GrIDsure
You can enable GrIDsure authentication so that users can enroll a GrIDsure token, in a similar way to SafeNet MobilePASS+, to secure your organization's resources without being tied to specific devices.
During authentication, a GrIDsure token presents the user with a matrix of characters. To produce the passcode, the user enters the grid characters that lie on their personal identification pattern (PIP). The red circles in the following image illustrate a PIP and the resulting passcode (40DHM), assuming that the user created the PIP by selecting cells in order from left to right.
If the user had instead created the PIP from right to left, the passcode would be MHD04. There is no restriction on the order in which a pattern is created, and cells in a pattern may be used more than once. For example, with a left-to-right PIP, repeating every second cell produces the passcode 400DHHM.
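The derivation described above, as an added example that is not part of the STA documentation: the grids and the PIP below are constructed so that they reproduce the passcodes quoted on this page (40DHM, MHD04, 400DHHM); they are not the grid shown in the page's image.

```python
# Added example (not from the STA documentation): deriving a GrIDsure passcode
# from the displayed grid and the user's personal identification pattern (PIP).
# Both grids and the PIP are constructed to reproduce the page's example passcodes.

# Constructed 5x5 grid, displayed to the user as rows of characters
# (numbers and uppercase letters, two of the configurable character options).
GRID_LOGIN_1 = [
    "4X0QL",
    "DZH8M",
    "B7N1C",
    "S6W9E",
    "A2K5R",
]

# A second constructed grid, as a later login would present it: same cells,
# different characters. The PIP stays the same; only the passcode changes.
GRID_LOGIN_2 = [
    "K3E7X",
    "M0R4P",
    "C9A1T",
    "W5Q2H",
    "8DN6Z",
]

# The PIP is the long-lived secret: an ordered list of (row, column) cells.
# The order in which the user traced the cells fixes the order of the passcode.
PIP = [(0, 0), (0, 2), (1, 0), (1, 2), (1, 4)]


def passcode(grid, pip):
    """Read the grid character at each PIP cell, in PIP order."""
    return "".join(grid[r][c] for r, c in pip)


def repeat_every_second_cell(pip):
    """Return a PIP that enters every second cell twice, as in the page's 400DHHM example."""
    out = []
    for i, cell in enumerate(pip):
        out.append(cell)
        if i % 2 == 1:          # the 2nd, 4th, ... cell is used twice
            out.append(cell)
    return out


if __name__ == "__main__":
    print(passcode(GRID_LOGIN_1, PIP))                            # 40DHM
    print(passcode(GRID_LOGIN_1, PIP[::-1]))                      # MHD04 (same cells, right to left)
    print(passcode(GRID_LOGIN_1, repeat_every_second_cell(PIP)))  # 400DHHM
    print(passcode(GRID_LOGIN_2, PIP))                            # KEMRP (same PIP, new grid)
```

The last line shows the property that matters for logging and review: the passcode is single-use because the grid changes at each login, while the PIP itself is never transmitted.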
All GrIDsure authentications and errors are logged in the access logs.
Configure PIP requirements
You can configure GrIDsure requirements for the PIP, such as the type of characters that are allowed and the PIP length.
- On the STA Token Management console, select Policy > Token Policies > Third-Party Authentication Options.
- In the Third-Party Token Type list, select GrIDsure and then click Edit.
- Select the GrIDsure options as required:
  - Allow trivial PIPs: (Not recommended) If enabled, the user can select a straight line (horizontal, vertical, diagonal), or the four corners of a square within the grid as their PIP.
  - Use numbers, Use uppercase letters, Use lowercase letters, Use special/symbolic characters: Grids display characters from the selected options. The grid size is set in the token template.
  - Minimum PIP Length: Specify the minimum number of characters for a PIP. The default is 4.
- Select Apply.
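As an added example (not STA's own code), the following check models the PIP requirements above (minimum length, trivial PIPs) together with the grid-pattern character rule given later in the self-provisioning steps (no invalid characters, no character used three or more times, for example 5550). The grid size, the shape of a PIP as (row, column) cells, and the exact test for "straight line" and "four corners of a square" are assumptions; STA does not document how it evaluates these.

```python
# Added example (not from the STA documentation): policy checks for a proposed
# PIP and for the characters of a grid pattern. A PIP is a list of (row, col)
# cells; "trivial" means collinear cells (horizontal, vertical or diagonal) or
# the four corners of a square. The grid size and the exact trivial-pattern
# tests are assumptions; STA's own evaluation is not documented.

GRID_SIZE = 5           # constructed; the real size comes from the token template
MIN_PIP_LENGTH = 4      # the documented default for "Minimum PIP Length"

def is_straight_line(cells):
    """All cells on one row, one column, or one diagonal."""
    rows = {r for r, _ in cells}
    cols = {c for _, c in cells}
    diag = {r - c for r, c in cells}      # constant along a \ diagonal
    anti = {r + c for r, c in cells}      # constant along a / diagonal
    return 1 in (len(rows), len(cols), len(diag), len(anti))

def is_square_corners(cells):
    """Exactly the four corners of an axis-aligned square, in any order."""
    pts = set(cells)
    rows = sorted({r for r, _ in pts})
    cols = sorted({c for _, c in pts})
    if len(pts) != 4 or len(rows) != 2 or len(cols) != 2:
        return False
    is_square = rows[1] - rows[0] == cols[1] - cols[0]
    return is_square and pts == {(r, c) for r in rows for c in cols}

def check_pip(cells, allow_trivial=False, min_length=MIN_PIP_LENGTH):
    """Return the list of policy violations; an empty list means the PIP is acceptable."""
    problems = []
    if len(cells) < min_length:
        problems.append("too short")
    if any(not (0 <= r < GRID_SIZE and 0 <= c < GRID_SIZE) for r, c in cells):
        problems.append("cell outside grid")
    if not allow_trivial and (is_straight_line(cells) or is_square_corners(cells)):
        problems.append("trivial pattern")
    return problems

def check_passcode_characters(code, allowed):
    """Grid-pattern character rules: only allowed characters, none used 3+ times."""
    problems = []
    if any(ch not in allowed for ch in code):
        problems.append("invalid character")
    if any(code.count(ch) >= 3 for ch in set(code)):
        problems.append("three or more duplicate characters")
    return problems
```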
Configure PIN type and grid size
You set the PIN type and grid size in the token template.
- On the STA Token Management console, select Policy > Token Policies > Token Templates.
- Under Token Templates, in the Type list, select GrIDsure.
- Select Edit.
- Select the PIN Type and Grid Size options, as required. For a description of the PIN type options, see token template.
- Select Apply.
Allow users to reset their PIP
Users can reset their PIP during the authentication flow. PIP reset is disabled by default; you must enable it.
The PIP reset flow affects the GrIDsure settings as follows:
- The token template settings are retained. This means that the grid size and PIN requirements are unchanged. If there is a fixed PIN, the value that the user set when they first enrolled is used.
- Server-side PIN policy settings are not saved, so the latest PIN length and complexity settings apply for non-fixed PIN scenarios.
- Third-party authentication options are not saved, so the latest PIP length and trivial PIP settings apply.
PIP resets are recorded in the access logs: one entry for the deletion of the existing GrIDsure token and one entry for the enrollment of the new GrIDsure token.
- On the STA Access Management console, select Settings > GrIDsure.
- Select Edit.
- Select the toggle to Allow users to reset their personal identification pattern (PIP) within the IDP authentication flow.
- Select Save.
Reset your PIP
To test the PIP reset, follow the login steps as a user.
- Go to the login page for an application, such as the user portal, and select Start.
- Enter your Username and select Login.
- At the bottom of the grid page, select Other options.
- Select Reset grid pattern.
- Complete the identity verification step. For example, you might need to enter a code that was emailed to you, or you might need to enter your password.
- On the How GrIDsure works page, select Continue.
- Enter your new PIP, and then select Submit.
- Use your new grid pattern to log in.
GrIDsure self-provisioning
To enable groups to self-provision GrIDsure tokens, see Self-provisioning rules for groups.
Self-provision with GrIDsure
To test your setup and ensure that it works as intended, you can follow the self-provisioning steps that your users will follow.
- Go to the login page for an application (such as the user portal), and select Start.
- Depending on the settings for your account, you might be prompted to enter your username and select Login.
- Depending on the settings for your account, you might be prompted to enter your passcode and select Login.
- Depending on the tokens configured for your account:
  - If you already have a token, select Add Additional Authenticator.
  - If you don't already have a token, select Add Authenticator.
- Depending on whether you have a synchronized password:
  - If your password is already validated, skip this step.
  - If you have a synchronized password, enter your password and select Submit.
  - If you do not have a synchronized password, STA sends you a verification code by email. Enter the code in the field provided and select Continue.
- Select Grid Pattern and then select Submit.
  Note: The grid pattern option is not available if:
  - Self-provisioning is not enabled (see Enable GrIDsure authentication and self-provisioning).
  - The maximum token limit is reached (see Token allocations).
  An animation displays how GrIDsure works.
- When you are ready to enter your grid pattern, select Continue.
- To add the GrIDsure authenticator, enter your grid pattern and then select Submit.
  Valid grid patterns are based on the settings described in Configure PIP requirements. In addition, a grid pattern must not contain invalid characters or three or more duplicate characters (for example, 5550).
- If the PIN type is configured as Server-side User Select, enter a PIN of your own and then select Submit. The following images show the range of PIN requirements that can be configured, from fewest (on the left) to most (on the right).
- If the PIN type is Server-side Server Select or Server-side Fixed, memorize the PIN that is provided and then select Continue.
  For information about configuring PIN requirements, see PIN policy parameters.
  You are prompted to confirm that you memorized your PIN:
  - To continue, select My PIN is memorized.
  - To review your PIN, select Go back.
- To use the GrIDsure authenticator, enter your grid pattern and PIN (if required), and then select LOGIN.
  If configured, STA prompts you to enter a PIN before or after your grid pattern. The following image shows a prompt for PIN and passcode.
  After successfully authenticating, the application (such as the user portal) displays.
Manage GrIDsure authenticators
To manage GrIDsure authenticators for specific users, follow the instructions in View users on the STA Access Management console.