Settings screen

How to Get There

In the Navigation Pane, choose Settings. At least one Authentication Manager must exist before settings can be configured. See Managers screen.

What it Does

These settings let an Access Authenticator administrator define which authentication methods are authorized and configure other settings that govern Access Authenticator's user interactions.

Options

Authentication Methods

Choose the authentication methods available to network users.

  • One-Time Password (OTP). The Access Authenticator agent software prompts the user to enter a one-time password. Network users generate the one-time password in their mobile app and enter the generated value. This value is authenticated with the authentication manager.
  • Mobile Push Notification. A push notification is sent to the network user's mobile app, which displays a notification on-screen. The user is presented with the profile that is attempting to sign in, information about the system that’s being signed into, and a prompt to confirm or deny whether the sign-in attempt is legitimate. If the user confirms that the sign-in attempt is legitimate, a message is returned to the authentication manager to authenticate and the user is allowed to sign in. If the user denies the sign-in attempt, authentication fails and the user is not allowed to sign in. The authentication manager alerts an administrator to a possible hacking attempt.

    WARNING: In order for Access Authenticator to send Push Notifications to a mobile device outside the private network, the Authentication Manager's Connector Port (port 3040 by default) must be accessible to the public.

  • Biometrics (Mobile Fingerprint Scan). This feature is available on mobile devices that contain a fingerprint scanner (e.g. the Google Nexus 5X and 6P, or the iPhone 5S and up). Similar to the push notification processing, a notification is sent to the mobile device prompting the user to authenticate using the fingerprint scanner. If the sign-in attempt is legitimate, the user can authenticate using the fingerprint scanner. If it isn’t, they will have the option to deny the request (as per push notifications).

    WARNING: In order for Access Authenticator to send Fingerprint Scan prompts to a mobile device outside the private network, the Authentication Manager's Connector Port (port 3040 by default) must be accessible to the public.

  • YubiKey. The YubiKey is a FIDO-certified U2F USB authentication device that can be used as an alternative to the Access Authenticator mobile app. When the Access Authenticator agent software prompts for the second factor, the user selects the YubiKey authentication option, inserts the YubiKey into a USB port on their PC/laptop, and presses a button on the YubiKey.
  • Printed List of OTPs. This is a printed list of one-time passwords, and is a backup authentication method for the user if they lose their smart phone.

New User Action

This drop-down menu allows you to configure Access Authenticator's authentication settings upon user creation.

When a new user is created:

  • Set User to Authenticate Immediately. Require authentication at next user sign on. If you choose this option, new users enrolled in Access Authenticator will be required to authenticate using a registered device the first time they sign on. This means they will need to register a device with Access Authenticator prior to their next sign on attempt in order to gain access.

    WARNING: If this option is selected, users will be locked out of the system until they have registered a device with Access Authenticator.

  • Set User to Authenticate only after Device Registration. Require authentication after user registers a device. If you choose this option, new users enrolled in Access Authenticator will not be prompted to authenticate upon sign on until after they have registered a device.
  • Manually Set Authentication Option for User. Administrator is responsible for activating or deactivating authentication on an individual user basis using the 'Authenticate User' option in the Edit User settings for each new user (regardless of whether a device has been registered or not).

User Portal

User Portal Session Timeout

Enter the number of minutes an idle User Portal session will remain active before timing out and requiring the user to sign on again.

Authentication Attempts

Allowed Attempts

Enter the number of authentication request attempts that can be made before the user is rejected.

Printed Backup OTP Expiration

Backup List Expiration

Enter the number of days a printed list of one-time passwords will be valid.

Log Output

Output to Syslog; On • Off

Set to On in order to log output report data to a syslog server, or Off if you do not wish to log report data to a syslog server.

Syslog Server

Enter the IP address or DNS name and port of the syslog server you would like to output log data to. (The default syslog port is 514.)

EXAMPLE:
10.60.153.12:514
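
One way to confirm that the value entered in Syslog Server reaches a listening collector, as an added example that is not part of the product or its documentation. It assumes UDP transport and RFC 3164 message framing, neither of which this page specifies; the function names, the `syslog-check` tag and the `authmgr01` host name are hypothetical.

```python
import socket
from datetime import datetime

DEFAULT_SYSLOG_PORT = 514   # default port stated on this page
FACILITY_LOCAL0 = 16        # assumption: facility chosen for the test message
SEVERITY_INFO = 6


def parse_syslog_target(value):
    """Split a 'host:port' Syslog Server value into (host, port)."""
    value = value.strip()
    if not value:
        raise ValueError("empty Syslog Server value")
    host, _, port_text = value.partition(":")
    if not host or ":" in port_text:
        raise ValueError("expected host or host:port, got %r" % value)
    # A missing port falls back to the documented default.
    port = int(port_text) if port_text else DEFAULT_SYSLOG_PORT
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return host, port


def build_test_message(when, hostname, text="Syslog Server setting test"):
    """Build an RFC 3164 style datagram (assumed framing)."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY_INFO
    # RFC 3164 pads single-digit days with a space, not a zero.
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day,
                           when.strftime("%H:%M:%S"))
    line = "<%d>%s %s syslog-check: %s" % (pri, stamp, hostname, text)
    return line.encode("ascii")


def send_test_message(setting, hostname):
    """Send one test datagram to the configured server; returns bytes sent."""
    host, port = parse_syslog_target(setting)
    payload = build_test_message(datetime.now(), hostname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


if __name__ == "__main__":
    # Constructed sample: the example value from this page.
    print(parse_syslog_target("10.60.153.12:514"))
    print(build_test_message(datetime.now(), "authmgr01").decode("ascii"))
```

UDP gives no delivery confirmation, so after calling `send_test_message` check the collector itself for the `syslog-check` line.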

License Expiry Notification

Enabled

Set Enabled to On to receive a notification when the current license is approaching its expiration date. 

If enabled, a service runs once per day at 12 noon to check license expiration and send notifications. A notification is sent to the email address specified if a temporary or subscription license is due to expire within 15 days, or if it has already expired.

The notification email is sent once.

Set Enabled to Off if you do not wish to receive a notification in the circumstances listed above.

Email Address to Notify

If License Expiry Notification is enabled, the expiry notification will be sent to the email address specified here.

Name of Person to Notify

Here you can specify the name of the person to be addressed in the body of the email message.

Purging Report Data

Automatically Purge Report Data

Set this option to On if you would like to enable automatic purging of report data. If enabled, a service runs every day at midnight and deletes from the database all report data older than the number of days specified in the 'Days' Worth of Data to Retain' field.

NOTE: The processing runs at midnight as observed by the Authentication Manager, not the server hosting the Data Services. If you are in a different time zone from your Authentication Manager, report data may appear to have been purged earlier or later than expected because of this.

A record is written into the system event log to record the fact that a purge has run.

Set this option to Off to disable purging. When disabled, no data is deleted from the database.

 


Copyright © HelpSystems, LLC.
All trademarks and registered trademarks are the property of their respective owners.
1.2 | 201712120947