational Unit, and the Search Upwards in Organization Unit hierarchy option is 

enabled, the Identikey Server will search upwards to the Domain Root and search in the Digipass Pool for an 

available, unassigned Digipass record. 

12.1.4 Permissions Needed by the Identikey Server 

The installation process will ensure that the Identikey Server has sufficient permissions. This is achieved by 

assigning permissions in the domain to the in-built “RAS and IAS Servers” group. It is necessary to make sure that 

the Identikey Server is added to that group. 

12.1.5 Administrative Permissions 

Administrative permissions for Identikey Server administrators are controlled using Active Directory security 



properties. See the Permissions Needed by Administrators topic in the Administrator Reference for more 

information. 

Domain Administrators may view and edit all Digipass and Digipass User information in their domain, plus 

Digipass Configuration information if the Digipass Configuration Container is located in their domain. No 

permissions setup is required for them. 

Delegated Administrators may view and edit all Digipass and Digipass User information within their 

administrative scope of control. It is necessary to grant them full control, create and delete permissions over the 

Digipass and Digipass Application objects within their scope. 

Reduced Rights Administrators may perform a subset of the administration tasks. 'Property sets' are defined 

with the directory which can be used to enable or limit them in various Digipass administration tasks (eg. Access to 

the Digipass blob). 

12.1.6 Active Directory Command Line Utility 

This utility has to perform several tasks that are needed at various times during installation and upgrade if Active 

Directory is selected, or afterwards for maintenance. Some of the commands are run automatically by the 

installation program, while others are run manually. The commands that are run automatically can be run manually 

also, for example to troubleshoot why the installation is not succeeding. 

Table 6: DPADadmin tasks 

Command Description 

addschema Extend the Active Directory schema. 

checkschema Check that the schema extensions are all present. 

setupdomain Sets up the Digipass Configuration Container in the specified domain. 

setupaccess Assign permissions to a Windows group including: 

Full read access to everything in the domain 

Full control over vasco-DPToken objects 

Full control over vasco-DPApplication objects 

Ability to create and delete vasco-DPToken objects 

Full write access to extension attributes on user objects 

This command can optionally be used to also add a machine to the group. 


12.1.7 Active Directory Replication 


For more details of Active Directory Replication see Active Directory Replication Issues in the Administration 

Reference Guide. 

12.2 ODBC Database 

You may use the embedded PostgreSQL database supplied with Identikey Server, or another ODBC-compliant 

database. 

12.2.1 What is Stored in the Data Store? 

The following information is stored in the data store: 

Digipass User accounts 


Digipass configuration records (Policies, Components, Back-End Servers, Reports and Report Formats) 

Identikey Server Configuration information 

12.2.2 Domains and Organizational Units 

Image 41: Domains and Organizational Units 

Domains and Organizational Units are included in the ODBC database in a way that mirrors the data structure used 

by Active Directory. 

Organizational Units are designed to hold User accounts and Digipass records. They allow grouping of Users 

according to department, job function, or other criteria. They also allow Digipass to be allocated for Auto- 



Assignment to single or multiple groups of Users. Both Domains and Organizational Units can be used to limit 

administrators to a group of Users and/or Digipass. 

12.2.3 Location of Digipass Records 

When a Digipass is assigned to a User, it is moved to the same Organizational Unit as the Digipass User account to 

which it is assigned. 

Note 

When a User account is moved to an Organizational Unit, all Digipass records assigned to it will 

also be moved. 

A Digipass record assigned to a User cannot be moved - the User account must be moved. 

Unassigned Digipass records may be allocated to various places in the Organizational Unit structure: 

Master Domain 

During installation, a default domain is created. Digipass are imported to the Master Domain, and may then be 

moved to other domains and Organizational Units. 

Organizational Units 

If an Organizational Unit structure is used in the database, Digipass can be moved either into the exact 

Organizational Units where the User accounts to which they will be assigned are located, or into a few key 

Organizational Units in the hierarchy where they may be assigned to Users in lower level Organizational Units. 

When looking for an available Digipass to assign to a User, the Identikey Server will first look in the same 

Organizational Unit as the specific User account, if the User account belongs to an Organizational Unit. The Search 

Upwards in Organizational Unit hierarchy option, when enabled, allows the Identikey Server to search in parent 

Organizational Units and the Digipass Pool container. This option may be set at the Policy level for system searches 

(eg. Auto-Assignment and Self-Assignment) or at the time of the search for manual assignment. 

Note 

The Identikey Server will always find or assign the closest available Digipass record to the 

selected User record(s). 

If the User account being assigned a Digipass does not belong to an Organizational Unit, the Identikey Server will 

look for an available Digipass in the domain which does not belong to an Organizational Unit. 


12.2.3.2 Typical Digipass Location Models 

Domain Root 

Digipass records may be stored in the Domain Root while unassigned. 


This option allows a centralised point of access for assignment of Digipass. It also requires less calculation and 

high-level administration - Digipass records are all stored in one area and there is no need to manually move 

records or calculate the exact number of Digipass required for each Organizational Unit or group of Units. 

Administrators must belong to the Domain only (not an Organizational Unit) to assign Digipass from the Domain 

Root. 

Image 42: Digipass Record Locations – Domain Root 

In the diagram above, the Identikey Server searches upwards through the Organizational Unit structure for available 

Digipass to assign to a Digipass User in the Organizational Unit B1. Because no available Digipass are found in B1, 

it searches in B, then in the Domain root. 

The administrator account must be located in the domain root (no Organizational Unit) in order for this model to 

work successfully. 

Note 





This option is simplified if an Organizational Unit structure is not used in the database. User accounts and Digipass 

records may all be stored in the Master Domain. The Search Upwards in Organizational Unit hierarchy option 

does not need to be enabled in this case. 

Parent Organizational Units 

Unassigned Digipass can be kept in key Organizational Units, and made available to their lower level Organizational 

Units. 

Image 43: Digipass Record Location – Parent Organizational Unit 

In the diagram above, the Identikey Server can search in the parent Organizational Unit for available Digipass. 

Administrators will need to belong to the parent Organizational Unit. 

Note 




Individual Organizational Units 


Digipass can be loaded or moved into each Organizational Unit where and when they are required. If all Digipass in 

the Organizational Unit are assigned, more Digipass will need to be moved in manually by a Domain Admin before 

they can be assigned. 

Image 44: Digipass Record Location s – Individual Organizational Units 

In the diagram above, unassigned Digipass are stored in the exact Organizational Units in which they will be 

assigned. 

Administrator accounts belonging to the Organizational Units A1 and A2 have administration privileges in their own 

Organizational Unit only. 

Note 

The Search Upwards in Organizational Unit hierarchy option does not need to be enabled for 

this model. 

Combination of models 

Digipass may be stored in the Master Domain as well as some or all Organizational Units. If no unassigned 

Digipass records are found in the Organizational Unit, and the Search Upwards in Organization Unit hierarchy 

option is enabled, the Identikey Server will search upwards to the Domain Root and search in the Digipass Pool for 

an available, unassigned Digipass record. 

12.2.4 Permissions Needed by the Identikey Server 

Identikey Server will require either: 


a database administrator account for the database, 

ownership of the VASCO tables, or 

permissions to insert, remove, read and modify rows in VASCO tables. 


See the Administrator Reference for more information. This is set up automatically in the case of the embedded 

database option. 

12.2.5 Database Command Line Utility 

This utility has to perform several tasks that are needed at various times during installation and upgrade, or 

afterwards for maintenance. Some of the commands are run automatically by the installation program, while others 

are run manually. The commands that are run automatically can be run manually also, for example to troubleshoot 

why the installation is not succeeding. 

Command Description 

addschema Modify the database structure to create the required VASCO tables. 

checkschema Check that the required database modifications and/or table name remappings have been 

completed. 

dropschema Remove all database schema modifications from the database. 

Table 7: DPDBadmin commands 


12.2.6 Additional ODBC Databases 


A synchronized backup database may be set up for the Identikey Server. This helps to ensure continuous service if 

the main database fails. The synchronization can be a shadow database, a mirror or a replicated copy. 

The required synchronization must be set up according to the instructions provided by the database vendor. It is 

strongly recommended to minimize the synchronization delay. 

Once the database and any synchronization is set up, create a Data Source Name for the new database and add it 

to the Identikey Server Configuration GUI. 

Image 45: Additional ODBC databases 

See the Database Connection Handling topic in the Administrator Reference Guide for more information. 


12.2.7 Multiple Identikey Servers 

If more than one Identikey Server is installed on the system, some additional setup may be required. 

Multiple Identikey Servers Using Same Database 


If more than one Identikey Server is using the one ODBC database, no additional setup steps are required. A 

backup database should be considered. 

Image 46: Multiple Identikey Server Using Single Database 


12.2.8 Replication 


When multiple Identikey Servers are in use each with their own database, they can be configured to replicate data 

changes between them, to keep all database synchronized. 

12.2.8.1 Common Scenarios 

Primary and Backup Identikey Servers 

The most common, and most basic, replication setup is used when a company has two Identikey Servers – one 

primary, to which all authentication requests are customarily sent, and a backup Identikey Server for use when the 

primary server is busy or unavailable. Replication is usually set to occur very frequently. 

Image 47: Replication between a Primary and Backup Identikey Server 


12.2.8.2 Other Scenarios 

Primary, Backup and Disaster Recovery Identikey Servers 


This scenario is often used when a company requires an offsite disaster recovery Identikey Server and database. 

Image 48: Replication between Primary, Backup, and Disaster Recovery in Identikey Server 

Other replication scenarios may also be used. For example, a company may have three Identikey Servers, all 

replicating to each other. This may keep data up to date better than a simpler replication chain. 


Image 49: Replication between three Identikey Servers 


Or, a company might require two Primary Identikey Servers, each with a backup Identikey Server, and add in an 

extra replication link to speed up data communications: 

Image 50: Complex Identikey Server Replication Scenario 


12.3 Sensitive Data Encryption 


Sensitive data is encrypted by the Identikey Server using an embedded key. If needed, this encryption may be 

strengthened by including a custom encryption key. See the Administrator Reference Guide for more information. 


13 Licensing 

13.1 Overview 

Licensing 

VASCO products are licensed per Component record in the data store. The licensing relies upon a License Key 

which is checked when the Identikey Server starts. This License Key is tied to the location (IP address) where the 

Identikey Server is installed, and stored in the Component record for the Identikey Server. The Identikey Server will 

not authenticate a user without a correct License Key, except to permit administration. SOAP, RADIUS, and the 

Authorization, Signature Validation and Provisioning scenarios all require a License Key. 

Client modules – such as the IIS 6 Module or Citrix Web Interface – also require a License Key to be loaded into 

their Component record. The Identikey Servers to which they connect will otherwise reject all authentication 

requests from them. 

Evaluation License 

An evaluation license means that you can use its full functionality until the evaluation period runs out. At the end of 

this period, you will need to either uninstall the product or buy a permanent license. Contact your distributor or the 

appropriate VASCO Reseller representative to acquire the licences you will need. For your convenience, the 

evaluation serial number is embedded in the installation program. You will still need to obtain and load a license 

key. 

Client module licenses can also be evaluation (time-limited) licenses. 

13.2 Obtaining and Loading a License Key 

The Identikey Server Configuration Wizard will guide you through the process of requesting and loading a License 

Key. However, if for some reason it is not possible to complete the licensing at installation time, the Web 

Administration Interface can be used to obtain and load a License Key for a Component. This process must be 

completed for each Identikey Server, and requires an active internet connection to open the Manage Identikey 

ServerPage. 


14 Auditing and Tracing 

14.1 Audit System 

Auditing and Tracing 

The VASCO Audit System consists of a number of auditing modules which save audit messages to a specific 

format (eg. text file or database) and an Audit Viewer which can open, display and filter audit messages from 

various sources. 

Image 51: Audit System Overview 

Audit messages are primarily generated by the Identikey Server. They may be recorded by a number of different 

methods: 

Windows Event Log (to be viewed in the Event Log Viewer) 

Syslog (In Linux environments) 

Text file 

ODBC-compliant database 

Audit messages may also be passed directly to an Audit Viewer as a live feed. 

14.1.1 Configure Auditing Output 

Auditing output from the Identikey Server can be configured using the Identikey Server Configuration. See the 

Configuration section of the Administrator Reference for more information. 


14.1.2 Audit Viewer 

Image 52: Audit Viewer 


The Audit Viewer can retrieve messages from several different sources and display audit messages from each in 

separate windows. Audit messages may be filtered by message type, date and time, or the contents of specific 

fields. 

14.1.3 Starting the Audit Viewer 

Windows 

Use the Start menu (by default, Programs -> VASCO -> Identikey Server -> Audit Viewer) or go to the Identikey 

Server installation/bin directory. 

Linux 

1. Navigate to the Identikey Server installation directory (by default, /opt/vasco/Identikey). 

2. Start the Audit Viewer by entering these commands: 

vds_chroot /bin/bash 

dpauditviewer 


14.1.4 Audit message types 

Type Description 


Error The message contains details about a system, configuration, licensing or some internal error. Errors do 

not include normal processing events such as failed logins. 

Warning Warning messages contain details about potential problems within the system. This could include details 

such as a failed connection attempt to a database 

Information Informational messages provide details about events within the system that need to be recorded but do 

not indicate errors or potential errors. 

Success Success messages contain details about processing events that were correctly processed. This may 

include successful authentications or successful administration commands. 

Failure Failure messages contain details about processing events that failed. This may include rejected 

authentications, or administration actions that failed. 

Table 8: Audit message types 

14.1.5 Active Directory Auditing 

14.2 Tracing 

Active Directory auditing may be enabled and configured to record access and modifications to Digipass-related 

data used by the Identikey Server. See the Active Directory Auditing topic in the Administrator Reference for 

more information. 

The level of tracing for the Identikey Server can be configured using the Identikey Server Configuration utility. 

Tracing messages will be recorded to a text file. 

See the Tracing section in the Administrator Reference for more information, and instructions on configuring 

tracing for the Identikey Server. 


15 Message Delivery Component 

15.1 What is the Message Delivery Component? 

Message Delivery Component 

The Message Delivery Component (MDC) interfaces with a gateway service to send a One Time Password to a 

User’s mobile phone. The MDC acts as a service, accepting messages from the Identikey Server, which are then 

forwarded to a text message gateway via the HTTP/HTTPS protocol. 

Since every gateway uses different submission parameters, a set of configuration values is required, which can be 

administered by the MDC Configuration GUI. See the Configuration section of the Administrator Reference for more 

information. 

15.2 Starting the Message Delivery Component 

Windows 

The MDC service can be started and stopped through the Windows Service Manager Console. 

Linux 

To start the MDC daemon: 

1. Enter the chroot environment: 

vds_chroot /bin/bash 

2. Navigate to usr/share/vasco/init.d 

3. Enter the command: 

./mdc start 


16 User Self Management Web Site 

16.1 What is the User Self Management Web Site? 

User Self Management Web Site 

The User Self Management Web Site allows Users to perform functions which are unavailable during a usual login 

– either because the functionality is disabled within the Identikey Server configuration, or because CHAP or another 

protocol is in use which does not allow the functionality: 

User Registration and Auto-Assignment 

Self-Assignment 

Password Synchronization 

PIN Change 

Login Test 

The site can also be used to help Users get started with their Digipass while they are still in the office and help is 

available. 

Image 53: User Self Management Web Site 


Important Note 

User Self Management Web Site 

The User Self Management Web Site is intended for RADIUS environments, and uses the RADIUS 

protocol to communicate with the Identikey Server. If the Identikey Server is not licensed for 

RADIUS, you will not be able to use the User Self Management Web Site. 

16.2 Customizing the User Self Management Web Site 

The User Self Management Web Site can be customized by modifying the pages provided with the installation. You 

may wish to: 

change the colors and graphics to match your corporate colors/logos. 

integrate the pages into a larger web site. 

translate or customize the text 

Any cosmetic part of the web pages may be modified. Completely new web pages may be used, provided that the 

correct form fields are posted to the CGI program, and query string variables are interpreted correctly. Server 

scripting languages such as PHP or ASP, or any other way of generating HTML, can be used. 

See the Web Sites section of the Administrator Reference for more information. 


Alphabetical Index 

Activation Code........................................................................................87 

Active Directory............................................................................................ 

Active Directory User..........................................................................38 

Archiving Strategy..................................................................................128 

Audit........................................................................................................... 

Active Directory Auditing..................................................................152 

Audit System...................................................................................150 

Audit Viewer....................................................................................151 

Authentication.............................................................................................. 

Local................................................................................................ 45 

Auto-Assignment.......................................................................43, 47, 154 

Back End Authentication - Novell e-Directory.............................................58 

Back-End Authentication.......................................................................... 64 

Back-End Authentication - Active Directory................................................57 

Back-End Protocol....................................................................................54 

Back-End Server.......................................................................................... 

Back-End Server record.....................................................27, 129, 137 

Backup Virtual Digipass....................................................................27, 106 

Challenge................................................................................................47 

Challenge/Response...............................................................9, 64, 65, 103 

1-Step Challenge/Response...............................................................48 

2-Step Challenge/Response...............................................................48 

Non-time-based..............................................................................104 

Time-based.....................................................................................103 

Challenge/Response ................................................................................12 

CHAP.....................................................................................17-20, 63, 64 

Check Digit............................................................................................104 

Citrix Web Interface..................................................................................36 

Command-Line Administration..................................................................93 

Communicator.........................................................................................15 

Component.................................................................................................. 

Component record.............................................................26, 129, 137 

Configuration...........................................................................................94 

Configuration Wizard................................................................................25 

Context Menu..........................................................................................92 

Index 

Custom..................................................................................................126 

Custom Reports.....................................................................................126 

Customize..............................................................................................155 

Data field...................................................................................................9 

Database Synchronization.......................................................................143 

Deferred Signature Validation....................................................................67 

Digipass..................................................................................8, 9, 47, 103 

Assign.............................................................................................. 98 

Digipass Application...................................................................... 9, 27 

Digipass Assignment......................................................................... 93 

Digipass Blob....................................................................................26 

Digipass for Web...............................................................................12 

Digipass PIN....................................................................................103 

Digipass record.....................................26, 92, 99, 101, 130, 137, 139 

Digipass Record Administration..........................................................93 

Hardware Digipass.............................................................................10 

Lookup..............................................................................................45 

Programming..................................................................................103 

Search..............................................................................................93 

Serial Number...................................................................................99 

Server PIN.......................................................................................106 

Software Digipass..............................................................................12 

Unlock Digipass...............................................................................102 

Digipass Application...................................................................................9 

Digipass Extension for Active Directory Users and Computers..................... 92 

Digipass for Mobile...................................................................................12 

Digipass for Web......................................................................................12 

Digipass TCL Command-Line Administration............................................. 24 

Digipass User............................................................................................... 

Account..............................26, 28, 37, 42, 92, 96, 100, 129, 137, 138 

Account Creation...............................................................................96 

Linked...............................................................................................46 

Digital Signature...............................................................................8, 9, 11 

Digital signatures.....................................................................................66 

Domain............................................................................................56, 138 


Domain........................................................................................................ 

Active Directory.................................................................................27 

Default Domain..................................................................................38 

ODBC............................................................................................... 97 

DUR........................................................................................................96 

Dynamic User Registration..................................................................43, 54 

EAP...................................................................................................18, 64 

EAP-TTLS................................................................................................18 

Encryption............................................................................................. 148 

Engine.....................................................................................................29 

Event ......................................................................................................67 

Event Based Signature..............................................................................67 

Event Value............................................................................................105 

Event-based...........................................................................................103 

Generate digital signatures.......................................................................66 

Grace Period......................................................................................47, 99 

Group Check......................................................................................41, 45 

Group Check................................................................................................ 

Back-End..........................................................................................42 

Pass Back.........................................................................................41 

'Reject..............................................................................................42 

Identikey Server Configuration...................................................................25 

IIS...........................................................................................................23 

IIS Module Component Check...................................................................36 

Internet Information Services.....................................................................21 

Licensing...............................................................................................149 

Evaluation License...........................................................................149 

License Key...............................................................................26, 149 

Local Authentication...........................................................................42, 45 

Message Delivery Component.................................................................153 

MPPE......................................................................................................63 

MS-CHAP..........................................................................................63, 64 

MS-CHAP2........................................................................................63, 64 

MS-CHAPv1.......................................................................................17-19 

MS-CHAPv2.......................................................................................17-19 

Multi-Mode..........................................................................................9, 12 

Index 

Offline Delivery.........................................................................................72 

One Time Password.............................................................8, 9, 11, 12, 49 

Length............................................................................................104 

Online delivery.........................................................................................72 

Organizational Unit.................................................................................138 

Organizational Unit....................................................................................... 

Active Directory.................................................................................28 

ODBC............................................................................................... 97 

OTP.............................................................................................19, 20, 21 

OTP Request Site.....................................................................................50 

Outlook Web Access or............................................................................ 36 

PAP.............................................................................................17-20, 63 

Password..................................................................................................... 

Password Autolearn...............................................................56, 64, 97 

Password Replacement......................................................................54 

RADIUS.............................................................................................22 

Static password.........................................................20, 22, 23, 50, 54 

Stored Password Proxy......................................................................55 

Stored Static Password......................................................................55 

Windows.....................................................................................22, 23 

PEAP.......................................................................................................18 

PIN.............................................................................................................. 

Digipass PIN..............................................................................11, 103 

Force PIN Change............................................................................102 

Server PIN.................................................................................47, 106 

Policy..............................................................................................45, 114 

Effective Settings.............................................................................115 

Inheritance......................................................................................114 

Policy record.....................................................................27, 129, 137 

Policy record......................................................................................... 

Pre-loaded................................................................................117 

Privileges...............................................................................................135 

Provisioning.......................................................................................71, 72 

RADIUS..............................................................................................17, 29 

Attributes....................................................................................17, 54 

CHAP................................................................................................29 


Client................................................................................................36 

Default RADIUS Client..................................................................36 

MPPE................................................................................................29 

MS-CHAP..........................................................................................29 

MS-CHAP2........................................................................................29 

PAP..................................................................................................29 

Server.......................................................................17, 18, 19, 20, 22 

RADIUS Client Component Check..............................................................36 

Real Time Signature Validation..................................................................66 

Replication.....................................................................................145, 147 

Report Generation..................................................................................126 

Report Permissions................................................................................127 

Report Type...........................................................................................122 

Reporting...............................................................................................121 

Reset........................................................................................................... 

Reset Application.............................................................................101 

Reset Application Lock.....................................................................102 

Reset PIN........................................................................................102 

Response Only.............................................................................9, 12, 103 

Scenario..................................................................................................15 

SEAL.......................................................................................................15 

Self-Assignment............................................................ 43, 54, 64, 98, 154 

Server PIN...............................................................................................64 

Set.............................................................................................................. 

Set Event Counter............................................................................102 

Index 

Set PIN........................................................................................... 102 

Sign transaction.......................................................................................66 

Simple Name Resolution...........................................................................37 

Smartcard................................................................................................12 

SOAP......................................................................................................28 

Software Digipass................................................................................8, 71 

Standard Reports...................................................................................125 

Stored Password Proxy.................................................................55, 64, 97 

Test Digipass Application........................................................................102 

Text message............................................................................................8 

Time .......................................................................................................67 

Time based signature...............................................................................67 

Time Shift..............................................................................................105 

Time Step........................................................................................67, 105 

Time-based...........................................................................................103 

Tracing..................................................................................................152 

User Self Management Web Site.....................................................154, 155 

Virtual Digipass.......................................................................8, 47-49, 108 

Backup Virtual Digipass............................................... 13, 48, 108, 110 

Keyword............................................................................................50 

OTP..................................................................................................48 

Primary Virtual Digipass.....................................................................13 

Request Method................................................................................50 

Windows Name Resolution....................................................................... 37

Identikey Server Product Guide - Vasco

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?