Direct authentication credentials
Password
Password authentication is the most widely used of all credential types, but it is a weak authentication method.
[The table] lists all password policy parameters.
Ticket
A one-time ticket contains a generated random value and, by default, can be used only once. By means of the ticket policy, the ticket may be configured to allow re-use.
[The table] lists all ticket policy parameters.
Temporary strong password
The purpose of a temporary strong password is to replace another strong authentication credential, e.g., a certificate or SecurID. This is important for users who lost or forgot their other strong authentication credential but still want the benefits of strong authentication.
It is called "temporary" because it is only valid for a single login operation. Therefore, it could also be described as a one-time password credential, which is considered an exceptionally strong authentication method.
[The table] lists all temporary strong password policy parameters.
OTP
A one-time password (OTP) is used for a challenge/response (C/R) authentication.
A so-called OTP card, also known as a grid card, contains an indexed table of small passwords. During authentication, the authentication service asks the user for a certain password on the OTP card by specifying only the coordinates of the table cell on the OTP card. The user then returns the content of that table cell to the authentication service. [The table] lists all OTP policy parameters.
Vasco Digipass token
Vasco Digipass tokens can handle challenge/response authentication and response-only authentication, depending on the Vasco Digipass device used.
During authentication with challenge/response, nevisIDM uses the token to create a challenge. The user then has to enter the challenge into the Vasco Digipass device to get the correct response. For response-only authentication, the user reads the response directly from the device. Separate tables list all Vasco Digipass token attributes and all Vasco Digipass token policy parameters.
Certificate
An X.509 certificate enables a user to authenticate without interaction (apart from the password that may have to be entered for the private key). It also adds extra security to the connection (two-way SSL, i.e., client-authenticated TLS), which makes it harder for a man-in-the-middle proxy to intercept the traffic or to execute man-in-the-middle attacks. A certificate can only be registered once within a nevisIDM client (tenant).
The ability to log in without interaction makes certificate authentication very suitable for technical clients, for example, SOAP clients.
nevisIDM requires the information encoded in the certificate. To avoid parsing the certificate every time it is used, the table TIDMA_CERT_INFO was introduced. It is located in [Certificate]. Separate tables list all certificate attributes and all certificate policy parameters.
SuisseID
The SuisseID is the digital equivalent of the Swiss passport. From a technical perspective (that is, from nevisIDM's perspective), the SuisseID is a pair of certificates belonging to a single SuisseID number. However, only one of them, the Identity and Authentication Certificate (IAC), is used for the login. Therefore, nevisIDM treats it as a single certificate credential and there is no credential type "SuisseID".
For more information about the SuisseID, browse to http://www.adnovum.ch.
PUK
A PUK (Personal Unblocking Key) is a strong type of password that can be used for authentication or to unlock other passwords. The value of a PUK can only be generated by nevisIDM; it cannot be set via the web service or in the GUI. The PUK can be generated together with a normal password (sometimes also called PIN). In this case, a new password credential is generated automatically as well; if the user already has a password credential, it is reset. [The table] lists all PUK policy parameters.
URL ticket
A URL ticket is a special password that is communicated to the user as part of a personalized link.
The value of a URL ticket is generated by nevisIDM; it cannot be set via the web service or in the GUI, and URL tickets cannot be regenerated. A URL ticket can be used only once; it is deleted automatically after a successful authentication. The format of the personalized link is as follows:
- {URLPrefix}{calculated value depending on loginId/clientId/URL ticket}
[The table] lists all URL ticket policy parameters.
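The single-use semantics shared by one-time tickets, temporary strong passwords and URL tickets can be illustrated with a small Python ticket store, added here as an example; it is not nevisIDM code. It generates the random value with the OS CSPRNG, stores only a hash of it, binds it to the loginId and clientId it was issued for, lets the policy decide how many uses are allowed, and builds a personalized link of the form {URLPrefix}{value}. The base64url encoding of loginId|clientId|ticket as the "calculated value", the class and function names, and the default lifetime are assumptions.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class TicketRecord:
    login_id: str
    client_id: str
    expires_at: float
    max_uses: int       # ticket policy: 1 for a strict one-time ticket, larger if re-use is allowed
    uses: int = 0


def _digest(value: str) -> bytes:
    # Only a hash of the ticket value is stored; a leaked table does not yield usable tickets.
    return hashlib.sha256(value.encode("utf-8")).digest()


class TicketStore:
    """In-memory ticket store (hypothetical; not nevisIDM's implementation)."""

    def __init__(self, url_prefix: str, ttl_seconds: int = 600, max_uses: int = 1, clock=time.time):
        self.url_prefix = url_prefix
        self.ttl_seconds = ttl_seconds
        self.max_uses = max_uses
        self._clock = clock          # injectable for tests
        self._records = {}           # digest -> TicketRecord

    def issue(self, login_id: str, client_id: str) -> str:
        """Generate a fresh random ticket value bound to a user and client (tenant)."""
        value = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG; never regenerated
        self._records[_digest(value)] = TicketRecord(
            login_id, client_id, self._clock() + self.ttl_seconds, self.max_uses)
        return value

    def personalized_link(self, login_id: str, client_id: str) -> str:
        """Build {URLPrefix}{value}; the value encodes loginId, clientId and the ticket
        (assumed encoding: base64url of 'loginId|clientId|ticket')."""
        ticket = self.issue(login_id, client_id)
        payload = f"{login_id}|{client_id}|{ticket}".encode("utf-8")
        return self.url_prefix + base64.urlsafe_b64encode(payload).decode("ascii").rstrip("=")

    @staticmethod
    def parse_link(link: str, url_prefix: str) -> tuple[str, str, str]:
        """Inverse of personalized_link; assumes clientId and the ticket contain no '|'."""
        if not link.startswith(url_prefix):
            raise ValueError("link does not carry the expected URL prefix")
        encoded = link[len(url_prefix):]
        encoded += "=" * (-len(encoded) % 4)
        login_id, client_id, ticket = base64.urlsafe_b64decode(encoded).decode("utf-8").rsplit("|", 2)
        return login_id, client_id, ticket

    def redeem(self, login_id: str, client_id: str, value: str) -> bool:
        """Consume one use of the ticket. Returns True only for a live, unexpired ticket
        presented by the user and client it was issued for."""
        digest = _digest(value)
        record = self._records.get(digest)
        if record is None:
            return False
        bound_to_caller = (hmac.compare_digest(record.login_id.encode(), login_id.encode())
                           and hmac.compare_digest(record.client_id.encode(), client_id.encode()))
        if not bound_to_caller:
            return False                       # wrong user/tenant: the ticket is not consumed
        if self._clock() > record.expires_at:
            del self._records[digest]          # expired tickets are purged on first touch
            return False
        record.uses += 1
        if record.uses >= record.max_uses:
            del self._records[digest]          # one-time: deleted after the last allowed use
        return True
```

Redeeming the same value a second time fails because the record is gone, which is exactly the "deleted automatically after a successful authentication" behaviour described for URL tickets; raising max_uses models a ticket policy that permits re-use.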
Device password
A device password credential is similar to a normal password credential, with the exception that the user is allowed to have several device password credentials. This is useful for users who have multiple devices (smartphone, PC, laptop, etc.). The device password credential provides the same features as a normal password credential.
To log in using the device password, the user must provide an additional identifier that uniquely defines the credential/device to use. This identifier is called the device password ID. Device password credentials support the same policy parameters as password credentials. [The table] lists all these policy parameters.
Context password
A context password credential is similar to a normal password credential, with the exception that the user is allowed to have several context password credentials. The context password credential provides the same features as a normal password credential. Additionally, it has a mandatory context attribute that is unique for each user. To log in using the context password, the context must be given by the user, which uniquely defines which context password to use. [The table] lists all context password policy parameters.
Security question
The security question credential holds the user's answers to one or more security questions, e.g., "What was the name of your first pet?" In the default setup, only the owner of the credential is allowed to add or modify answers. This behavior can be changed with the Security Question policy parameter "restrictModifyToOwner".
We recommend using security questions only as an additional authenticator in combination with other credentials. Separate tables list all security question attributes, the attributes concerning the answers to the security questions, and all security question policy parameters.
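The owner-only modification rule governed by "restrictModifyToOwner" can be shown in a few lines of Python, added here as an example that is not nevisIDM code. Answers are normalised and stored as salted PBKDF2 hashes, so the credential store never holds them in clear; the normalisation rule, the PBKDF2 parameters, the class and its method names are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised when a non-owner tries to change answers while restrictModifyToOwner is active."""


def normalize_answer(answer: str) -> str:
    """Canonicalise so that 'Fluffy ', 'fluffy' and 'FLUFFY' compare equal (assumed rule)."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Answers are treated like passwords: salted, slow hash, never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"), salt, 100_000)


@dataclass
class SecurityQuestionCredential:
    owner: str                                     # loginId of the credential owner
    restrict_modify_to_owner: bool = True          # policy parameter "restrictModifyToOwner"
    _answers: dict = field(default_factory=dict)   # question id -> (salt, hash)

    def set_answer(self, actor: str, question_id: str, answer: str) -> None:
        """Add or modify an answer; refused for non-owners while the policy restricts modification."""
        if self.restrict_modify_to_owner and actor != self.owner:
            raise NotAuthorized(f"{actor} may not modify the security questions of {self.owner}")
        salt = secrets.token_bytes(16)             # fresh salt per answer and per change
        self._answers[question_id] = (salt, hash_answer(answer, salt))

    def question_ids(self) -> list[str]:
        return sorted(self._answers)

    def check_answer(self, question_id: str, answer: str) -> bool:
        """Constant-time check of one answer; unknown questions simply fail."""
        entry = self._answers.get(question_id)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(hash_answer(answer, salt), expected)
```

With the policy relaxed (restrict_modify_to_owner=False) an administrator or help-desk account can set answers on a user's behalf, which is the behaviour change the policy parameter controls.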
OATH
OATH credentials are OTP credentials based on the specification of the Initiative for Open Authentication (OATH). They support two modes, HOTP and TOTP. HOTP is an HMAC-based one-time password algorithm that is counter-based, which means that the user has to click (press the token button or tap in the app) to get a new password/token. TOTP is similar to HOTP but is time-based, which means the system automatically creates a new password/token after a set amount of time. We recommend TOTP unless specified otherwise.
The OATH credential is used in combination with a mobile app or hardware token that supports TOTP and/or HOTP, e.g., Google Authenticator. Separate tables list all OATH attributes and all OATH policy parameters.
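As an added example that is not nevisIDM code, the following Python implements the HOTP and TOTP algorithms described above, following RFC 4226 and RFC 6238, together with the server-side checks a credential store needs: a look-ahead window for counter-based tokens (the user may have clicked without logging in) and, for time-based tokens, tolerance for clock drift plus refusal of a time step that has already been used. The function names, window sizes and the Base32 helper are assumptions; the secret used for the sample values is the RFC test secret.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects 4 bytes
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6, t0: int = 0,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps elapsed since t0."""
    return hotp(secret, int((for_time - t0) // step), digits, algorithm)


def secret_from_base32(encoded: str) -> bytes:
    """Decode a Base32 secret as shown to a mobile app (otpauth URIs use this encoding)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_hotp(secret: bytes, stored_counter: int, code: str, digits: int = 6,
                look_ahead: int = 10) -> int | None:
    """Check a counter-based token against the stored counter plus a look-ahead window.
    Returns the new counter to store, or None if the code does not match; a counter at or
    below stored_counter is never accepted, so a used code cannot be replayed."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits).encode(), code.encode()):
            return c + 1
    return None


def verify_totp(secret: bytes, last_used_step: int, code: str, now: float, digits: int = 6,
                step: int = 30, window: int = 1) -> int | None:
    """Check a time-based token, tolerating +/- `window` steps of clock drift. Returns the
    time step that matched (to be stored as last_used_step) or None. A step that has already
    been used is refused, so a captured code cannot be replayed within its validity period."""
    current = int(now // step)
    for s in range(current - window, current + window + 1):
        if s <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, s, digits).encode(), code.encode()):
            return s
    return None
```

The verifier must persist the value each check returns (next counter or last used step) together with the credential; without that state, HOTP cannot resynchronise and TOTP cannot reject a replayed code inside the same time step.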