Flexible Identity
Multi-Factor Authentication
Tokenless authenticators guide
© Copyright Orange Business Services 2 of 26
welcome
Your company has chosen Orange Business Services Flexible Identity – Multi-Factor Authentication service (aka FI-MFA) to help you protect your on-line identity and the networks, applications and data you use from unauthorized access.
The information in this guide applies to the following tokenless authenticators:
GrIDsure
SMS
Password
The information in this guide is intended for:
end-users: people in your company that will use the FI-MFA service.
operators: people in your company that will manage your FI-MFA end-users.
administrators: people in your company that will manage the FI-MFA service.
contents
GrIDsure overview
what is a GrIDsure token?
why use a GrIDsure token?
how does a GrIDsure token protect me?
what additional security features does my GrIDsure token offer?
what is the difference between PIP characters and an OTP?
how does a GrIDsure token work?
what are the characteristics of my GrIDsure token?
what is self-enrollment?
how do I self-enroll my GrIDsure token?
how long will my GrIDsure token continue to operate?
what if I have not received the “self-enrollment” email notification?
what is the Self-Service Portal?
why can’t I log on using my GrIDsure token?
I entered an incorrect OTP
my user account is locked
my GrIDsure token has been suspended or revoked
what are my responsibilities?
how should I protect my PIN/PIP?
how can I change my PIN/PIP?
what if I forget my PIN/PIP?
GrIDsure
introduction
enrolling GrIDsure token
authenticating with a GrIDsure token
Self-Service Portal for GrIDsure
accessing the Self-Service Portal Web site
resetting a GrIDsure token PIN
sending temporary sign-in password by e-mail/SMS
SMS overview
what is a SMS token?
why use a SMS token?
how does a SMS token protect me?
what additional security features does my SMS token offer?
what is the difference between a token code and an OTP?
what are the characteristics of my SMS token?
operation modes
how long will my OTP token continue to operate?
what is the Self-Service Portal?
why can’t I log on using my SMS token?
I entered an incorrect OTP
my user account is locked
my SMS token has been suspended or revoked
what are my responsibilities?
where should I store my SMS token?
what if I forget my SMS token?
what if I lose my SMS token?
how should I protect my PIN?
how can I change my PIN?
what if I forget my PIN?
SMS
Introduction
authenticating with a SMS token
Self-Service Portal for SMS
accessing the Self-Service Portal
resetting a SMS token PIN
resending SMS
sending temporary sign-in password by e-mail/SMS
what is a Password token?
what are the characteristics of my Password token?
what is self-enrollment?
how do I self-enroll my Password token?
how long will my Password token continue to operate?
what if I have not received the “self-enrollment” email notification?
what is the Self-Service Portal?
why can’t I log on using my Password?
I entered an incorrect Password
my user account is locked
my Password token has been suspended or revoked
what are my responsibilities?
how should I protect my Password?
how can I change my Password?
what if I forget my Password?
Password
introduction
enrolling Password token
GrIDsure overview
If you are already comfortable with FI-MFA terminology and the GrIDsure authenticator, you can go directly to the instructions in the GrIDsure section.
what is a GrIDsure token?
A GrIDsure token allows you to generate one-time passwords (OTPs) each time you log into your organization’s resources, without any additional hardware or software applications. The advantage of a GrIDsure token is mass deployment without hardware distribution. With our Secure Authentication service, GrIDsure tokens can be issued, revoked and reissued without restriction or the need to recover something from the end-user.
why use a GrIDsure token?
Until now, you have probably logged into your organization’s resources with your user name and a fixed password. The problem is that passwords are easily compromised, putting your identity and the resources you access at risk.
A GrIDsure token allows you to generate and use One-Time Passwords (aka OTPs) each time you log into your organization’s resources. As the name implies, an OTP can be used only one time. Each time you log in, you use your GrIDsure token to generate a unique OTP.
how does a GrIDsure token protect me?
Password theft is a common method that thieves and hackers use to steal identities and gain unauthorized access to networks and resources. Success depends on the stolen password being valid, in the same way that credit card theft relies on the card being usable until it is reported as stolen. Discovering the compromise is almost impossible until damage has been done.
Using a GrIDsure token solves this problem, because once you have logged in using an OTP, that password is no longer valid. Any attempt to log in by reusing the OTP will fail, and it will alert your network security professionals to a possible attack on your identity.
what additional security features does my GrIDsure token offer?
Depending on your organization’s policies, your GrIDsure token may be protected against unauthorized use by a Security PIN (aka PIN) that is known only to you. Like a bank card, a thief not only needs access to your GrIDsure token, but must know your PIN as well. Do not share your PIN with others. MFA GrIDsure tokens support server-side PIN (stored on the FI-MFA server).
what is the difference between PIP characters and an OTP?
The OTP value depends on the PIN protection of your GrIDsure token:
no PIN-protection: PIP characters form the OTP.
server-side PIN-protection: depending on your organization’s policies, you need to enter your PIN either before or after the PIP characters code to form the OTP.
how does a GrIDsure token work?
During the self-enrollment step (refer to the related chapter in this section for details), a grid of cells containing random characters is displayed to you. As shapes and patterns are remembered more easily than words and numbers, GrIDsure asks you to remember a sequence of cells in a pattern on the grid that is easily recognizable to you.
You choose your “Personal Identification Pattern” (aka PIP) from the arrangement and sequence of the cells from the grid:
When you are required to authenticate securely to a protected network resource, you select the characters that match your PIP from the unique characters shown to you by the grid:
In this example, your PIP would be a value of: 5582. This is seen in the highlighted cells above. Therefore to authenticate, you would enter 5582 as your one-time password value. The next time you need to authenticate, the characters displayed by the grid will be different, but the PIP remains the same. You just need to enter the new characters in your PIP displayed by the grid.
what are the characteristics of my GrIDsure token?
The characteristics of your GrIDsure token are defined by your organization and applied when your GrIDsure token is initialized.
Grid size: may be 5x5, 6x6 or 7x7.
Trivial PIP: diagonal line, straight line, or the four corners of the grid (may be allowed or denied).
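The pattern mechanism and the trivial-PIP rule described above, as an added Python example that is not part of the original guide or of the FI-MFA product. The grids, PIP, PIN and function names are constructed for illustration (the first grid is laid out so that the sample PIP reads 5582, like the guide's example), and the "all cells on one line" test is one interpretation of "straight line" and "diagonal line".

```python
import hmac
import secrets
import string

ALLOWED_SIZES = (5, 6, 7)  # grid sizes listed in this guide


def make_grid(size, alphabet=string.digits):
    """Return a fresh challenge grid: `size` strings of `size` random characters.
    The digit alphabet is an assumption; the guide only says "random characters"."""
    if size not in ALLOWED_SIZES:
        raise ValueError("grid size must be 5, 6 or 7")
    return ["".join(secrets.choice(alphabet) for _ in range(size))
            for _ in range(size)]


def read_pip(grid, pip):
    """Read the characters found at the PIP cells, in the order of the pattern."""
    size = len(grid)
    for row, col in pip:
        if not (0 <= row < size and 0 <= col < size):
            raise ValueError("PIP cell outside the grid")
    return "".join(grid[row][col] for row, col in pip)


def expected_otp(grid, pip, pin="", pin_first=True):
    """OTP for this challenge: PIP characters, with the PIN before or after them."""
    chars = read_pip(grid, pip)
    return pin + chars if pin_first else chars + pin


def verify_otp(submitted, grid, pip, pin="", pin_first=True):
    """Server-side check against the grid that was actually displayed."""
    expected = expected_otp(grid, pip, pin, pin_first)
    return hmac.compare_digest(submitted.encode(), expected.encode())


def is_trivial_pip(pip, size):
    """True for the patterns the guide calls trivial: every cell on one row,
    column or diagonal, or exactly the four corners of the grid."""
    cells = set(pip)
    if len(cells) < 2:
        return False
    last = size - 1
    if cells == {(0, 0), (0, last), (last, 0), (last, last)}:
        return True
    rows = {r for r, _ in cells}
    cols = {c for _, c in cells}
    diag = {r - c for r, c in cells}
    anti = {r + c for r, c in cells}
    return 1 in (len(rows), len(cols), len(diag), len(anti))


# Constructed sample data (not the grid from the original guide).
SAMPLE_PIP = [(1, 1), (2, 1), (3, 1), (3, 2)]               # an L-shaped pattern
SAMPLE_GRID = ["31746", "05928", "65103", "78219", "40637"]  # first challenge
NEXT_GRID = ["90214", "27365", "83071", "16954", "50482"]    # next challenge

if __name__ == "__main__":
    print(read_pip(SAMPLE_GRID, SAMPLE_PIP))                # same pattern ...
    print(read_pip(NEXT_GRID, SAMPLE_PIP))                  # ... different OTP
    print(verify_otp("5582", NEXT_GRID, SAMPLE_PIP))        # old OTP is rejected
    print(is_trivial_pip([(0, 0), (1, 1), (2, 2), (3, 3)], 5))
```

Because the OTP is read from the grid of the current challenge, an OTP observed during one login does not match the next grid, while the pattern itself never leaves the user's memory.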
what is self-enrollment?
Self-enrollment is a simple process during which you activate your GrIDsure token. During the process, you may be required to enter or create a PIN. When you complete the self-enrollment process, you will be able to use your GrIDsure token to generate token codes for login.
how do I self-enroll my GrIDsure token?
The self-enrollment process begins when you receive your “self-enrollment” email notification. The email contains instructions and your enrollment URL.
how long will my GrIDsure token continue to operate?
Your GrIDsure token will be able to generate OTPs until it is revoked by your IT administrator.
what if I have not received the “self-enrollment” email notification?
If you have not received a “self-enrollment” email notification, please contact your IT administrator to arrange for a new email to be sent to you.
what is the Self-Service Portal?
The Self-Service Portal is a Web site created to empower you to perform simple authentication management functions (the range of available functions depends on your organization’s policies) and in the process, reduce the workload and your reliance on the help desk.
The “self-enrollment” email notification contains the URL to access your Self-Service Portal.
why can’t I log on using my GrIDsure token?
There may be several causes of a failed login.
I entered an incorrect OTP
This is the most common cause. To avoid this, ensure that:
“Caps lock mode” is disabled on your keyboard.
your OTP is correctly formed (in accordance with the PIN protection type of your GrIDsure token).
my user account is locked
You exceeded the maximum number of consecutive failed logon attempts. You must wait the amount of time defined by your organization before your user account will unlock.
my GrIDsure token has been suspended or revoked
Please contact your IT administrator.
what are my responsibilities?
Using your GrIDsure token provides strong security, and simplifies your work efforts by reducing or eliminating the need to remember or periodically change passwords. As an additional measure, Orange recommends that you observe the following tips to ensure the highest level of security.
how should I protect my PIN/PIP?
Protect them just as you would the PIN for your bank or credit card. Never share them with anybody, including people you trust. This includes your colleagues and systems administrators at your company and personnel who are, or claim to be, representatives of Orange or a Partner of Orange. You should be extremely suspicious of anyone who ever tells you that they need to know your PIN/PIP, and you should report any such incident to your IT administrator immediately. Never write down your PIN/PIP.
how can I change my PIN/PIP?
If you wish to change your PIN/PIP, or if you are concerned that it has been compromised, use the “Reset PIN”/“Reset PIP” function of your FI-MFA Self-Service Portal, or contact your IT administrator if these functions were not enabled by your organization’s policies.
what if I forget my PIN/PIP?
If you forget your PIN/PIP, use the “Send sign-in password by e-mail/SMS” function of your Self-Service Portal or contact your IT administrator if this function was not enabled by your organization’s policies.
GrIDsure
introduction
GrIDsure users can generate OTPs without any additional hardware or software applications, and use them to authenticate to FI-MFA-protected applications and resources.
enrolling GrIDsure token
Step 1: you have or will receive a “Self-enrollment” email notification. Open it, click the self-enrollment Web site link (beginning with https://se.safenet-inc.com/...), and then switch to your Web browser to start the self-enrollment process.
Step 2: choose your PIP using the grid, enter the characters that match your PIP in the “Enter Value” case-sensitive field (depending on your organization’s policies, you may need to memorize the displayed PIN), and then click the “Next” button.
Step 3: memorize your User ID before closing your Web browser.
Your GrIDsure token is now active and able to generate OTPs.
authenticating with a GrIDsure token
You have the ability to authenticate with your GrIDsure Token only against systems that support GrIDsure (such as your Self-Service Portal described below).
Step 1: open the “Self-enrollment” email notification you previously received, click the FI-MFA Self-Service Portal link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Click the “Sign In” button, and then the “Sign in using your token” button.
Step 2: enter your User ID and then click the “OK” button without entering any value in the “OTP” field to display the grid. Enter the characters that match your PIP in the “OTP” field (depending on your organization’s policies, you may need to enter your PIN before the characters that match your PIP), and then click the “OK” button.
Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the “Sign In” button has been replaced by the “Sign Out” one.
Self-Service Portal for GrIDsure
accessing the Self-Service Portal Web site
Open the “Self-enrollment” email notification you previously received, click the Self-Service Portal link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage.
resetting a GrIDsure token PIN
Step 1: from the Self-Service Portal homepage, click the “Reset PIN” icon, the “Sign in using your token” button, and then authenticate against your Self-Service Portal.
If successful, the “Create New PIN” page is displayed.
Step 2: enter your new PIN (you are required to re-enter it for verification purposes), and then click the “OK” button.
Step 3: if successful, the “Your Security PIN has been successfully reset.” message is displayed. Click the “Sign Out” button before closing your browser.
resetting a GrIDsure token PIP
Step 1: from the Self-Service Portal homepage, click the “Reset PIP” icon, the “Sign in using your token” button, and then authenticate against your Self-Service Portal.
If successful, the “Select Pattern” page is displayed.
Step 2: choose your new PIP using the grid, enter the characters that match your PIP in the “Enter cell values” case-sensitive field, and click the “OK” button.
Step 3: if successful, the “Your PIP was successful.” message is displayed. Click the “Sign Out” button before closing your browser.
sending temporary sign-in password by e-mail/SMS
This temporary sign-in password is only for authentication against the Self-Service Portal (useful to reset a forgotten PIN/PIP) and is valid for 10 minutes.
Step 1: from the Self-Service Portal homepage, click the “Sign In” button, the “Send Sign in password by e-mail” (or “Send Sign in password by SMS”), enter your User ID, and then click the “Send” button.
Step 2: you have or will receive a “Self-service Temporary Sign In Password” email notification (or SMS) including your temporary sign-in password.
Step 3: from the Self-Service Portal homepage, click the “Sign In” button, the “Sign in using your token” button, and then authenticate using your temporary sign-in password as OTP.
SMS overview
If you are already comfortable with FI-MFA terminology and the SMS authenticator, you can go directly to the instructions in the SMS section.
what is a SMS token?
FI-MFA supports sending token codes to mobile phones via SMS messages. This allows the user to use their phone as a SMS token without requiring any additional software on the phone.
why use a SMS token?
Until now, you have probably logged into your organization’s resources with your user name and a fixed password. The problem is that passwords are easily compromised, putting your identity and the resources you access at risk.
A SMS token allows you to generate and use One-Time Passwords (aka OTPs) each time you log into your organization’s resources. As the name implies, an OTP can be used only one time.
how does a SMS token protect me?
Password theft is a common method that thieves and hackers use to steal identities and gain unauthorized access to networks and resources. Success depends on the stolen password being valid, in the same way that credit card theft relies on the card being usable until it is reported as stolen. Discovering the compromise is almost impossible until damage has been done.
Using a SMS token solves this problem, because once you have logged in using an OTP, that password is no longer valid. Any attempt to log in by reusing the OTP will fail, and it will alert your network security professionals to a possible attack on your identity.
what additional security features does my SMS token offer?
Depending on your organization’s policies, your SMS token may be protected against unauthorized use by a Security PIN (aka PIN) that is known only to you. Like a bank card, a thief not only needs access to your SMS token, but must know your PIN as well. Do not share your PIN with others. FI-MFA SMS tokens support server-side PIN (stored on the FI-MFA server).
what is the difference between a token code and an OTP?
The OTP value depends on the PIN protection of your SMS token:
server-side PIN-protection: depending on your organization’s policies, you need to enter
what are the characteristics of my SMS token?
The characteristics of your SMS token are defined by your organization and applied when your SMS token is initialized.
operation modes
SMS No Waiting: a user attempts to authenticate using their user name and SMS OTP. After successfully authenticating, the user then receives their next token code. The advantage is that a user always has a valid token code (which cannot be used without their PIN) on their phone. This method most closely mimics a traditional logon.
No Waiting Plus: this mode is very similar to SMS No Waiting, except that it will send up to 5 token codes in each SMS message. This is ideal for users that are frequently in areas with sporadic or unreliable SMS delivery because they are not dependent on the SMS service until all token codes have been consumed.
The following diagram describes SMS No Waiting/No Waiting Plus modes:
SMS challenge-response: a user attempts to authenticate using only their user name (blank password). The FI-MFA server immediately sends the user a token code to be used. The user then uses their OTP to authenticate.
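A small model of the three operation modes above, added here as an illustration and not taken from the FI-MFA server. The class and method names, the 6-digit code format, delivery of the first code at enrollment, the PIN placed before the token code and the failure threshold of 3 are all assumptions.

```python
import hmac
import secrets

MODES = ("no_waiting", "no_waiting_plus", "challenge_response")


class SmsTokenServer:
    """Toy server-side state for one user's SMS token (hypothetical model)."""

    def __init__(self, pin, mode, max_failures=3):
        if mode not in MODES:
            raise ValueError("unknown mode: " + mode)
        self.pin, self.mode, self.max_failures = pin, mode, max_failures
        self.unused = []    # token codes sent to the phone and not yet consumed
        self.used = set()   # consumed codes, kept so replays can be recognised
        self.outbox = []    # one entry per SMS "sent"; each entry is a list of codes
        self.alerts = []    # events a security team would be notified about
        self.failures = 0   # consecutive failed logons
        if mode != "challenge_response":
            self._send_sms()  # assumption: the first code(s) arrive at enrollment

    def _send_sms(self):
        # No Waiting Plus packs up to 5 codes into one message; other modes send 1.
        count = 5 if self.mode == "no_waiting_plus" else 1
        codes = []
        while len(codes) < count:
            code = f"{secrets.randbelow(10**6):06d}"
            if code not in self.used and code not in self.unused and code not in codes:
                codes.append(code)
        self.unused.extend(codes)
        self.outbox.append(codes)

    @property
    def locked(self):
        # The guide describes a timed unlock; this model only tracks the lock itself.
        return self.failures >= self.max_failures

    def login(self, password):
        """Return 'ok', 'denied', 'locked' or 'challenge_sent'."""
        if self.locked:
            return "locked"
        if self.mode == "challenge_response" and password == "":
            self.unused.clear()       # only the newest challenge code stays valid
            self._send_sms()
            return "challenge_sent"
        for code in self.unused:
            if hmac.compare_digest(password.encode(), (self.pin + code).encode()):
                self.unused.remove(code)
                self.used.add(code)   # an OTP is accepted exactly once
                self.failures = 0
                if self.mode != "challenge_response" and not self.unused:
                    self._send_sms()  # the user always holds a valid next code
                return "ok"
        self.failures += 1
        if any(password == self.pin + code for code in self.used):
            self.alerts.append("otp_reuse")   # replay of an already consumed OTP
        return "locked" if self.locked else "denied"


if __name__ == "__main__":
    server = SmsTokenServer(pin="2468", mode="no_waiting")   # constructed PIN
    otp = "2468" + server.outbox[-1][0]
    print(server.login(otp), server.login(otp), server.alerts)
```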
how long will my OTP token continue to operate?
FI-MFA SMS tokens will be able to generate OTPs until they are revoked by your IT administrator.
what is the Self-Service Portal?
The Self-Service Portal is a Web site created to empower you to perform simple authentication management functions (the range of available functions depends on your organization’s policies) and in the process, reduce the workload and your reliance on the help desk.
The “self-enrollment” email notification contains the URL to access your Self-Service Portal.
why can’t I log on using my SMS token?
There may be several causes of a failed login.
I entered an incorrect OTP
This is the most common cause. To avoid this, ensure that:
“Caps lock mode” is disabled on your keyboard.
you enter the right characters and keystrokes.
your OTP is correctly formed (in accordance with the PIN protection type of your OTP token).
my user account is locked
You exceeded the maximum number of consecutive failed logon attempts. You must wait the amount of time defined by your organization before your user account will unlock.
my SMS token has been suspended or revoked
Please contact your IT administrator.
what are my responsibilities?
Using your SMS token provides strong security, and simplifies your work efforts by reducing or eliminating the need to remember or periodically change passwords. As an additional measure, Orange recommends that you observe the following tips to ensure the highest level of security.
where should I store my SMS token?
You should keep your token separate from your computer. Do not leave it on your desk, or with your computer bag. Treat it as you would your wallet, purse, or credit cards, and keep it with you at all times.
what if I forget my SMS token?
Your OTP token is a primary security device designed to protect you and the resources you access. Keep it with your car keys or purse or other valuable items that you use on a regular basis to minimize the potential to forget it. If you do forget your OTP token, contact your IT administrator.
what if I lose my SMS token?
If you lose your token, report it immediately to your IT administrator:
he will take the necessary actions to ensure the lost token does not present a security risk.
Depending on your organization’s policies, he will provide you with a temporary alternative for logging into the network until you receive a replacement token.
how should I protect my PIN?
If you have a PIN, protect it just as you would the PIN for your bank or credit card. Never share it with anybody, including people you trust. This includes your colleagues and systems administrators at your company and personnel who are, or claim to be, representatives of Orange or a Partner of Orange. You should be extremely suspicious of anyone who ever tells you that they need to know your PIN, and you should report any such incident to your IT administrator immediately. Never write down your PIN.
how can I change my PIN?
If you wish to change your PIN, or if you are concerned that it has been compromised, use the “Reset PIN” function of your Self-Service Portal, or contact your IT administrator if this function was not enabled by your organization’s policies.
what if I forget my PIN?
If you forget your PIN, use the “Send sign-in password by e-mail/SMS” function of your Self-Service Portal or contact your IT administrator if this function was not enabled by your organization’s policies.
SMS
Introduction
FI-MFA supports sending token codes to mobile phones via SMS messages. This allows the user to use their phone as a hardware token without requiring any additional software on the phone.
authenticating with a SMS token
You have the ability to authenticate with your SMS token against any systems that require a logon password.
Enter your User ID and the SMS token code as password (depending on your organization’s policies, you may need to enter your PIN either before or after the token code).
Self-Service Portal for SMS
accessing the Self-Service Portal
Contact your IT administrator to find out which URL to use (beginning with https://ss.safenet-inc.com/...) to connect to the Self-Service Portal.
resetting a SMS token PIN
Step 1: from the Self-Service Portal homepage, click the “Reset PIN” icon, the “Sign in using your token” button, and then authenticate against your Self-Service Portal.
Step 2: enter your new PIN (you are required to re-enter it for verification purposes), and then click the “OK” button.
Step 3: if successful, the “Your Security PIN has been successfully reset.” message is displayed. Click the “Sign Out” button before closing your browser.
resending SMS
If published by your organization, this function allows you to request an SMS/OTP resend to your registered mobile device.
sending temporary sign-in password by e-mail/SMS
This temporary sign-in password is only for authentication against the Self-Service Portal (useful to reset a forgotten PIN) and is valid for 10 minutes.
Step 1: from the Self-Service Portal homepage, click the “Sign In” button, the “Send Sign in password by e-mail” (or “Send Sign in password by SMS”), enter your User ID, and then click the “Send” button.
Step 2: you have or will receive a “Self-service Temporary Sign In Password” email notification (or SMS) including your temporary sign-in password.
Step 3: from the Self-Service Portal homepage, click the “Sign In” button, the “Sign in using your token” button, and then authenticate using your temporary sign-in password as OTP.
Password overview
If you are already comfortable with FI-MFA terminology and the Password authenticator, you can go directly to the instructions in the Password section.
what is a Password token?
A Password token allows you to use Single-factor authentication (SFA) each time you log into your organization’s resources. Single-factor authentication (SFA) is the traditional security process that requires a user name and password before granting access to the user.
what are the characteristics of my Password token?
The characteristics of your Password token are defined by your organization and applied when your Password token is initialized.
Change frequency: from 0 (never) to 365 days.
Maximum lifetime: up to 99 minutes, hours, days or weeks (this characteristic may be disabled for unlimited lifetime).
what is self-enrollment?
Self-enrollment is a simple process during which you activate your Password token. When you complete the self-enrollment process, you will be able to use your Password each time you log into your organization’s resources.
how do I self-enroll my Password token?
The self-enrollment process begins when you receive your “self-enrollment” email notification. The email contains instructions and your enrollment URL.
how long will my Password token continue to operate?
Your Password token will continue to operate until it is revoked by your IT administrator.
what if I have not received the “self-enrollment” email notification?
If you have not received a “self-enrollment” email notification, please contact your IT administrator to arrange for a new email to be sent to you.
what is the Self-Service Portal?
The Self-Service Portal is a Web site created to empower you to perform simple authentication management functions (the range of available functions depends on your organization’s policies) and in the process, reduce the workload and your reliance on the help desk.
The “self-enrollment” email notification contains the URL to access your Self-Service Portal.
why can’t I log on using my Password?
There may be several causes of a failed login.
I entered an incorrect Password
This is the most common cause. To avoid this, ensure that:
“Caps lock mode” is disabled on your keyboard.
you enter the right characters and keystrokes.
my user account is locked
You exceeded the maximum number of consecutive failed logon attempts. You must wait the amount of time defined by your organization before your user account will unlock.
my Password token has been suspended or revoked
Please contact your IT administrator.
what are my responsibilities?
Using your GrIDsure token provides strong security, and simplifies your work efforts by reducing or eliminating the need to remember or periodically change passwords. As an additional measure, Orange recommends that you observe the following tips to ensure the highest level of security.
how should I protect my Password?
Protect it just as you would the PIN for your bank or credit card. Never share it with anybody, including people you trust. This includes your colleagues and systems administrators at your company and personnel who are, or claim to be, representatives of Orange or a Partner of Orange. You should be extremely suspicious of anyone who ever tells you that they need to know your Password, and you should report any such incident to your IT administrator immediately. Never write down your Password.
how can I change my Password?
If you wish to change your Password, or if you are concerned that it has been compromised, contact your IT administrator. Upon verifying your identity, he will give you a temporary Password. The next time you log in, you will be required to change it to one known only by you.
what if I forget my Password?
Password
introduction
Password users can use Single-factor authentication (SFA) to authenticate to FI-MFA-protected applications and resources.
enrolling Password token
Step 1: you have or will receive a “FI-MFA self-enrollment” email notification. Open it, click the self-enrollment Web site link (beginning with https://se.safenet-inc.com/...), and then switch to your Web browser to start the self-enrollment process.
Step 2: enter your Password in both “Enter Password” and “Confirm Password”, and then click the “Next” button.
If successful, the following page is displayed:
Step 3: memorize your User ID before closing your Web browser.
authenticating with a Password
You have the ability to authenticate with your Password against any systems that support SFA (such as your Self-Service Portal described below).
Step 1: open the “FI-MFA Self-enrollment” email notification you previously received, click the FI-MFA self-service portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Click the “Sign In” button, and then the “Sign in using your token” button.
Step 2: enter your User ID and, in the “OTP” field, your Password, and then click the “OK” button.
Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the “Sign In” button has been replaced by the “Sign Out” one.