10.6.1 DIGIPASS Assignment Options
With the introduction of Virtual DIGIPASS, there are several different assignment combinations that can be used.
The first option in the table below does not utilize Virtual DIGIPASS. The others include a Virtual DIGIPASS in either a backup or primary mode.
Primary | Backup | Description
DIGIPASS | None | User must log in using a DIGIPASS.
DIGIPASS | Backup Virtual DIGIPASS | User usually logs in using a DIGIPASS, but may utilize the Backup Virtual DIGIPASS feature where required. Usage of the feature may be limited.
DIGIPASS (temporarily disallowed) | Backup Virtual DIGIPASS | User must log in using the Backup Virtual DIGIPASS feature. This might be used while a User’s DIGIPASS is lost, until the DIGIPASS is recovered.
Primary Virtual DIGIPASS | N/A | User is assigned a Virtual DIGIPASS and must log in using it.
Table 2: DIGIPASS Options
10.6.2 Cost
Your company will probably need to pay an amount for each text message sent. In some countries, mobile phone owners might need to pay an amount for each text message received on their mobile phone. This will need to be taken into consideration when deciding how to implement Virtual DIGIPASS functionality.
10.6.3 Security
Hardware DIGIPASS devices provide the highest level of security. Virtual DIGIPASS provides a lower, although still high, level of security. This needs to be weighed against other considerations before deciding whether your company will implement Virtual DIGIPASS, and if so, how it will be implemented.
10.6.4 Convenience
Virtual DIGIPASS is more convenient than a hardware DIGIPASS for many Users. Only one’s usual mobile phone is required: there are no extra devices to carry around. Users who do not habitually carry their mobile phone with them, though, are likely to find a GO 3 or GO 1 easier to transport.
For Users with the Backup Virtual DIGIPASS enabled, it might be the difference between going to work to pick up a forgotten DIGIPASS and getting important work done at home.
10.6.5 Gateway and account
Your company will need the use of a text message gateway and an account with the gateway. The Message Delivery Component will need configuration information for the gateway and the Username and password for the account. Your VASCO supplier can assist with this process.
10.6.6 Limiting Usage of Virtual DIGIPASS
Use of Virtual DIGIPASS may be limited by:
- Using Backup Virtual DIGIPASS only.
- Minimizing the number of Users assigned a Primary Virtual DIGIPASS.
A User’s Primary Virtual DIGIPASS use cannot be limited.
The Backup Virtual DIGIPASS feature may be enabled as an ‘emergency’ backup for Users who have left their primary DIGIPASS at home, or for other reasons do not have access to their primary DIGIPASS. Use of this feature can be limited for each DIGIPASS by:
Time period
Set a time period in which a User may access the Backup Virtual DIGIPASS. After this period has expired, any Virtual DIGIPASS requests from the User will be rejected. If the User is still unable to use their DIGIPASS, the time period must then be extended by an administrator. Once they have started using their DIGIPASS again, the administrator must reset the time period if the User is to be allowed to use Backup Virtual DIGIPASS again.
Number of Uses
Set a maximum number of times a User may request an OTP using the Backup Virtual DIGIPASS feature. When the User has reached this number of uses, any further OTP requests from the User will be rejected. This must be reset by an administrator if further use of the Backup Virtual DIGIPASS is required for the User.
Global and Individual Backup Virtual DIGIPASS settings
Backup Virtual DIGIPASS options can be set globally or individually, to allow a standard policy for all DIGIPASS with exceptions made where necessary. Global settings will affect all DIGIPASS whose individual option is set to 'Default'.
Global options are defined in the Policy that controls authentication. Therefore, by using multiple Policies, you have some additional flexibility.
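The sketch below is an added example, not VASCO product code: it models how the time-period and number-of-uses limits combine with the 'Default' fallback to the Policy. The class and field names are hypothetical, and it assumes the time period starts at the first Backup Virtual DIGIPASS use.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DEFAULT = "Default"  # individual option value that defers to the Policy

@dataclass
class Policy:  # global settings (hypothetical field names)
    backup_enabled: bool
    time_limit: Optional[timedelta]  # None = no time limit
    max_uses: Optional[int]          # None = no use limit

@dataclass
class Digipass:  # individual settings (hypothetical field names)
    backup_enabled: object = DEFAULT
    time_limit: object = DEFAULT
    max_uses: object = DEFAULT
    first_use: Optional[datetime] = None
    uses: int = 0

def effective(individual, global_value):
    """Individual setting wins unless it is 'Default'."""
    return global_value if individual == DEFAULT else individual

def request_backup_otp(dp, policy, now):
    """Return (accepted, reason) for a Backup Virtual DIGIPASS OTP request."""
    if not effective(dp.backup_enabled, policy.backup_enabled):
        return False, "backup disabled"
    limit = effective(dp.time_limit, policy.time_limit)
    if limit is not None and dp.first_use and now > dp.first_use + limit:
        return False, "time period expired"
    max_uses = effective(dp.max_uses, policy.max_uses)
    if max_uses is not None and dp.uses >= max_uses:
        return False, "use limit reached"
    if dp.first_use is None:
        dp.first_use = now  # assumption: period starts at first backup use
    dp.uses += 1
    return True, "OTP sent"

def admin_reset(dp):
    """Administrator reset: clears the period start and the use counter."""
    dp.first_use, dp.uses = None, 0

def demo():
    """Constructed scenario: global limits of 2 days and 3 uses."""
    policy, dp, t0 = Policy(True, timedelta(days=2), 3), Digipass(), datetime(2024, 1, 1, 9)
    out = [request_backup_otp(dp, policy, t0 + timedelta(hours=h))[1] for h in range(4)]
    admin_reset(dp)
    out.append(request_backup_otp(dp, policy, t0 + timedelta(days=1))[1])
    out.append(request_backup_otp(dp, policy, t0 + timedelta(days=4))[1])
    return out
```

Either limit alone is enough to reject a request, and only the administrator reset restores access, which is why the choice of global limits drives the administration load.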
10.6.6.2 Backup Virtual DIGIPASS Usage Guidelines
Some questions which will need to be answered before arriving at Backup Virtual DIGIPASS usage guidelines are:
- Will any users have access to Backup Virtual DIGIPASS?
- If so, will all users have access to Backup Virtual DIGIPASS?
- Will usage of Backup Virtual DIGIPASS be limited? If so, how?
  - Time-limited?
  - Limited number of uses?
Some Possible Guidelines
Guideline | Pro | Con
Backup Virtual DIGIPASS disabled for all - enabled for individual Users as required. | Low text message costs | Manual enable for each User and circumstance. Possible heavy administration load.
Backup Virtual DIGIPASS enabled for all - either time/number of usage limit set. | Predictable text message costs | Administrator may need to reset limits frequently – medium administration load.
Backup Virtual DIGIPASS enabled for all - no limits set. | Lighter administration load | Possible high text message costs.
Table 3: Backup Virtual DIGIPASS Example Guidelines
10.6.7 Resetting Virtual DIGIPASS Restrictions
When a User has reached their limit of Virtual DIGIPASS use, an administrator must reset their limit.
10.6.8 Virtual DIGIPASS Login options
A decision must be made as to how Users will log in using Virtual DIGIPASS. In particular, Users with a hardware DIGIPASS and the Backup Virtual DIGIPASS enabled must be able to request an OTP to be sent to their mobile phone when required, but log in using the hardware DIGIPASS at other times.
The simplest method for the User is a 2-step login process, where the User enters their User ID and password only, triggering an OTP Request, and is then redirected to a second login page to enter the OTP sent to them. To use this method, though, your system must be set up to allow 2-step logins. Check with your system administrator if unsure.
Alternatives to the 2-step login are a sequence of two 1-step logins or the use of a specific web page to request an OTP, separate from the login page screen.
See the Administrator Reference for information on possible login permutations.