Version: 8.2511.x.x RR

OTP

This page lists the policy parameters specific to OTP credentials.

In addition to the policy parameters defined here, the parameters defined in the table in the chapter All credential types are also valid for OTP credentials.

closeToExpirationThreshold

  • Data type: int (days)
  • Default: 10
  • Description: Defines the number of days before the actual expiry date at which the batch job UpdateCredentialStateJob, if configured, triggers renewal or other communication events. Example: If set to 2, all OTP cards that expire the day after tomorrow (between 00:00 and 23:59) are affected.

coordinateCardFormat

  • Data type: boolean
  • Default: false
  • Description: Defines the format in which the challenges in the OTP card are stored. When true, the coordinate format is used, i.e., the challenges are numbered from A1 to N12. When false, the challenges are sequentially numbered from 001 to 168.

credentialLifetime

  • Data type: long (>0)
  • Default: 315360000000 (10 years in milliseconds)
  • Description: The time to live (in milliseconds) of the OTP credential. After the defined period of time, the user will not be able to log in with this OTP credential anymore.

fallbackAllowed

  • Data type: boolean
  • Default: true
  • Description: If set to true, a user whose new OTP card has already been sent can still log in with the old OTP card during the fallback transition period.

fallbackTransitionPeriod

  • Data type: int (>0)
  • Default: 14
  • Description: Defines the period in days during which a user may still use the old OTP card although a new OTP card has already been sent. Only relevant if fallbackAllowed is true.

lowOnChallengesThreshold

  • Data type: int
  • Default: 20
  • Description: Threshold that triggers a warning as soon as the number of remaining challenges on the OTP card goes below the configured value.

maxCredFailureCount

  • Data type: int (>0) or -1
  • Default: 3
  • Description: Maximum number of login failures before the OTP credential is permanently locked. If set to -1, the maximum failure counter is disabled.

renewWhenCloseToExpiration

  • Data type: boolean
  • Default: false
  • Description: Defines whether the batch job UpdateCredentialStateJob should trigger an OTP card renewal when closeToExpirationThreshold is reached.

renewWhenLowOnChallenges

  • Data type: boolean
  • Default: true
  • Description: If set to true, it triggers an OTP card renewal event when the lowOnChallengesThreshold is underrun. Renewal means generating an additional OTP card while the original card remains untouched.

reuseChallenges

  • Data type: boolean
  • Default: true
  • Description: Enables or disables the reuse of challenges. When true, a challenge may be presented again after it has already been answered. When false, each challenge is used at most once, so an observed challenge/response pair has no value for a later login; the card is then consumed as challenges are used, which is what lowOnChallengesThreshold and renewWhenLowOnChallenges account for.

sendingMethod

  • Data type: Comma-separated list of enums

  • Values: any subset of PDFstore, Print, PDFemail, None

  • Default: PDFstore

  • Description: Defines a fallback list of methods for communicating a credential to the user (if the first method fails for some reason, the second is tried, and so on). All methods (except None) fail if the corresponding template is missing or one or more mandatory placeholders are empty. If sendingMethod is not defined at all, nevisIDM uses the default value, which has no fallbacks.

    If PDFstore is configured, the following additional parameter can be defined:

    • PDFstore.destDir (optional): Defines the destination directory where the PDF is to be saved. If not configured, the directory set in nevisidm-prod.properties is used as fallback.

    The PDFemail method requires two templates: one e-mail and one OpenOffice template. If PDFemail is configured, the following additional parameter can be defined:

    • PDFemail.htmlEmail (optional, default: false): If true, an HTML e-mail is sent. Otherwise, a plain text e-mail is sent.

sendWarningWhenCloseToExpiration

  • Data type: boolean
  • Default: false
  • Description: Defines whether the batch job UpdateCredentialStateJob should trigger an OTPExpirationWarning communication event when closeToExpirationThreshold is reached.

sendWarningWhenLowOnChallenges

  • Data type: boolean
  • Default: false
  • Description: If set to true, it triggers an OTPLowOnChallengesWarning event as soon as the lowOnChallengesThreshold is underrun.
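The expiry and low-on-challenges parameters above interact: credentialLifetime fixes the expiry day, closeToExpirationThreshold selects the single day on which UpdateCredentialStateJob acts, and the four boolean flags decide which events are raised. The following model is an added example, not nevisIDM code. It assumes the batch job compares calendar days in UTC, that "underrun" means strictly below lowOnChallengesThreshold, and that the policy is passed as a plain dict keyed by the parameter names on this page; the sample creation timestamp is constructed.

```python
from datetime import date, datetime, timedelta, timezone

# Page defaults for the parameters this model uses.
DEFAULT_POLICY = {
    "credentialLifetime": 315360000000,       # ms; "10 years" is exactly 3650 days
    "closeToExpirationThreshold": 10,         # days
    "renewWhenCloseToExpiration": False,
    "sendWarningWhenCloseToExpiration": False,
    "lowOnChallengesThreshold": 20,
    "renewWhenLowOnChallenges": True,
    "sendWarningWhenLowOnChallenges": False,
}


def expiry_date(created_ms: int, credential_lifetime_ms: int) -> date:
    """UTC calendar day on which the credential stops being accepted."""
    expires_at = datetime.fromtimestamp(
        (created_ms + credential_lifetime_ms) / 1000, tz=timezone.utc
    )
    return expires_at.date()


def is_close_to_expiration(expiry: date, today: date, threshold_days: int) -> bool:
    """True only on the day exactly threshold_days before the expiry day
    (the page's example: threshold 2 selects cards expiring the day after tomorrow)."""
    return expiry == today + timedelta(days=threshold_days)


def policy_events(policy: dict, created_ms: int,
                  remaining_challenges: int, today_iso: str) -> list:
    """Events the policy raises for one credential on the given day (ISO date)."""
    today = date.fromisoformat(today_iso)
    events = []
    expiry = expiry_date(created_ms, policy["credentialLifetime"])
    if is_close_to_expiration(expiry, today, policy["closeToExpirationThreshold"]):
        if policy["sendWarningWhenCloseToExpiration"]:
            events.append("OTPExpirationWarning")
        if policy["renewWhenCloseToExpiration"]:
            events.append("renewal")
    # "underrun" is modelled as strictly below the threshold (assumption).
    if remaining_challenges < policy["lowOnChallengesThreshold"]:
        if policy["sendWarningWhenLowOnChallenges"]:
            events.append("OTPLowOnChallengesWarning")
        if policy["renewWhenLowOnChallenges"] and "renewal" not in events:
            events.append("renewal")
    return events


if __name__ == "__main__":
    created = 1420070400000  # constructed: 2015-01-01T00:00:00Z
    print(expiry_date(created, DEFAULT_POLICY["credentialLifetime"]))
    warn = {**DEFAULT_POLICY, "sendWarningWhenCloseToExpiration": True}
    print(policy_events(warn, created, 19, "2024-12-19"))
```

Two things the model makes visible: the default lifetime is 3650 days, not ten calendar years, so a card created on 2015-01-01 expires on 2024-12-29 (three leap days earlier than the anniversary); and with the page defaults nothing at all is sent when a card approaches expiry, because both sendWarningWhenCloseToExpiration and renewWhenCloseToExpiration are false, while a card running low on challenges is renewed silently.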

supportLegacyCardTransition

  • Data type: boolean
  • Default: false
  • Description: Enables the fallback mechanism to legacy OTP cards (migrated cards whose dimensions are different from nevisIDM OTP cards). If set to true, nevisIDM will generate a pair of challenges during the transition phase from the old migrated OTP card to the new OTP card. Example pair of challenges: 168#J10. The user can log in with the old card (giving the value of position J10 in the old card as response) or with the new card (giving the value of position 168 in the new card as response).
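To make the two card numberings (coordinateCardFormat) and the legacy transition pair concrete, here is an added example that is not nevisIDM code. It assumes the coordinate grid is filled row by row (A1..A12, then B1..), which the page does not state, that a transition challenge is two position labels joined by a single `#`, and that a card can be represented as a dict from position label to response value; both sample cards are constructed.

```python
import hmac
from typing import Dict, Optional, Tuple

CARD_ROWS = "ABCDEFGHIJKLMN"   # 14 rows A..N in coordinate format
CARD_COLS = 12                 # 12 columns; 14 * 12 = 168 challenges


def seq_to_coord(n: int) -> str:
    """Sequential challenge number 1..168 -> coordinate A1..N12 (row-major, assumed)."""
    if not 1 <= n <= len(CARD_ROWS) * CARD_COLS:
        raise ValueError(f"challenge number out of range: {n}")
    row, col = divmod(n - 1, CARD_COLS)
    return f"{CARD_ROWS[row]}{col + 1}"


def coord_to_seq(label: str) -> int:
    """Coordinate A1..N12 -> sequential challenge number 1..168."""
    row_letter, col_text = label[:1].upper(), label[1:]
    if row_letter not in CARD_ROWS or not col_text.isdigit():
        raise ValueError(f"malformed coordinate: {label}")
    col = int(col_text)
    if not 1 <= col <= CARD_COLS:
        raise ValueError(f"column out of range: {label}")
    return CARD_ROWS.index(row_letter) * CARD_COLS + col


def format_challenge(n: int, coordinate_card_format: bool) -> str:
    """Render challenge n the way the policy stores it: A1..N12 or 001..168."""
    return seq_to_coord(n) if coordinate_card_format else f"{n:03d}"


def split_transition_challenge(challenge: str) -> Tuple[str, str]:
    """Split a supportLegacyCardTransition pair such as '168#J10' into
    (position on the new card, position on the old migrated card)."""
    new_pos, sep, old_pos = challenge.partition("#")
    if not sep or not new_pos or not old_pos:
        raise ValueError(f"malformed transition challenge: {challenge}")
    return new_pos, old_pos


def verify_transition_response(challenge: str, response: str,
                               new_card: Dict[str, str],
                               old_card: Dict[str, str]) -> Optional[str]:
    """Accept the response if it matches either card; report which one matched."""
    new_pos, old_pos = split_transition_challenge(challenge)
    # compare_digest keeps the comparison time independent of the mismatch position.
    if new_pos in new_card and hmac.compare_digest(new_card[new_pos], response):
        return "new"
    if old_pos in old_card and hmac.compare_digest(old_card[old_pos], response):
        return "old"
    return None


# Constructed sample cards; the old card has different dimensions, so it is
# only modelled by the positions it actually carries.
SAMPLE_NEW_CARD = {"001": "8311", "168": "4711"}
SAMPLE_OLD_CARD = {"J10": "2266"}

if __name__ == "__main__":
    print(format_challenge(168, True), coord_to_seq("J10"))
    print(verify_transition_response("168#J10", "2266", SAMPLE_NEW_CARD, SAMPLE_OLD_CARD))
```

Because the transition challenge names a position on each card, a single response is accepted from whichever card the user still has; once supportLegacyCardTransition is switched off, only the new-card position is asked for and the old card stops working.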

templatePrecedence

  • Data type: int
  • Default: null
  • Description: The precedence number of the template to use during the communication with the user. If the parameter is not set, the default template will be used. If no template exists with the given precedence number, an error will occur.

tmpLockingDuration

  • Data type: long
  • Default: 60000
  • Description: Duration of the temporary lock in milliseconds. Use a value of at least 30000, since below that the exact duration cannot be guaranteed.

tmpLockingMode

  • Data type: String
  • Values: strict, threshold
  • Default: strict
  • Description:
    • strict: once the first temporary locking period has elapsed, the user gets a single further login attempt; the next failure immediately starts the next temporary locking period.
    • threshold: after every temporary locking period the user again gets tmpLockingThreshold attempts before the next temporary locking period starts.

tmpLockingThreshold

  • Data type: int (>0) or -1
  • Default: 2
  • Description: Number of login failures before the OTP credential is temporarily locked. If set to -1, the temporary lock is disabled.
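The temporary and permanent locking parameters only make sense together, so here is an added simulation of how tmpLockingThreshold, tmpLockingDuration, tmpLockingMode and maxCredFailureCount combine across a sequence of login attempts. It is example code, not nevisIDM's implementation, and it makes three assumptions the page does not spell out: attempts made while a temporary lock is active are rejected without being counted, a successful login clears all counters, and the failure that triggers a lock is reported as that lock.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class LockingPolicy:
    """Locking-related OTP policy parameters, initialised to the page defaults."""
    tmpLockingThreshold: int = 2      # failures before a temporary lock; -1 disables
    tmpLockingDuration: int = 60000   # temporary lock length in milliseconds
    tmpLockingMode: str = "strict"    # "strict" or "threshold"
    maxCredFailureCount: int = 3      # failures before a permanent lock; -1 disables


@dataclass
class OtpCredentialState:
    policy: LockingPolicy
    failures: int = 0                 # failures since the last successful login
    failures_in_window: int = 0       # failures since the last temporary lock expired
    tmp_locks: int = 0                # temporary locks issued since the last success
    tmp_locked_until_ms: int = 0
    permanently_locked: bool = False

    def attempt(self, correct: bool, now_ms: int) -> str:
        p = self.policy
        if self.permanently_locked:
            return "LOCKED"
        if now_ms < self.tmp_locked_until_ms:
            # Assumption: attempts during a temporary lock are not counted.
            return "TMP_LOCKED"
        if correct:
            # Assumption: success resets every counter.
            self.failures = self.failures_in_window = self.tmp_locks = 0
            return "OK"
        self.failures += 1
        self.failures_in_window += 1
        if p.maxCredFailureCount != -1 and self.failures >= p.maxCredFailureCount:
            self.permanently_locked = True
            return "LOCKED"
        if p.tmpLockingThreshold == -1:
            return "FAIL"
        # strict: after the first temporary lock a single failure re-locks;
        # threshold: every window allows tmpLockingThreshold failures.
        if p.tmpLockingMode == "strict" and self.tmp_locks > 0:
            allowed = 1
        else:
            allowed = p.tmpLockingThreshold
        if self.failures_in_window >= allowed:
            self.tmp_locks += 1
            self.failures_in_window = 0
            self.tmp_locked_until_ms = now_ms + p.tmpLockingDuration
            return "TMP_LOCKED"
        return "FAIL"


def simulate(policy: LockingPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Run (time_ms, correct) attempts against a fresh credential; return the outcomes."""
    cred = OtpCredentialState(policy)
    return [cred.attempt(ok, t) for t, ok in attempts]


if __name__ == "__main__":
    # Constructed attempt timeline: three wrong responses, then one more after the lock expires.
    timeline = [(0, False), (1000, False), (2000, False), (61000, False)]
    print(simulate(LockingPolicy(), timeline))
    print(simulate(LockingPolicy(maxCredFailureCount=-1, tmpLockingMode="threshold"),
                   [(0, False), (1000, False), (61000, False), (62000, False)]))
```

With the page defaults the second failure starts a 60 s temporary lock and the first failure after it expires is the third failure, which locks the credential permanently; the difference between strict and threshold mode only becomes visible when maxCredFailureCount is raised or disabled.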