Passcode vs PIN
Hello - I hope this is a really quick answer but I haven't been able to find it yet. In the token policy, I see min/max PIN and min/max Passcode. I thought the passcode = PIN + Code from the RSA token so how can it have a maximum of 8? What length am I limiting to 8? What is the benefit of matching the PIN default settings?
Thank you! Rich
Welcome to the community! Here is the quickest answer that I can give: You are correct that the passcode is PIN + tokencode.
The min and max PIN values are set in token policies, as you have found, shown here:
The value here is the minimum length that a PIN can be when used to authenticate. We do not allow less than four characters or more than eight. Let's say you are using a hardware token to authenticate to your VPN. The displayed token code is 159759, like this:
If you have the default min PIN and max PIN values of 4 and 8 respectively, your users can create PIN values that are short like 1125 or longer like 19030752 (or anywhere in between). Now to authenticate with your passcode (PIN + tokencode), you would enter 1125159759 or 19030752159759. Note that if you update your token policy to change the min or max PIN values you may place some of your users into New PIN mode. An example would be that if you change your min PIN from 4 to 6, any users whose PINs are either 4 or 5 characters will be prompted to create a new PIN.
Hmm, a longer answer than I expected.
For your question on matching PIN default settings, fixed passcodes do not offer two-factor authentication; therefore, from a security perspective we do not recommend setting fixed passcodes for your end users. They are helpful for admins for testing because you do not need to wait for a tokencode to roll to the next one. Copying settings from the SecurID PIN format for fixed passcodes means that the values for a fixed passcode need to match whatever values you set below for PIN format, like allowed passcode length, use of alpha characters, whether the excluded word list is used, etc.
Oh my! This is so much longer than expected, but I hope I answered your questions!
Best regards,
Erica
Thank you, Erica! I appreciate the response. So, if the passcode = PIN+tokencode, then how/why is the passcode maximum length limit set to 8? If I'm using a PIN, wouldn't it be impossible to get a passcode of 8 since it includes both the PIN and the tokencode? I need a group of our users to move from a 6-digit PIN to an 8-digit PIN, but in my testing, it seems like it only forces me to change my PIN to 8 digits if I have both the PIN and the passcode length set to 8 as the min and max. I don't understand what the passcode min/max setting does. Can you please help me understand that?
Remember:
- The PIN is the something you know.
- The token, and therefore the tokencode, is the something you have. Tokencode lengths are either 6 digits for hardware tokens or either 6 or 8 digits for software tokens.
- The passcode is a combination of the PIN + tokencode.
It is not the passcode length that is being set with the min and max value, it is the PIN length we are defining. In your example, you need to have a group of users move from a 6-digit PIN to an 8-digit PIN. The behavior that you are describing when setting an 8-digit PIN requirement seems to be the product functioning as it should.
Let me know if that makes sense.
Best regards,
Erica
Hi Erica - yes, what you write here makes sense except for the passcode length limit. I'm so sorry for the trouble. If the passcode = PIN + 6-digit tokencode, and I set the PIN length to 6 (for example) then the minimum the passcode length in this situation is 12, right? And most PINs will probably be 6 or 8 digits so the minimum passcode should be 8 (4-digit PIN + 4-digit tokencode) and the maximum at 16 assuming both the software token and the PIN are set to 8. But why have a configurable setting at all that limits the passcode length if both the PIN and tokencode are set elsewhere?
I'm attaching an image of the Fixed passcode format option from the token policy. The Minimum length is 6 and Maximum length is 8 in the image. What does "Maximum passcode length = 8" mean? I don't want to change the PIN requirement to an 8-digit PIN without understanding what this passcode setting does in case it breaks something by me leaving it as is or changing it. Thanks again!!
No trouble at all! My answers are inline:
- If the passcode = PIN + 6-digit tokencode, and I set the PIN length to 6 (for example) then the minimum the passcode length in this situation is 12, right?
That is correct.
- And most PINs will probably be 6 or 8 digits so the minimum passcode should be 8 (4-digit PIN + 4-digit tokencode)
There will never be a 4-digit tokencode. Tokencodes will be either six digits on a hardware token fob or either six or eight digits on a software token that is on your desktop or device.
Hardware token displaying six digits:
Software token displaying eight digits (with PIN already entered, because we can see that the label says passcode):
- The maximum at 16 assuming both the software token and the PIN are set to 8.
Correct.
- But why have a configurable setting at all that limits the passcode length if both the PIN and tokencode are set elsewhere?
Both the min PIN and max PIN values are set under Authentication > Policies > Token Policies. They are not set elsewhere.
- I'm attaching an image of the Fixed passcode format option from the token policy. The Minimum length is 6 and Maximum length is 8 in the image. What does "Maximum passcode length = 8" mean?
It means that the maximum length of a fixed passcode is eight characters.
- I don't want to change the PIN requirement to an 8-digit PIN without understanding what this passcode setting does in case it breaks something by me leaving it as is or changing it. Thanks again!!
The fixed passcode is a whole other thing and not the same as the passcode used when you use PIN + tokencode. Going back to your tokens, when you authenticate for the first time you create a PIN. You then use this PIN + passcode to authenticate. Every time you authenticate you use the same PIN but a different tokencode.
For fixed passcodes you set a passcode of, let's say, 12345678, and it never changes. You do not use a PIN. Every time you authenticate you use only 12345678. You can set acceptable min and max lengths for a fixed passcode, just as you can for a PIN, but they are not the same. Like I mentioned, fixed passcodes are great as an auth method for your admins when testing authentication issues because you are not sitting around waiting for 60 seconds to test again (the longest 60 seconds ever, except maybe for the last minute when you want to take the popcorn out of the microwave). They are also good for service accounts that are automated to ensure authentication is working; on a Cisco switch, for example.
The information below is from the Administrator's Guide and may be helpful to you:
Maximum Lifetime: A fixed passcode can be used instead of a PIN and tokencode to authenticate. Fixed passcodes are not recommended because they eliminate the advantages of two-factor authentication. This setting determines the maximum amount of time that a user can keep a fixed passcode before being required to change it. For example, suppose the maximum fixed passcode lifetime is set to 90 days. If users change their fixed passcode on June 1, they must change it again on August 30. This setting prevents users from indefinitely keeping the same fixed passcode, which increases the likelihood that it might be guessed by an unauthorized person trying to access your network.
Minimum Lifetime: The minimum amount of time that a fixed passcode can exist before the user can change it. For example, suppose the minimum lifetime is set to 14 days. If users change their fixed passcode on June 15, they cannot change it again until June 29. This setting prevents users from circumventing restrictions on reusing old fixed passcodes that may have previously been set. For example, suppose you restrict users from reusing their five most recent fixed passcodes. The minimum fixed passcode lifetime prevents users from immediately changing their fixed passcode six times so that they can reuse a particular fixed passcode.
Bring on your next questions!
Best regards,
Erica
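A small model of the distinction the thread keeps returning to: the PIN + tokencode passcode has a length that is derived from the PIN policy and the token type, while a fixed passcode has its own length and lifetime settings. This is an added example, not RSA's code or the community's; the TokenPolicy fields, the split logic and the sample values are constructed assumptions that mirror the numbers quoted above.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical model of the token-policy fields discussed in the thread.
# Field names and defaults are assumptions, not the console's real labels.
@dataclass
class TokenPolicy:
    min_pin: int = 4              # minimum PIN length (PIN + tokencode passcodes)
    max_pin: int = 8              # maximum PIN length
    fixed_min: int = 6            # fixed passcode minimum length (separate setting)
    fixed_max: int = 8            # fixed passcode maximum length
    max_lifetime_days: int = 90   # fixed passcode maximum lifetime
    min_lifetime_days: int = 14   # fixed passcode minimum lifetime

# Tokencode lengths as stated in the thread: fobs show 6 digits, software 6 or 8.
TOKENCODE_LENGTHS = {"hardware": (6,), "software": (6, 8)}

def passcode_length_range(policy, token_type):
    """Passcode = PIN + tokencode, so its length is derived, never configured."""
    codes = TOKENCODE_LENGTHS[token_type]
    return policy.min_pin + min(codes), policy.max_pin + max(codes)

def split_passcode(passcode, tokencode_len, policy):
    """Peel the tokencode off the end; what remains is the PIN, checked against policy."""
    if len(passcode) <= tokencode_len:
        raise ValueError("passcode too short to hold both a PIN and a tokencode")
    pin, tokencode = passcode[:-tokencode_len], passcode[-tokencode_len:]
    if not policy.min_pin <= len(pin) <= policy.max_pin:
        raise ValueError(f"PIN length {len(pin)} outside {policy.min_pin}-{policy.max_pin}")
    return pin, tokencode

def forces_new_pin(pin, new_policy):
    """True when a policy change would put this user into New PIN mode (e.g. min 4 -> 6)."""
    return not new_policy.min_pin <= len(pin) <= new_policy.max_pin

def fixed_passcode_ok(fixed, policy):
    """Fixed passcodes use their own min/max, unrelated to the PIN range."""
    return policy.fixed_min <= len(fixed) <= policy.fixed_max

def fixed_passcode_window(last_changed_iso, policy):
    """(earliest date a change is allowed, date by which a change is required)."""
    changed = date.fromisoformat(last_changed_iso)
    earliest = changed + timedelta(days=policy.min_lifetime_days)
    latest = changed + timedelta(days=policy.max_lifetime_days)
    return earliest.isoformat(), latest.isoformat()
```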
Hi Erica -
Yes, let's stick with hardware tokens for this. We're getting so close! I think I now understand that fixed passcodes are usually used for server admins and not something I really need to worry about for the masses except... LOL if a server admin comes and asks me to help them with a fixed passcode instead of a PIN, how do I do that? I don't plan on doing it currently but would like to know so that I don't inadvertently trigger something. What setting do I use to say "don't use a PIN, use a fixed passcode"?
The reason I ask is that according to your response here, it feels like I should be able to toggle that option on or off since it's not commonly used. If I'm rarely going to use a fixed passcode, why do I only have the 2 options of "use my PIN settings" or "define separate settings" at all? The problem is that for a token policy, I'm being forced to decide on one of those two "active" options which means I need to understand how they're used. Ideally, the default setting should say something like "do not use fixed passcodes".
Anyway, if I can learn how fixed passcodes are assigned, I think I have a grip on the PIN vs. fixed passcode issue.
Thanks again for your help!! There is a lot of excellent information here that I hope helps others as well.
